VIRTUSA CORP - FORM 10-Q - EX-10.3

Attached files

Attached files

VIRTUSA CORP Reports

Also read

file	filename
EX-31.1 - EX-31.1 - VIRTUSA CORP	a15-24917_1ex31d1.htm
EX-32.2 - EX-32.2 - VIRTUSA CORP	a15-24917_1ex32d2.htm
EX-31.2 - EX-31.2 - VIRTUSA CORP	a15-24917_1ex31d2.htm
EX-10.4 - EX-10.4 - VIRTUSA CORP	a15-24917_1ex10d4.htm
EX-32.1 - EX-32.1 - VIRTUSA CORP	a15-24917_1ex32d1.htm
10-Q - 10-Q - VIRTUSA CORP	a15-24917_110q.htm

Exhibit 10.3

PORTIONS OF THIS EXHIBIT WERE OMITTED AND HAVE BEEN FILED SEPARATELY WITH THE SECRETARY OF THE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT UNDER RULE 24B-2 OF THE SECURITIES EXCHANGE ACT; [***] DENOTES OMISSIONS

MASTER PROFESSIONAL SERVICES AGREEMENT

CITI-CONTRACT-14084-2015

Effective Date:

July 1, 2015

Party:	SUPPLIER	CITI
Name:	Polaris Consulting & Services Ltd	Citigroup Technology, Inc.
Address:	“Polaris House” 244 Anna Salai Chennai 600006, Tamilnadu, India	111 Wall Street, 7th Floor New York, NY 10005
Incorporation:	India	Delaware

WHEREAS, Citi desires Supplier to provide ADM Services, Co-Managed Services and Managed Services, and Supplier desires to provide any of such Services to Citi, in accordance with the terms of this Master Agreement.

NOW, IN CONSIDERATION of the mutual covenants and undertakings contained herein, and intending to be legally bound, Supplier and Citi agree as follows.

1. DEFINITIONS

1.1 Specific Words or Phrases. For purposes of this Agreement, each word or phrase listed below shall have the meaning designated. Other words or phrases used in this Agreement may be defined in the context in which they are used, and shall have the respective meaning there designated.

“Acceptance” means acceptance in accordance with the Acceptance Criteria.

“Acceptance Criteria” means the criteria by which the Deliverable(s) or the Service(s) will be evaluated for purposes of determining Acceptance by Citi, which shall include the functional, technical, design and performance characteristics, Service descriptions, report or presentation requirements and other capabilities specifically set forth or incorporated by reference in the applicable Work Order. If the Parties fail to specify Acceptance Criteria in such Work Order, then the Acceptance Criteria shall be based upon Citi’s reasonable determination that the Deliverable(s) or Services are satisfactory to Citi in all material respects.

“ADM Services” means all services relating to the design, architecting, implementation, development, enhancements, production support, testing and management of all business applications and software areas of Citi and Citi Affiliates, including applications and software relating to legacy applications on mainframe-based technologies, web applications, enterprise resource planning, customer relationship management, procurement, data warehousing, business process management, enterprise application integration, content management, document management, portals, and workflow management controls and compliance activities including independent controls review, quality management, peer review audit and project office services. ADM Services shall be considered a subset of the definition of “Services.”

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means the ownership of, or the power to vote, at least twenty percent (20%) in the case of Citi and greater than fifty percent (50%) in the case of Supplier, of the voting stock, shares or interests of such entity. An entity that otherwise qualifies

under this definition will be included within the meaning of “Affiliate” even though it qualifies after the Effective Date.

“Agreement” means the terms of this Master Professional Services Agreement, together with the appendices and other exhibits attached hereto or incorporated herein by reference and any amendments thereto agreed to in writing by the Parties and any Local Country Addenda (collectively, “Master Agreement”); provided, however, that for each particular Work Order, reference to “Agreement” shall be construed solely as a reference to the agreement that arises as a result of the execution of the Work Order, which agreement shall be a two-party agreement between Supplier (or Supplier Affiliate) and the specific entity (either the entity designated above as “Citi” or a Citi Affiliate) that executes the Work Order, and shall be deemed to incorporate the terms and conditions of this Master Agreement. As of the Effective Date, the following Appendices are incorporated into and made a part of this Agreement:

Appendix 1.1: Existing Work Orders

Appendix 3.2: Form of Work Order

Appendix 3.3.1: Local Country Addenda

Appendix 3.8: Additional Terms for Customer-Facing Services

Appendix 4.2.3: Governance

Appendix 4.7.1: Key Personnel - Restricted Entities

Appendix 6.4.3: Quality of Service Metrics

Appendix 6.4.4: ADM Services Standards

Appendix 7: Service Levels

Appendix 11.1: Schedule of Supplier’s Time and Material Rates

Appendix 11.2.7: Legacy Resources

Appendix 12.6.2: Form of Work Authorization Attestation

Appendix 13: Confidentiality

Appendix 22.2: Assurance of Compliance — Export Control Laws

Appendix 22.7.1: Data Privacy Agreement by Country

“Applicable Law” means, for all countries, all national, federal, state, provincial and local (i) laws (including common law), ordinances, regulations and code and (ii) orders, requirements, directives, decrees, decisions, judgments, interpretive letters, guidance and other official releases of any Regulator that are applicable to Citi, Citi’s Affiliates, Supplier and Supplier’s Affiliates (as a service provider to Citi and Citi’s Affiliates), the Services or any other matters relating to the subject matter of this Agreement. Without limiting the foregoing, Applicable Law includes (a) all data protection, privacy or similar laws and regulations anywhere in the world applicable to persons in possession of Personal Information (as defined in Section 13.2.4), or to the processing of Personal Information, (b) any bribery, fraud, kickback or other similar anti-corruption law or regulation of any applicable country including the U.K. Bribery Act and the U.S. Foreign Corrupt Practices Act and the regulations promulgated thereunder; (c) the Truth in Lending Act and the regulations promulgated thereunder; (d) the Equal Credit Opportunity Act and the regulations promulgated thereunder; (e) the Fair Debt Collections Practices Act; (f) the Fair and Accurate Credit Transactions Act of 2003 and the regulations promulgated thereunder; (g) the Gramm-Leach-Bliley Act and the regulations promulgated thereunder; (h) the USA PATRIOT Act and the regulations promulgated thereunder; (i) any law or regulation addressing unfair, deceptive or abusive acts or practices; (j) any law or regulation addressing money laundering; and (k) any law or regulation related to economic sanctions.

“At-Risk Amount” shall mean the maximum monthly Service Level Credits available under a Work Order.

“Benchmarker” shall have the meaning set forth in Section 8.1 (Benchmarking).

“Benchmarking Report” shall have the meaning set forth in Section 8.3 (Benchmarking).

“Business Day” shall mean any day other than a Saturday, Sunday or public holiday in the location in which Citi is receiving the applicable Services.

“Change” shall have the meaning set forth in Section 4.3.1 (Change Control Procedures).

“Change Control Procedures” shall mean the procedures set forth in Section 4.3 (Change Control Procedures).

“Change Request” shall have the meaning set forth in Section 4.3.2 (Change Control Procedures).

“Citi” means, for the general purposes of this Agreement, the entity designated on the first page of this Agreement as “Citi”. However, for the particular purposes of any agreement that arises as a result of a Work Order, reference to “Citi” shall be construed solely as a reference to the specific entity (either the entity designated on the first page of this Agreement as “Citi” or a Citi Affiliate) that executes or submits such document.

“Citi Competitor” shall mean any entity that is primarily engaged in the provision of banking or financial services and has consolidated annual gross revenues greater than USD $10 billion.

“Citi Location” shall mean any location owned or leased by Citi, at which Supplier provides any Services.

“Citi NEMS” means an electronic non-employee management system (e.g., NEMS P2P and Fieldglass) used by Citi to contract for, timekeep and perform other management functions relating to third-party resources.

“Citi Policies” shall have the meaning set forth in Section 5.1 (Citi Policies and Procedures).

“Citi’s Systems” means all computer equipment (including mainframes, personal computers, servers, and client/server stations), all associated or interconnected network equipment, routers, semi-conductor chips, software, and communication lines, and all other equipment (including printers, copiers, fax machines and telephones), owned, licensed or operated by, or operated on behalf of, Citi or a Citi Affiliate, or by their respective clients, customers or services providers.

“Co-Managed Services” shall mean services for which the applicable Service Fees are based on the number of full time equivalent hours or Personnel (or “Capacity”) agreed by Citi and Supplier as being required for the proper performance of such services and for which Supplier has guaranteed the Service Fees and the corresponding Professional Day Amount. Co-Managed Services shall have a defined fixed price for the provisioned Capacity with payment milestones that are either time bound or based on breakdown of services and shall have defined Service Levels. Co-Managed Services shall be considered a subset of the definition of “Services”.

“Comparable Vendors” shall have the meaning set forth in Section 8.2 (Benchmarking).

“Confidential Information” of a Party shall have the meaning set forth in Section 13 (Confidential Information).

“Contract Year” shall mean any twelve (12) month period during the Term beginning on the Effective Date, or on each July 1st thereafter, as applicable.

“Controlling Entity” shall have the meaning set forth in Section 2.1.2(c) (Term and Termination).

“CMMI-Level 5” means the highest level of the process improvement approach under the current version of the Capability Maturity Model as developed by the Software Engineering Institute.

“Critical Service Levels” means the Service Levels identified as critical Service Levels in each Work Order.

“Customer Data” means any Confidential Information related to customers and clients of Citi and its Affiliates.

“Data Privacy Laws” shall have the meaning set forth in Section 22.7 (Data Privacy).

“Defect” means, with regard to any Service or any Deliverables, information or materials provided by Supplier, a defect, failure, malfunction, or nonconformity in such Service, Deliverable or information or materials that prevents such Service, Deliverable or information or materials from complying with, or operating in accordance with, the applicable Acceptance Criteria.

“Deliverable(s)” means and includes the item(s) described on a Work Order that is (are) to be developed or prepared for, or provided by Supplier to, Citi in furnishing the Services.

“Documentation” shall mean all operator and user manuals, training materials, guides, listings, specifications and any revisions or additions to such documents relating to any software procured, provided, operated, supported, or used by Citi or Supplier in connection with the Services.

“Effective Date” shall have the meaning set forth in the introduction to this Agreement.

“Equipment” shall mean all computing, networking, communications and related computing equipment (hardware and firmware) procured, provided, operated, supported, or used by Citi or Supplier in connection with the Services, including (i) mainframe, midrange, server and distributed computing equipment and associated attachments, features, accessories, peripheral devices, and cabling, (ii) personal computers, laptop computers, terminals, workstations and associated attachments, features, accessories, printers, multi-functional printers, peripheral devices, and cabling, and (iii) voice, data, network and monitoring equipment peripheral devices and cabling.

“Evaluation Period” shall mean (i) with respect to Service Levels, any one (1) month period during the term of a Work Order (unless otherwise set forth in the applicable Work Order), commencing on the Service Level Commencement Date and each one (1) month (or other period set forth in the applicable Work Order) anniversary thereof, or (ii) with respect to Quality of Service Metrics, each calendar quarter during the term of this Master Agreement, provided in each case that if this Master Agreement or the applicable Work Order expires or terminates prior to the end of a one (1) month period (or other period set forth in the applicable Work Order) or calendar quarter, that Evaluation Period shall end on the expiration or termination date, as applicable. Calculations using an Evaluation Period shall include all data corresponding to the relevant Evaluation Period.

“Existing Work Orders” means the service level agreements, product service level agreements, statements of work, work orders and other similar agreements (including all attachments and other

documents associated with any of the foregoing) entered into by Supplier and Citigroup Technology, Inc. or its Affiliates pursuant to the Master Professional Services Agreement entered into by and between Polaris Software Lab Limited and Citicorp North America, Inc. dated July 12, 2007 that were in effect immediately prior to the Effective Date, including those that are set forth on Appendix 1.1 (Existing Work Orders).

“Exit Fees” shall have the meaning set forth in Section 2.2.2(b) (Term and Termination).

“Form of Change Request” shall have the meaning set forth in Section 4.3.2 (Change Control Procedures).

“High Level Plan” shall have the meaning set forth in Section 4.3.4 (Change Control Procedures).

“Intellectual Property Rights” means all trade secrets, patents and patent applications, trade marks (whether registered or unregistered and including any acquired goodwill), service marks, trade names, business names, internet domain names, e-mail address names, copyrights (including rights in computer software), moral rights, database rights, design rights, rights in know-how, rights in confidential information, rights in inventions (whether patentable or not) and all other intellectual property and proprietary rights (whether registered or unregistered, and any application for the foregoing), and all other equivalent or similar rights which may subsist anywhere in the world.

“ITIL Certification” means ITIL qualification under the current version of the qualification scheme developed by The ITIL Official Accreditor at the level referenced in the applicable Work Order.

“Legacy Resources” shall have the meaning set forth in Section 11.2.7.

“Local Country Addendum” shall have the meaning set forth in Section 3.3.1 (Local Country or Regional Requirements and Agreements).

“Managed Services” shall mean services for which the applicable Service Fees are based on either the number of managed units (e.g., server instances, personal computers, etc.), or the number of processed units (e.g., function points, tickets, MIPs consumed, etc.), or other applicable Deliverables. Managed Services have a defined fixed price per managed unit, and/or per processed unit, and/or per Deliverable (“Billing Units”) with payment milestones that are tied to such Billing Units and have defined Service Levels for such Billing Units. For clarity, Billing Units shall not be denominated in number of full time equivalent hours or Personnel. Supplier shall own the performance and financial risk for such services and notwithstanding the Acceptance provisions, the payment for such services shall be subject to, but not limited to, adherence of underlying Billing Units to requirements of quality and timeliness, and other requirements. Managed Services shall be considered a subset of the definition of “Services”.

“New Work Orders” means those Work Orders entered into following the Effective Date. For the avoidance of doubt, a renewal of an Existing Work Order is not a New Work Order.

“Offshore” means location in a country that is different than the country in which the relevant recipient of the Services is located.

“Onshore” means location in the same country in which the relevant recipient of the Services is located.

“Original MPSA” means the Master Professional Services Agreement with an Effective Date of July 12, 2007, as amended from time to time thereafter, entered into by and between Polaris Software Lab Limited and Citicorp North America, Inc.

“Party” means either Supplier or Citi, individually as the context so requires, and “Parties” means Supplier and Citi, collectively.

“Personnel” means a Party’s or an Affiliate’s directors, officers, employees, non-employee workers, agents, auditors, consultants, suppliers, contractors, Subcontractors and other service providers, subcontractors and representatives, as well as, in the case of Supplier, the directors, officers, employees, agents, auditors, consultants or other representatives of any Supplier Affiliate, Subcontractor or third party utilized by Supplier, directly or indirectly, to provide any Services. For clarity, “Personnel” does not include the other Party or any third parties claiming through the other Party.

“Project Manager” shall have the meaning set forth in Section 4.2.2 (Contract Governance Organization).

“Quality of Service Metrics” shall have the meaning set forth in Section 4.2.8 (Contract Governance Organization).

“Quality Plans” shall have the meaning set forth in Section 4.17.1 (Quality Assurance).

“Reasonably Related Services” means

those Services for which it would be commercially unreasonable for Citi to continue to use Supplier following the termination of any other Services (regardless of whether such Services are provided pursuant to the same Work Order or different Work Order), including substantially similar Services provided to Citi or a Citi Affiliate in a different country, as mutually agreed between the Parties or otherwise determined as satisfying the foregoing criteria pursuant to Section 2.2.2(d).

“Regulator” or “Regulatory” means any government authority, department or agency, or any judicial or regulatory (including self-regulatory) organization having authority, oversight jurisdiction or similar power over any of the Parties or any Affiliates in any national, federal, state, provincial or local jurisdiction.

“Required Consents” means the consents (if any) required from third parties in connection with Supplier’s provision of the Services (including, without limitation, such consents required to grant Supplier the right to use and/or access and/or modify any hardware, software, firmware and other products without infringing the ownership or license rights of the owners or providers thereof).

“Service Commencement Date” means the date on which Supplier commenced its provision of Services under an Existing Work Order.

“Service Completion Date” means the date on which Supplier is scheduled to complete its provision of Services under an Existing Work Order.

“Service Fees” shall have the meaning set forth in Section 11.1 (Service Fees).

“Service Levels” means the metrics and performance standards which Supplier shall meet, and cause each Supplier Personnel to meet, in connection with the provision of the Services, including (i) those set forth in Appendix 7 (Service Levels) to this Agreement and the applicable Work Order and (ii) any other performance standards relating to the Services as may be mutually agreed upon by the Parties in writing in the applicable Work Order.

“Service Level Commencement Date” means (i) for Existing Work Orders, the Service Commencement Date, and (ii) for New Work Orders, the date on which Supplier commences providing the Services under such Work Order in a steady state, unless otherwise agreed by the Parties in the applicable Work Order.

“Service Level Credits” means the performance credits specified in the applicable Work Order that Supplier shall issue to Citi if Supplier fails to meet the Service Levels.

“Service Location” means each location, or any portion of a location, at which Supplier provides any Services, except a Citi Location.

“Services” means the services described in the applicable Work Order that are to be provided by Supplier to Citi pursuant to this Agreement, including (a) the provision of Deliverables and any Work Product and (b) the services, functions and responsibilities that are required for the proper performance or provision of the Services, if such services, functions and responsibilities are specifically described in the applicable Work Order.

“Software” means any software intended to be installed on Citi’s Systems or otherwise provided to Citi by or on behalf of Supplier in connection with the Services.

“Specialty Rate” means any of the rates set forth in the Specialty Skills section of Appendix 11.1 (Schedule of Supplier’s Time and Material Rates).

“Staff Augmentation Services” means all services relating to the provision, on a time and materials basis, of a requested number of Supplier Personnel possessing certain skills and training to perform tasks at the direction of a Citi employee. Staff Augmentation Services shall be considered a subset of the definition of “Services”.

“Staffing Services” means services performed by a single Supplier Personnel under the direction of Citi for the sole purpose of supplementing an existing Citi Personnel team at a Citi Location, and where there is no offshore component to the services performed nor does such Supplier Personnel coordinate offshore delivery for Supplier.

“Steering Committee” shall have the meaning set forth in Section 4.2.7 (Contract Governance Organization).

“Subcontractor” means a contractor, agent, service provider, third party or consultant retained by Supplier pursuant to a written agreement, or otherwise used by Supplier, including any person (whether a natural person or a corporation), directly or indirectly employed by or otherwise retained by that contractor, agent, service provider, third party or consultant.

“Supplier” means, for the general purposes of the Agreement the entity designated above as “Supplier”. However, for the particular purposes of any agreement that arises as a result of a Work Order, reference to “Supplier” is construed solely as a reference to the specific entity (either the entity designated above as “Supplier” or an Affiliate of Supplier) that executes or is deemed to have executed the Work Order.

“Supplier Materials” shall have the meaning set forth in Section 9.2 (Supplier Materials).

“Supplier Relationship Manager” shall have the meaning set forth in Section 4.2.4 (Contract Governance Organization).

“Term” shall have the meaning set forth in Section 2.1 (Term and Termination).

“Third Party Materials” shall have the meaning set forth in Section 9.3 (Third Party Intellectual Property).

“Transition Credits” means the credits issued by Supplier to Citi for Supplier’s failure to meet a Transition Milestone, as specified in the Transition Plan.

“Transition Milestones” means the required dates for completing the applicable Transition Services, as set forth in the Transition Plan.

“Transition Plan” means the plan to migrate each Service from Citi, its Affiliate or a third party service provider to Supplier, as attached to the applicable Work Order.

“Transition Services” shall have the meaning set forth Section 3.5.1 (Transition Services).

“Upgrade” and the derivatives of such term means updates, renovations, enhancements, additions and/or new versions or releases of software or Equipment.

“Work Order” means a written transactional document signed (either substantially in the form of (i) Appendix 3.2 (Form of Work Order) or (ii) of any other work order set forth in this Agreement, or electronically generated by Citi, all as set forth in Section 3.2 below) by an authorized representative of each Party and entered into pursuant to the provisions of this Master Agreement that describes the Service(s) or Deliverable(s) to be provided by Supplier, but includes Existing Work Orders and New Work Orders.

“Work Product” means and includes each Deliverable, and all ideas, concepts, know-how, techniques, inventions, discoveries, improvements, specifications, designs, methods, devices, systems, reports, studies, computer software (in object or source code), programming and other documentation, flow charts, diagrams and all other information or tangible material of any nature whatsoever (in any medium and in any stage of development or completion) relating to the subject matter of this Master Agreement or the applicable Work Order, that are conceived, designed, practiced, prepared, produced or developed by Supplier or any of its Personnel: (i) during the course of providing the Services, (ii) based upon knowledge or information learned or gained from Citi, or (iii) resulting from the use of Citi’s facilities, Personnel, or materials.

1.2 Common Words. The following words shall be interpreted as designated: (i) “or” connotes any combination of all or any of the items listed, (ii) where “including”, “include” or “includes” is used to refer to an example or begins a list of items, such example or items shall not be exclusive, and (iii) “specified” requires that an express statement is contained in the relevant document.

2. TERM AND TERMINATION

2.1 Agreement. This term of this Master Agreement (the “Term”) shall commence as of the Effective Date designated above, and shall continue in effect until superseded or otherwise terminated by agreement of the Parties or as set forth in Sections 2.1.1 (Termination of Agreement by Supplier) and 2.1.2 (Termination of Agreement by Citi) below. Upon termination of this Master Agreement, all previously-issued Work Orders shall also automatically terminate, unless specified otherwise by Citi in writing at the time of such termination.

2.1.1 Termination of Agreement by Supplier. Supplier may terminate this Master Agreement in accordance with this Section 2.1.1 if Supplier has terminated all Work Orders under Section 2.2.1 (Termination of Work Orders by Supplier).

2.1.2 Termination of Agreement by Citi. Upon the occurrence of any of the events set forth in this Section 2.1.2, Citi may, by giving written notice to Supplier and without the payment

of any costs or Exit Fees, immediately terminate this Master Agreement as of the date specified in the notice of termination:

(a) Supplier commits a material breach of this Agreement, and such breach is not cured within thirty (30) days from the date Supplier receives written notice thereof; provided that (i) breaches affecting Citi’s Confidential Information or Intellectual Property Rights, to the extent curable, must be cured within a ten (10) day period and (ii) Supplier shall use commercially reasonable efforts to cure any material breach as soon as possible;

(b) If, during a single Contract Year, Citi terminates Work Orders or Services pursuant to Section 2.2.2(a)(i) (Material Breach) that, in the aggregate, represent at least thirty-five percent (35%) of the aggregate Service Fees payable to Supplier during such Contract Year and twenty-five percent (25%) of the number of all Work Orders in effect during such Contract Year under this Agreement.

(c) There is a change in the entity possessing, directly or indirectly, the power to direct or cause the direction of the management, policies, and operations of Supplier (the “Controlling Entity”), whether through ownership of greater than fifty-one percent (51%) of the voting securities (other than due to an initial public offering), by contract or otherwise; provided that Citi provides notice to Supplier of its termination pursuant to this Section 2.1.2(c) within twelve (12) months following consummation of the transaction effecting the change in Controlling Entity; and for the sake of clarity, it is agreed that the right of Citi to terminate the Agreement shall not be exercised in the event Citi does not notify Supplier in writing during such twelve-month period of Citi’s objection to the change in the Controlling Entity;

(d) Supplier (i) files any voluntary petition in bankruptcy, (ii) has an involuntary petition in bankruptcy filed against it which is not challenged in twenty (20) days and dismissed within sixty (60) days, (iii) avails itself of or becomes subject to any petition or proceeding under any statute of any state or country relating to insolvency, liquidation, or the protection of rights of creditors, or any other insolvency, liquidation or similar proceeding for the settlement of debt, (iv) makes a general assignment for the benefit of creditors, (v) admits in writing its inability to pay debts as they mature, (vi) has a receiver appointed for substantially all of its assets, (vii) ceases conducting business in the normal course, or (viii) has a material portion of its assets attached;

(e) Supplier violates Applicable Law;

(f) A Citi Regulator recommends or requires Citi to terminate this Master Agreement; or

(g) Citi reasonably and in good faith believes Supplier has engaged in or engages in activity or practices, hereunder or otherwise, that may constitute (I) a violation of Applicable Law or (II) unethical or inappropriate business conduct, in each case based on facts and circumstances set forth in a notice delivered by Citi to Supplier with respect to such determination.

2.2 Work Orders. Each duly signed Work Order shall commence as of the effective date designated thereon, and shall continue in effect thereafter until the latest of: (i) the expiration date designated thereon (if any), (ii) the date the Services have been satisfactorily

completed or the Deliverables have been Accepted and all applicable warranty and license periods have expired or otherwise terminated, or (iii) the date of termination or expiration specified by either Party in accordance with the provisions in Sections 2.2.1 (Termination of Work Orders by Supplier) and 2.2.2 (Termination of Work Orders by Citi) below.

2.2.1 Termination of Work Orders by Supplier. Supplier may, by giving written notice to Citi, immediately terminate any Work Order, or any individual Services provided hereunder, as of the date specified in the notice of termination, if Citi materially breaches Section 11.6 (Terms of Payment) with respect to such Work Order for any reason and such material breach is not remedied within sixty (60) days (or such other reasonable period as may be agreed by the Parties) of notice to Citi specifying the breach and requiring its remedy, provided that Citi shall use commercially reasonable efforts to cure any material breach as soon as possible.

2.2.2 Termination of Work Orders by Citi.

(a) For Cause. Upon the occurrence of any of the events set forth in this Section 2.2.2(a), Citi may, by giving written notice to Supplier and without the payment of any costs or Exit Fees, immediately terminate any Work Order or individual Service provided thereunder that is materially impacted by any of the following events, as of the date specified in the notice of termination. If Citi terminates an individual Service or Work Order under this Section 2.2.2(a), Citi may also terminate all Reasonably Related Services, and any such termination of Reasonably Related Services shall be deemed a termination pursuant to this Section 2.2.2(a) and it shall not require payment of any Exit Fees.

(i) Material Breach. Supplier commits a material breach of the Work Order or Service, and such breach is not cured within thirty (30) days from the date Supplier receives written notice thereof; provided that (x) breaches affecting Citi’s Confidential Information or Intellectual Property Rights, to the extent curable, must be cured within a ten (10) day period and (y) Supplier shall use commercially reasonable efforts to cure any material breach as soon as possible; or

(ii) Citi is permitted to do so pursuant to Section 7.9 (Other Remedies), Section 7.10.1.1(b)(ii) (Baselining), Section 8.4 (Benchmarking), Section 16.1.3 (Infringement Indemnity), Section 26 (Force Majeure) or any termination rights explicitly set forth in any Work Order.

(b) For Convenience. Citi may terminate a Work Order or any Services for convenience: (i) immediately upon notice to Supplier for Staff Augmentation Services performed at a Service Location or Citi Location in India and the applicable Services Fees are charged on a time and materials basis; (ii) effective at any time following two (2) weeks prior written notice (including by e-mail) to Supplier for any Staff Augmentation Services and other Services that, in either case, are performed at a Service Location or Citi Location outside of India and charged on a time and materials basis; and (iii) upon thirty (30) days written notice (including by e-mail) to Supplier for all other Services; provided that non-renewal of a Work Order pursuant to Section 2.2.4 shall not be a termination for convenience. If Citi

terminates a Work Order or Service for convenience, Citi shall pay for any Services rendered under that Work Order until the effective date of termination and the completion of the applicable Termination Assistance Services, and those reasonable termination fees or exit fees specified in the applicable Work Order (“Exit Fees”). Notwithstanding the foregoing, with respect to Co-Managed or Managed Services terminated by Citi pursuant to this Section 2.2.2(b), Citi shall only be responsible for up to fifty percent (50%) of the agreed milestone payments for Services performed prior to the effective date of termination. If no milestone payments are indicated in the applicable Work Order, then Citi shall be responsible for payment for Services properly performed up through the effective date of termination. Citi may at any time and for its convenience terminate, with no obligation or liability to Supplier, any Work Order pursuant to which Supplier has not yet commenced performance of Services.

(c) For Other Reasons. Upon the occurrence of any of the events set forth in this Section 2.2.2(c), Citi may, by giving prior written notice to Supplier and without the payment of any costs or Exit Fees, immediately terminate any Work Order or individual Service provided thereunder, as of the date specified in the notice of termination. If Citi terminates an individual Service or Work Order under this Section 2.2.2(c), Citi may also terminate all Reasonably Related Services, and any such termination of Reasonably Related Services shall be deemed a termination pursuant to this Section 2.2.2(c) and shall not require payment of any Exit Fees.

(i) Supplier violates Applicable Law related to the Services or the Supplier’s provision of the Services to Citi violates Applicable Law;

(ii) A Citi Regulator recommends or requires Citi to terminate the Work Order;

(iii) Citi reasonably and in good faith believes Supplier has engaged in or engages in activity or practices, hereunder or otherwise, that may constitute (A) a violation of Applicable Law or (B) unethical or inappropriate business conduct, in each case based on facts and circumstances set forth in a notice delivered by Citi to Supplier with respect to such determination.

(d) Termination of Reasonably Related Services. In the event that Supplier disagrees that Services provided under a given Work Order are properly classified by Citi as a Reasonably Related Service, such disagreement shall be referred to the Steering Committee for resolution and the decision of the Steering Committee in this regard shall be final and binding.

2.2.3 For the avoidance of doubt, notice of termination for any Work Order shall not be construed to be notice of termination for any other Work Order.

2.2.4 Supplier shall provide notice to Citi of the expiration of the then-current term of each Work Order at least ninety (90) days prior to the expiration of the term of such Work Order. Citi shall have the right to renew each such Work Order by providing written notice to Supplier of its desire to renew within sixty (60) days of receipt of notice of Supplier’s request to renew. If Citi provides such notice of renewal, then the applicable Work Order shall renew following expiration of its then-current term for a renewal term equal to the then-current term. If Citi does not provide such notice of renewal with respect to any Work Order, such Work Order shall be deemed to have automatically expired as of the end date stated therein or such other end date applicable to such Work Order.

2.2.5 Notwithstanding the terms set forth above in this Section 2.2 (Work Orders), for New Work Orders and Existing Work Order(s), Citi may utilize a P2P Electronic Order Management and Payment System to transmit requests for such Services and final approved Work Orders for such Services to Supplier electronically. Except for the process-oriented use of such a P2P Electronic Order Management and Payment System to initiate, transmit and approve a Work Order for such Services, all such final accepted Work Orders submitted and approved by Citi or any Citi Affiliate through a P2P Electronic Order Management and Payment System shall be governed by all relevant terms of this Master Agreement (including without limitation those related to Service Fees, Confidential Information, data protection, and Intellectual Property Rights) and shall be deemed Work Orders issued pursuant to the terms of this Master Agreement for all purposes hereunder. Subject to the terms and conditions of this Master Agreement (including those of this Section 2.2.5), the Parties agree to receive electronic documents and accept electronic signatures relating to Work Orders and related invoices and other related documentation, in all cases through a P2P Electronic Order Management and Payment System and as may be agreed by the Parties from time to time. Electronic documents and electronic signatures through a P2P Electronic Order Management and Payment System shall be a substitute for paper-based documents and signatures, and the legal validity of a transaction will not be denied on the ground that it is not in writing on paper-based hard copies. All electronic documents shall be in the electronic format specified by Citi or implemented on Citi’s P2P Electronic Order Management and Payment System. Any electronic documents shall be transmitted or received by the Parties in a secure manner in accordance with Citi’s security policies and procedures. Each Party agrees to treat all electronic transmissions and electronic documents as confidential and to protect all such electronic transmissions and documents from improper or unauthorized access in accordance with this Agreement. For purposes of this Agreement, an electronic signature means any form of digital letters, characters, or symbols, manifested by electronic or similar means, executed or adopted by a Party with an intent to authenticate a writing. A writing is electronically signed if an electronic signature is logically associated with such writing.

2.3 Orderly Transfer.

2.3.1 Upon notice from Citi following the effective date of expiration or termination of a Work Order and continuing for up to twelve (12) months (“Termination Assistance Period”), Supplier will provide such information, cooperation and assistance to Citi, as Citi may reasonably request, to allow the Services to continue without interruption or adverse effect, with an orderly transition for the affected Services, and to assure an orderly return or transfer to Citi or Citi’s designee of all proprietary data (and related records and files) and materials of Citi, and all Work Product (in its then current condition) (the “Termination Assistance Services”).

2.3.2 Termination Assistance Services shall include, without limitation and at no charge to Citi, Supplier provision of (i) written applicable requirements, standards, policies, operating procedures and other documentation relating to the affected Services, (ii) necessary access to the systems and Supplier Locations from which affected Services were provided, (iii) necessary access to the technical environment of Supplier’s systems used at Supplier Locations and (iv) account management services for up to three (3) months performed by Supplier’s Personnel immediately prior to the effective date of expiration or termination of the relevant Work Order. If and to the extent requested by Citi, Supplier shall assist Citi in

developing a plan that shall specify the tasks to be performed by Citi and Supplier in connection with the Termination Assistance Services and the schedule for the performance of such tasks, which plan shall be subject to approval by Citi. All Termination Assistance Services to be provided by Supplier shall be provided pursuant to the terms and conditions agreed upon by the Parties in a Work Order.

2.3.3 Supplier shall not replace any Supplier Personnel that are performing Services under a Work Order as of the date that Supplier receives notice from Citi of termination of such Work Order or the date of expiration of such Work Order until the earlier to occur of: (i) the end of the Termination Assistance Period and (ii) the grant by Citi of its consent to the release of any such Supplier Personnel, which consent shall not be unreasonably withheld. In the event Supplier has breached the foregoing provisions of this Section 2.3.3, Citi may withhold up to twenty-five (25%) of the amounts to be paid to Supplier during each month of the Termination Assistance Period until Citi has determined that Supplier has cured such breach. Citi shall pay Supplier such withheld amounts within thirty (30) days following Citi’s determination that Supplier has cured such breach. For the sake of clarity, it is agreed between the Parties that Citi’s right to withhold amounts specified earlier shall not be exercised if such individual ceases performance of the Termination Assistance Services due to (a) voluntary resignation from employment, (b) dismissal from employment for misconduct (e.g., fraud, drug abuse or theft), (c) removal of such individual following his or her material failure to perform obligations pursuant to this Agreement or (d) death or disability of such individual.

2.3.4 At Citi’s request, Supplier also will provide Termination Assistance Services directly to an Affiliate of Citi or any other entity receiving Services under this Agreement. If Citi appoints a third party to assume Citi’s role in relation to any or all of the Termination Assistance Services, Supplier will provide Termination Assistance Services to that third party. Supplier will provide the Termination Assistance Services with at least the same degree of accuracy, quality, completeness, timeliness, responsiveness and resource efficiency as it provided and was required to provide in connection with the same or similar Services. The quality and level of performance of the Termination Assistance Services provided by Supplier will continue to meet or exceed the Service Levels and will not be degraded or deficient in any respect, and all Service Levels and associated Service Level Credits will still apply during this disengagement period.

2.3.5 Notwithstanding Section 2.3.1, in the event that (i) Supplier terminates this Master Agreement or any Work Order for cause, (ii) Citi terminates any Work Order or Service for convenience, or (iii) this Master Agreement or any Work Order expires and is not renewed (whether expressly or automatically), Citi will pay Supplier’s rate card rates set forth in Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) for Termination Assistance Services. In the event that Citi terminates this Master Agreement, a Work Order or any Service for material breach pursuant to Sections 2.1.2(a), 2.2.2(a)(i) or 2.2.2(c), Termination Assistance Services will be provided at no additional cost to Citi.

2.3.6 If Citi relinquishes control of a business unit, division, department or Affiliate after the Effective Date of this Agreement (each such entity, a “Divested Entity”), then upon Citi’s request, Supplier will continue to provide the Services to such entity after the date such entity becomes a Divested Entity for a period of time requested by Citi, which period shall be the longer of (i) two (2) years or (ii) the term of any Transition Services Agreement with the acquiring entity, at the rates and in accordance with the terms and conditions set forth in

this Master Agreement and the applicable Work Order(s). Such continued Services will be seamless to the Divested Entity and its employees and shall not require any new databases, websites or telephone numbers. If the Divested Entity agrees in writing to abide by the terms and conditions of this Agreement, then Citi will be relieved of any payment or other liability relating to the provision of Services to the Divested Entity.

2.4 Retention of Archival Copy. In the event of expiration or termination for any reason of this Master Agreement or any Work Order, notwithstanding any provision of this Agreement to the contrary, Citi shall be entitled to retain copies of Supplier Materials (and related documentation) and Supplier Confidential Information for archival purposes and to satisfy Citi’s obligations under Applicable Law.

3. SERVICES IMPLEMENTATION

3.1 No Obligation to Purchase. This Master Agreement does not commit Citi or any Citi Affiliates to purchase any services or products. Nor does it preclude or limit Citi or any Citi Affiliate from independently acquiring or developing competitive products or services for itself or its customers, or from providing competitive products or services to its customers, provided that such activities do not cause Citi to breach its confidentiality obligations or any licenses under this Agreement. Rather, this Master Agreement merely sets forth the terms and conditions that will govern the provision of Services or Deliverables as a result of the execution of a Work Order by Supplier and the entity designated above as Citi (or an Affiliate of Citi thereof). Supplier may not refuse to provide any new services reasonably requested by Citi if Supplier is already providing such service or a similar service to Citi or to another Supplier customer. The scope and commercial terms for such new services shall be negotiated in good faith by the Parties.

3.2 Work Orders. Either the entity designated above as Supplier or any Affiliate of Supplier, and either the entity designated above as Citi or any Affiliate of Citi, and any combination of the foregoing, may enter into Work Orders under this Master Agreement. The entity that executes (or is deemed to have executed) a Work Order shall be considered the “Supplier” and “Citi” (respectively) for all purposes of the Work Order, and the Work Order shall be considered a two-party agreement between those entities. Each Work Order shall incorporate by reference the provisions of this Master Agreement as if those provisions were set forth therein in their entirety. The entity designated on this Master Agreement as “Supplier” shall be jointly and severally liable for all obligations and liabilities of any Supplier Affiliate arising under this Master Agreement and any Work Order, including arising under any breach thereof. At Citi’s discretion, Work Orders may be entered into by the Parties either: (x) by signing a document substantially in the form of a Work Order set forth in Appendix 3.2 (Form of Work Order); (y) by use of an electronic form through one of Citi’s Corporate Procurement Services’ electronic ordering application systems; or (z) a Citi NEMS. Any such electronic form generated from the use of such system shall be deemed to be a “Work Order” that is subject to the terms and conditions of this Agreement and that has been executed and accepted by both Citi and Supplier upon the issuance by Citi of that form and either Supplier’s electronic confirmation through these systems that it has accepted the Work Order or Supplier’s commencing the performance of the Services pursuant to that form. The Work Order will be deemed to have been executed and accepted by both Citi and Supplier upon Supplier’s electronic confirmation through such system that

it has accepted the Work Order or by means of Supplier commencing the performance of the Services and Deliverables requested pursuant to such Work Order.

3.3 Local Country or Regional Requirements and Agreements.

3.3.1 The provisions of Appendix 3.3.1 (Local Country Addenda) relating to country-specific or region-specific requirements apply when Citi or a Citi Affiliate is to receive the Services or Deliverables or the benefit of the Services or Deliverables in or from such country or region (“Local Country Addenda”).

3.3.2 In the event that Citi or a Citi Affiliate is to receive the Services or Deliverables or the benefit of the Services or Deliverables in any country or region outside the U.S. that is not the subject of a Local Country Addendum as of the Effective Date, and there are local legal or regulatory requirements related to the provision of such Services or Deliverables, at Citi’s request, Supplier and Citi (or a Citi Affiliate) shall enter into and be bound by a new Local Country Addendum addressing such legal or regulatory requirements. Each such Local Country Addendum shall be made a part of this Agreement and shall apply to all Services or Deliverables to the extent (and only to the extent) they are to be provided to, or for the benefit of, Citi or its Affiliates in such country or region. From time to time, Citi (or a Citi Affiliate) may request changes in the Local Country Addenda as may be required to address changes in Applicable Law and policies and their interpretation. In such case, Supplier and Citi (or a Citi Affiliate) shall undertake reasonable efforts to negotiate and agree to such changes, provided that Supplier shall accept any changes that are necessary as a result of the differences between this Master Agreement and the Original MPSA, or as a result of changes in Applicable Law.

3.3.3 Without limiting Supplier’s obligations under Section 22 (Compliance with Law) of this Agreement, Supplier expressly agrees that it will comply, and will cause its Personnel to comply, with the regulations and amendments thereto issued from time to time by: (i) the Office of the Comptroller of the Currency, Administrator of National Banks, (ii) the United Kingdom Financial Conduct Authority, (iii) the United Kingdom Prudential Regulation Authority, (iv) The American Institute of Certified Public Accountants, (v) The U.S. Department of Treasury’s Office of Foreign Assets Control and (vi) the Monetary Authority of Singapore, in each case to the extent applicable.

3.4 Required Consents.

3.4.1 Citi shall be responsible for all activities and costs (e.g., transfer or upgrade fees) arising out of Required Consents Citi must obtain to receive the Services. Supplier shall be responsible for all activities and costs arising out of Required Consents Supplier must obtain to provide the Services.

3.4.2 To the extent Citi provides Supplier with third party hardware, software, firmware or other products in connection with Supplier’s provision of Services, such materials shall be deemed Citi’s “Confidential Information” and Supplier shall not (i) use any such materials other than as necessary to provide the Services unless directed otherwise in writing by Citi, (ii) use any such materials for the benefit of any person or entity other than Citi unless directed otherwise in writing by Citi, (iii) separate or uncouple any portions of such materials, in whole or in part, from any other portions thereof, or (iv) reverse assemble, reverse engineer, translate, disassemble, decompile or otherwise attempt to create or discover any source or human readable code, underlying algorithms, ideas, file formats or programming interfaces of such materials by any means whatsoever.

3.5 Transition Services.

3.5.1 In order to migrate any existing services being performed by Citi, any Citi Affiliate or any third party service provider from Citi, its Affiliate or such third party service provider to Supplier, Supplier shall provide those Services necessary to effect such migration, as set forth in the applicable Transition Plan (collectively, “Transition Services”), and in accordance with the Transition Milestones set forth therein. Supplier shall assign a Transition Services team headed by an experienced transition manager who shall be deemed “Key Personnel” until steady-state implementation of Services under such Transition Plan is complete.

3.5.2 Supplier shall notify Citi when it believes it has completed the Transition Services. Supplier shall document and demonstrate to Citi’s reasonable satisfaction that the Transition Milestones have been fulfilled. Upon Citi’s confirmation of completion, Supplier shall commence the orderly cessation and removal of tasks and materials specific to the Transition Services, without disruption to Citi’s operations or Supplier’s ongoing Services. Supplier acknowledges that no Transition Services shall be deemed complete until Citi indicates in writing that Supplier has successfully completed the Transition Services in accordance with the process identified in the Transition Plan and all applicable Acceptance Criteria.

3.5.3 In the event that Citi determines, in its reasonable discretion, at any time or times during the Transition Services, that Citi or the quality or continuity of the services being migrated has been materially and adversely affected in any way, or that any such material and adverse effect seems reasonably likely to occur, Citi may: (i) direct Supplier to stop and proceed no further with such Transition Services until such time as Supplier shall have (x) analyzed the cause of such effect, (y) developed a reasonable plan for resuming Transition Services in such a manner as to eliminate or avoid such effect, and (z) received Citi’s written approval to proceed with Transition Services, (ii) direct Supplier to stop and proceed no further with such Transition Services, or (iii) if the material and adverse impact on the Services is the result of Supplier’s failure to implement the Transition Plan properly, terminate the applicable Work Order, with no requirement to pay any Exit Fees.

3.5.4 Supplier shall provide the Transition Services in a manner that will not (i) disrupt or have a material adverse impact on the business or operations of Citi or its Affiliates, or (ii) disrupt or interfere with Citi’s ability to obtain the full benefit of the Services. Prior to undertaking any specific Transition Service, Supplier shall discuss with Citi any risks associated with such Transition Service, and shall not proceed until Citi informs Supplier in writing that Citi is reasonably satisfied with the mitigation plans with regard to such risks. Supplier acknowledges that neither its disclosure of any such risks to Citi, nor Citi’s acceptance of Supplier’s plans to address such risks, shall limit Supplier’s responsibilities under this Agreement.

3.5.5 Supplier shall meet at least weekly (or at other mutually agreed times) with Citi to report on its progress in providing Transition Services and meeting the Transition Milestones or other timetable set forth in the Transition Plan. Supplier shall provide written reports to Citi at least weekly regarding such matters, and shall provide oral reports more frequently if reasonably requested by Citi. Promptly upon becoming aware of any information indicating that Supplier may not provide Transition Services in accordance with the Transition Milestones or timetable set forth in the Transition Plan, Supplier shall notify Citi of such

delays and shall identify for Citi’s approval specific measures to address such delays and mitigate the risks associated therewith.

3.5.6 If Supplier’s acts or omissions under the applicable Transition Plan result in a failure to meet the Transition Services termination date specified in such Transition Plan, and Citi has not exercised its right to terminate the applicable Work Order pursuant to Section 3.5.3, Supplier will issue to Citi the applicable Transition Credits in accordance with the Transition Plan. Supplier shall deduct the aggregate amount of Transition Credits from the invoice immediately following the termination date specified in the applicable Transition Plan.

3.5.7 Transition Services shall be provided without charge for up to a six (6) week transition period, or such other period set forth in the applicable Work Order, commencing as of the date Supplier commences providing Transition Services for a Work Order.

3.6 Citi Failures. Supplier’s failure to perform the Services or to meet the Service Levels shall be excused if and only to the extent Supplier’s non-performance is caused by Citi’s failure to perform its obligations under this Agreement (a “Citi Failure”), provided that (i) Supplier notifies Citi as soon as reasonably practicable after becoming aware of the Citi Failure, (ii) Supplier uses commercially reasonable efforts to provide the Services notwithstanding the Citi Failure and (iii) Supplier is able to demonstrate that the Citi Failure is the sole cause of Supplier’s non-performance.

3.7 Backups. Unless otherwise set forth in a Work Order, Supplier will perform backups of all data, information, materials, and records it creates or stores on its systems or any system that is not part of Citi’s Systems related to the Services. Backups must be made using reasonable commercial practices, on not less than a daily basis. On at least a monthly basis, Supplier shall move Citi-related backup media to an offsite storage facility located within the same country. Supplier will restore any corrupted or lost files using the most current backup media available. Upon Citi’s written request, Supplier will purge its systems of backup records (in whole or in part as directed by Citi) and will provide written certification to Citi evidencing its compliance with Citi’s request.

3.8 Customer-Facing Services. If, in connection with providing the Services, Supplier is interacting with any individual in such individual’s capacity as a past, current or potential customer of Citi (each individual, a “Customer” and those Services, the “Customer-Facing Services”), then Supplier will additionally comply with all terms and conditions set forth in Appendix 3.8 (Additional Terms for Customer-Facing Services).

4. RELATION OF PARTIES

4.1 Citi and Citi Affiliates. Supplier acknowledges that Citi and each of Citi’s Affiliates may use or benefit from the use of any Services, Deliverables or any information or materials to be provided by Supplier.

4.2 Contract Governance Organization.

4.2.1 Contract Governance Activities. Contract governance activities with respect to the Services shall consist of oversight by Citi (as a customer of Supplier’s services) of day-to-day operations pertaining to the subject matter of the Services, Service problem identification and resolution, Service Level review, changes to the Services, planning, and budgeting. Supplier shall ensure that Citi has reasonable and timely access to Supplier’s

management and subject matter experts with respect to any issue relating to Supplier’s provision of Services or the relationship between the Parties, as may be appropriate under the particular circumstances.

4.2.2 Project Managers. For each Work Order, the Parties shall each appoint an individual to serve as that Party’s primary representative under such Work Order (each, a “Project Manager”). Each Project Manager shall (i) be authorized to act for and on behalf of such Party under the applicable Work Order with respect to the day to day operation of the Services, and (ii) be responsible for attempting to resolve disputes concerning this Agreement and the provision of Services hereunder in accordance with the dispute resolution procedures set forth in Section 23 (Choice of Law and Dispute Resolution). The Project Managers are identified in each Work Order.

4.2.3 Program Managers. Each Party shall also each appoint an individual to serve as that Party’s primary representative for the entire Master Agreement (each, a “Program Manager”) and each Service category (e.g., ADM Services, Co-Managed Services, Managed Services). Each Program Manager shall (i) have overall responsibility for managing and coordinating the performance under this Master Agreement of the Party that appointed him or her, (ii) be authorized to act for and on behalf of such Party under this Master Agreement with respect to the applicable Services, and (iii) be responsible for attempting to resolve disputes concerning this Master Agreement and the provision of the applicable Services hereunder in accordance with the dispute resolution procedures set forth in Section 23 (Choice of Law and Dispute Resolution). In addition, Supplier shall immediately provide Citi’s Program Manager with a copy of any non-ordinary course notice or other written communication provided to Citi in connection with the applicable Services and/or this Master Agreement (including notices and communications relating to termination or expiration of any Work Order or any allegation of any current or prospective breach of this Master Agreement or any Work Order). The initial Program Managers are identified on Appendix 4.2.3 (Governance).

4.2.4 On-Site Account Managers. In addition to the Supplier Personnel assigned to a particular Work Order, as a part of the Services and at no additional expense to Citi, Supplier shall provide a full-time on-site account manager at each Service Location and each Citi Location as mutually agreed upon between the Parties based on business considerations.

4.2.5 Supplier Relationship Managers. The Project Managers and Program Managers referenced in Section 4.2.2 and 4.2.3 above (the “Supplier Relationship Managers”) shall serve as the initial points of accountability for the Services. The Parties agree that the Supplier Relationship Managers shall be considered Key Personnel under this Agreement and shall be subject to the provisions of Section 4.7 (Key Personnel and Transferred Resources).

4.2.6 Meetings. During the Term, the Project Managers and the Program Managers shall, unless otherwise agreed in an applicable Work Order, meet on a schedule to be established by the Parties to discuss the Services and other matters arising under this Agreement. Such meetings shall include, unless otherwise agreed in an applicable Work Order, the following:

(a) for each Work Order, at the election of the Citi Project Manager for the Work Order, a monthly meeting of the Project Managers for such Work Order to review performance and monthly reports, invoices, and employee attrition planned or

anticipated activities and changes that might impact costs and expenses, performance, and such other matters as deemed appropriate by Supplier or Citi;

(b) a quarterly meeting (i) for each Work Order, of the Project Managers for such Work Order and (ii) of the Program Managers, in each case to review the monthly reports for the calendar quarter, review Supplier’s overall performance under this Agreement, review progress on the resolution of issues, and discuss other matters as appropriate;

(c) the meetings of the Steering Committee set forth in Section 4.2.7 below; and

(d) such other meetings as Citi or Supplier may reasonably request.

4.2.7 Steering Committee. Each Party shall also each appoint an equal number of members of their respective senior management teams to an executive committee (the “Steering Committee”). The Steering Committee shall meet at least once every six (6) months to discuss strategic planning, review performance under this Agreement, and shape the ongoing relationship between the Parties. The Steering Committee shall also be responsible for attempting to resolve Disputes concerning this Master Agreement and the provision of Services hereunder in accordance with the procedures set forth in Section 23 (Choice of Law and Dispute Resolution). The initial Steering Committee members are identified on Appendix 4.2.3 (Governance). Citi and Supplier shall each have the right to replace the individuals designated as its members of the Steering Committee upon reasonable prior written notice to the other Party.

4.2.8 Citi Participation in Supplier Customer Groups. Throughout the term of this Master Agreement, Supplier shall offer Citi the opportunity to include representatives on all committees, focus groups, forums, and panels Supplier organizes with respect to customers that receive services similar to the Services, including any executive council or other similar customer group organized by Supplier.

4.3 Change Control Procedures.

4.3.1 The Parties shall use the procedures set forth in this Section 4.3 to: (i) modify, upgrade, or otherwise change the Services (including the elements and/or frequency of any task performed as part of the Services), (ii) increase or decrease the amount of a particular Service beyond what was provided in a Work Order, or (iii) change the means or manner in which the Services are provided (collectively, “Changes”).

4.3.2 The Party that wishes to make a Change shall deliver to the other Party a written request in the form that Citi provides to Supplier that will contain as much detail as is reasonably practicable regarding the nature and scope of the Change, including the proposed implementation date, and the priority of the Change in relation to other pending Changes (each such request, a “Change Request”). The Parties shall develop a process to ensure that any Change Requests made by Citi are managed and prioritized appropriately. A Party’s submission of a Change Request shall not be deemed to be a commitment to enter into a final Change order.

4.3.3 As soon as is reasonably practicable following receipt of a Change Request, the Party receiving such Change Request shall conduct an initial assessment of the requested Change and the proposed implementation date, and shall provide its initial assessment to the other Party.

4.3.4 As soon as is reasonably practicable following receipt of a Change Request (but if the matter is urgent as communicated to Supplier by Citi or relates to a Change requested pursuant to Section 22.1 (Compliance with Law), no later than twenty (20) days following receipt of a Change Request), Supplier shall deliver to Citi (at no cost to Citi) a high-level plan (“High Level Plan”), which plan shall include a description of (i) the scope of the Change Request, (ii) the estimated resources required to implement the Change Request, (iii) an approximate budget for such Change Request, and (iv) a proposed timeline for completion of such Change Request.

4.3.5 Based on the High Level Plan, the Parties shall develop a Change order that sets forth the respective obligations of the Parties with respect to the implementing the Change Request; provided that, in developing any such Change order, the Parties shall take into account each Party’s respective timelines and resources for completion of such Change orders. If the (i) Change was requested pursuant to Section 22.1 (Compliance with Law), or (ii) Parties to an applicable Work Order agree to a one-time fee or an increase or decrease in the Service Fees to be paid to Supplier because of a Change Request, Supplier shall be obligated to implement such Change. If the Parties are unable to agree to such a one-time fee or increase or decrease in the Service Fees, then the Parties shall submit such dispute for resolution in accordance with the dispute resolution procedures set forth in Section 23 (Choice of Law and Dispute Resolution).

4.3.6 Any and all documentation relating to a Change and the performance by the Parties of their respective obligations under such documentation shall be subject to the terms and conditions of this Master Agreement and the applicable Work Order. The Parties shall coordinate their respective efforts to efficiently implement a Change with the goal of enabling Supplier to continue providing the Services in accordance with the terms of this Master Agreement and the applicable Work Order, and with the goal of not disrupting and not having a material adverse impact on the business or operations of Citi or its Affiliates. A Change order will become effective upon its signing by the Program Managers of Citi and Supplier. Upon implementation of the Change, the changed services shall then be deemed “Services” and subject to the provisions of this Agreement.

4.3.7 Routine changes made in the ordinary course of Supplier’s provision of Services that are performed within the then-existing resources used to provide Services and that do not affect Service Levels (including changes to operating procedures, schedules and Equipment configurations) shall be made at no additional cost to Citi and without the requirement of a Change order.

4.3.8 Notwithstanding anything to the contrary in this Agreement, Supplier shall not, without Citi’s prior written consent, make any change, including the implementation of technological changes, that (i) causes an adverse impact on Citi, including a change that requires Citi to retrain its employees, imposes costs on Citi, or changes the methodology for calculations, or (ii) adversely affects the functions or performance of, or decreases the operational efficiency of, the Services.

4.3.9 Any work that modifies the obligations of the Parties to a Work Order on an ongoing basis may require an amendment to such Work Order, or the Parties may agree that an amendment is preferable to a Change order. If so, Supplier shall prepare a draft amendment to such Work Order setting forth the effect of the amendment on the Services, and the Service Fees payable thereunder.

4.4 Independent Contractor. Supplier will provide all Services as an independent contractor. Neither this Agreement nor Supplier’s provision of Services shall create an association, partnership, joint venture, or relationship of principal and agent, master and servant, or employer and employee, between Citi and Supplier, and neither Party will have the right, power or authority (whether expressed or implied) to enter into or assume any duty or obligation on behalf of the other Party.

4.5 Supplier’s Personnel. Supplier will (if requested by Citi at any time before or during performance of any Services pursuant to a Work Order) provide information substantiating the qualifications of any individual who Supplier intends to assign, or has assigned, to provide Services pursuant to a Work Order. At Citi’s option, Supplier will, at no cost to Citi, for Staff Augmentation Services and Co-Managed Services, (i) use an industry standard certification firm (e.g., Brainbench, Sylvan) to test all individuals whom Supplier intends to assign or re-assign, or has already assigned or re-assigned, to provide such Services pursuant to any Work Order, (ii) cause such individuals to maintain the certification and qualifications current and relevant during the term of the Work Order, and (iii) provide the results of Citi-required third party assessments and certifications to Citi prior to assignment, re-assignment or proposed assignment. For the avoidance of doubt, all individuals presented to Citi shall be subject to Citi’s Supplier Personnel resource assessment process, must be qualified in the technology and role to which the individual is assigned pursuant to the applicable Work Order and have a passing grade in the relevant certification test and/or third-party assessment prior to being on-boarded. The minimum passing grade shall be determined by Citi at Citi’s sole and absolute discretion. Citi will be entitled to review such information and interview such individual in order to confirm the qualifications. After an individual has been assigned to provide Services pursuant to a Work Order, Supplier will not, within twenty-four (24) months following the date of such assignment, reassign or utilize such individual in connection with any assignment other than such Services without the prior written consent of Citi. In addition, Supplier will assign its Personnel to Services in a manner that minimizes disruptions caused by the need for reorientation. Supplier will ensure that its Personnel will not hold themselves out as employees or agents of Citi, nor seek to be treated as employees of Citi for any purpose, including claims of entitlement to fringe benefits provided by Citi, or for disability income, social security taxes or benefits, Federal unemployment compensation taxes, State unemployment insurance benefits or Federal income tax withholding at source. Supplier is solely responsible for all employer-related responsibilities with respect to its Personnel including, but not limited to maintaining all required insurance coverages, filing applicable tax returns hereunder, and making all required payments and deposits of taxes in a in a manner consistent with its status as an independent contractor. When, subject to Section 19.1 (Supplier Affiliates and Subcontractors), an Affiliate of Supplier is executing a Work Order with Citi under this Master Agreement, Citi consents to Personnel employed by Supplier being assigned to provide Services under that Work Order. Any such Personnel employed by Supplier shall be deemed to be employees of such Supplier Affiliate for purposes of each such Work Order being executed by that Supplier Affiliate.

4.6 Replacement of Supplier’s Personnel.

4.6.1 Supplier will immediately with notice (except with respect to Services performed by Supplier Personnel outside of India, in which case Citi shall determine, in its sole discretion, the notice period to be provided to Supplier (Personnel Replacement Notice”)) replace any individual assigned by Supplier to provide Services pursuant to a Work Order (each, a

“Replaced Supplier Personnel”), and bar such individual from providing Services for Citi, if Citi notifies Supplier that the individual (i) is not compatible with Citi employees connected with the Work Order, (ii) has failed to comply with any Applicable Law or with Citi’s security or work place policies or procedures (whether or not specified herein), (iii) has failed (in Citi’s sole determination) to provide Services in a professional and competent manner, or (iv) is unacceptable to Citi for any other lawful reason. Supplier further agrees to replace any individual assigned to provide Services pursuant to a Work Order and to bar such individual from providing Services for Citi immediately upon Supplier’s determination that the individual is unable or unwilling to provide the Services or to develop the Deliverables in a timely and professional manner. If Supplier removes an individual from performance of Services either at the request of Citi for cause or for Supplier’s own purposes, then Supplier will (at its expense) (x) provide the training and orientation required to enable the replacement Personnel to provide Services as required and (y) provide for an overlap period of six (6) weeks, such overlap period being modifiable at Citi’s option, where both the Supplier Personnel being removed and the replacement Supplier Personnel are assigned to support the relevant Work Order (and during such overlap period, Citi shall only be responsible for the charges associated with the individual who is being replaced). Supplier shall provide replacement Staff Augmentation Personnel acceptable to Citi within thirty (30) days (or within sixty (60) days, if the Replaced Supplier Personnel performed the role of project manager or was billable to Citi at a Specialty Rate) following Supplier’s receipt of a Personnel Replacement Notice. If Supplier is unable to comply with the requirement set forth in the immediately preceding sentence, Supplier agrees to pay or credit Citi the amount equivalent to the number of days on which replacement Staff Augmentation Personnel was unavailable to perform Services multiplied by the daily rate applicable to such Personnel.

4.6.2 If Citi seeks, pursuant to Section 4.6.1, the removal or replacement of any Supplier Personnel for Staff Augmentation Services within the six (6) week period commencing as of the date such individual was initially assigned, Supplier shall not charge or invoice Citi for any work performed by such Supplier Personnel. If Citi seeks, pursuant to Section 4.6.1, the removal or replacement of any Supplier Personnel Citi within the eight (8) week period commencing as of the date such individual was initially assigned, Supplier shall not charge or invoice Citi for fifty percent (50%) of the work performed by such Supplier Personnel.

4.6.3 With respect to any Supplier Personnel providing Staff Augmentation Services or Co-Managed Services and any Key Personnel providing other Services, Supplier shall give Citi no less than six (6) weeks prior written notice when any Supplier Personnel providing such Services to Citi under any Work Order will cease working under such Work Order for any reason other than when the removal is directed by Citi or when such cessation is due to circumstances beyond Supplier’s control and was not reasonably foreseeable by Supplier (e.g., unplanned disability leave, death, quitting without notice), in which case Supplier will notify Citi promptly upon becoming aware of such circumstances. Supplier will (at its expense) provide an overlap period of six (6) weeks, such overlap period being modifiable by mutual consent (including consent given via email), during which both the departing Supplier Personnel and the replacement Supplier Personnel are assigned to support the relevant Work Order (and during such overlap period, Citi shall only be responsible for the charges associated with the individual who is departing). If such six (6) week overlap period (or any portion thereof) is not possible, Supplier shall provide a replacement Supplier

Personnel for a period of six (6) weeks (or the difference between the actual period of overlap and six (6) weeks) without charge, such period being modifiable by mutual consent (including consent given via email).

4.6.4 Supplier shall not remove, reassign or replace an individual providing Termination Assistance Services unless (i) Supplier has received the prior written consent of Citi thereto or (ii) such individual ceases performance of the Termination Assistance Services due to (w) voluntary resignation from employment, (x) dismissal from employment for misconduct (e.g., fraud, drug abuse or theft), (y) removal of such individual following his or her material failure to perform obligations pursuant to this Agreement or (z) death or disability of such individual. In the event of any violation of the foregoing, Citi shall be entitled to, among all other available remedies, withhold twenty five percent (25%) of the monthly fees under the relevant Work Order until such unauthorized removal is remedied.

4.6.5 Except for fixed price engagements for which payment milestones are deliverables-based, Supplier shall not materially change the Onshore/Offshore mix of Supplier Personnel for the provision of a Service without Citi’s prior written approval.

4.7 Key Personnel and Transferred Resources.

4.7.1 Citi may designate up to thirty percent (30%) of Supplier Personnel or particular positions as key personnel for a particular Work Order (“Key Personnel”). The initial list of names and/or positions of each of the Key Personnel for an applicable Work Order shall be set forth in such Work Order. Citi may from time to time change and add positions designated as Key Personnel. Supplier shall not assign Key Personnel to any project of any entity listed in Appendix 4.7.1 (Key Personnel - Restricted Entities) to provide similar services for a similar line of business of any such entity listed therein while such individual is working on the Citi account and for six (6) months after being reassigned from the Citi account, nor shall Supplier reassign Key Personnel as permitted hereunder any earlier than twenty-four (24) months from the date that such Key Personnel commenced performance of Services for Citi without the prior written consent of Citi.

4.7.2 Before assigning an individual to a Key Personnel position, whether as an initial assignment or as a replacement, Supplier shall provide Citi with (i) any information regarding the individual (including a resume) that may be reasonably requested by Citi and (ii) opportunities to interview the individual as reasonably requested by Citi. Supplier shall only assign to a Key Personnel position an individual who is pre-approved by Citi in writing.

4.7.3 During the term of a Work Order or any period during which Termination Assistance Services are being performed thereunder, Supplier shall not reassign or replace, or permit the reassignment or replacement of, any Key Personnel unless (i) Supplier has received the prior written consent of Citi for such reassignment or replacement or (ii) such Key Personnel ceases performance of the Services due to (w) voluntary resignation from employment, (x) dismissal from employment for misconduct (e.g., fraud, drug abuse or theft), (y) removal of such Key Personnel following his or her material failure to perform obligations pursuant to this Agreement or (z) death or disability of such Key Personnel. Notwithstanding anything to the contrary elsewhere in the Agreement, the restriction against reassignment or replacement of Key Personnel set out in the previous sentence shall be only for a maximum period of twenty four (24) months commencing from the start date of such Key Personnel’s engagement in the applicable Work Order, including Key

Personnel engaged to perform Transition Services. The prior written consent of Citi referenced in this Section 4.7.3 with respect to each Key Personnel, may be withheld by Citi in its sole and absolute discretion if such requested reassignment or replacement would occur during the first eighteen (18) months of such Key Personnel’s engagement in the applicable Work Order, but such consent with respect to such Key Personnel shall not be unreasonably withheld thereafter during the remaining term of the Work Order. Supplier shall have in place at all times a retention plan applicable to Key Personnel. Notwithstanding anything to the contrary in Section 27, in the event of any termination (voluntary or otherwise) of any Key Personnel from employment with Supplier, Citi may interview and hire such individual.

4.7.4 If Citi decides, in its sole discretion, that any Key Personnel should not continue in that position, then Citi may request removal of that individual. Supplier shall promptly replace that individual pursuant to Section 4.7.2 above. If Supplier is unable to replace such Key Personnel with an individual approved by Citi (which approval may not be unreasonably withheld) and there is significant impact on the Services, and Citi had reasonable grounds to request removal of the individual, then Supplier’s inability to replace such individual shall constitute a material breach of the applicable Work Order.

4.7.5 Supplier acknowledges that Citi may have critical knowledge vested among Citi employees currently deployed within the Citi locations. In order to carry out an effective transition of knowledge and requirements with respect to certain Services or Work Orders, it may be necessary for Supplier to offer employment to such Citi employees (“Transferred Resources”). Where and when such a requirement becomes necessary, the Parties will discuss and mutually agree on the number of such Citi employees to whom Supplier may make offer of employment. The Parties agree to negotiate in good faith written terms to carry out such a transition, based upon the following minimum requirements: (i) Supplier will not terminate the employment of a Transferred Resource for a period of twelve (12) months from the effective transfer date applicable to the respective Transferred Resource, except for cause or unless Citi otherwise agrees in writing, (ii) Supplier shall make its offer of employment on terms that Supplier normally would make under its hiring practices, including any requirement for relocation based on Supplier’s business requirements as a global service provider and consistent with Supplier’s technical solutions offered to Citi, (iii) Supplier will offer salary and benefits at a level which, taken as a whole, will not be less favorable to the Transferred Resource than what they were receiving from Citi or a Citi Affiliate in the twelve (12) months preceding their transition to Supplier, and effective from the Transferred Resource’s employment effective date with Supplier, Supplier shall become responsible for such Transferred Resource’s salary and benefits, and (iv) the Parties will agree rates that Supplier will be entitled to charge Citi for such Transferred Resources. Citi and Supplier agree that, subject to the requirements set forth above, all such Transferred Resources will remain “at will” employees from the perspective of the individuals concerned. The Parties acknowledge and agree that the provisions of this Section 4.7.5 shall constitute a limited exception to the obligations assumed by Supplier under Section 27 (Soliciting for Hire) of this Agreement, which obligations shall not be deemed to have been waived hereby.

4.8 Employee Attrition. Supplier shall, at all times, have in place measures reasonably designed to maintain its employee attrition rate at a level consistent with general industry standards for providers of services similar to the Services. Citi may reasonably request, and Supplier shall provide to Citi upon such request, information reasonably related to

employee attrition in connection with Supplier’s provision of Services under this Agreement. For any Staff Augmentation Services or Co-Managed Services, any Supplier Personnel leaving the Citi account prior to having serviced Citi’s account for less than twenty-four (24) months will be considered unplanned attrition.

4.9 Identification Information. Supplier shall provide a valid social security number or unique tax ID or equivalent identification number for any Supplier Personnel assigned to a Work Order and working at a Citi Location or requiring access to a Citi system.

4.10 Service Locations and Citi Locations.

4.10.1 The Services contemplated by each Work Order shall be provided from the Service Locations or Citi Locations expressly set forth in such Work Order. The Services may only be provided from another Service Location or Citi Location after approval by Citi in writing with respect to that Work Order and written approval by Citi of the security procedures at any new Service Location. Supplier shall reimburse Citi for any incremental expense incurred by Citi as a result of a Supplier-initiated relocation to a new Service Location or Citi Location.

4.10.2 Supplier shall provide a dedicated secure area at each Service Location in which only Services for Citi and applicable Citi Affiliates will be performed, and Supplier shall not provide any Services from any other area without the specific prior written approval of Citi.

4.10.3 Supplier will have operational, administrative, financial, and maintenance responsibility for all hardware, software and other Equipment used or provided by Supplier (including, without limitation, upgrades, replacements, additions, and refreshes) and Service Locations. Without limiting the generality of the foregoing, Supplier will provide all standard desktop computer hardware and software necessary for Supplier to provide the Services from the Service Locations, consistent with then-current industry standards. All standard desktop hardware and software used for personnel collaboration and productivity such as Windows 7 and/or Office 2010, email clients, etc. will be provided by Supplier for work performed from a Supplier Offshore location. Supplier’s purchase of technology for purposes of servicing Citi’s account shall comply with Citi’s then-current technology purchasing guidelines, which shall be provided by Citi to Supplier from time to time in writing. For a specific Work Order, Citi will supply any custom Hardware or Software needed for project execution or if Supplier procures the same, it shall be invoiced to Citi based on actuals with Citi’s request and approval.

4.10.4 Citi may, in its sole discretion, require Supplier to display, at Citi’s cost, Citi’s name and/or trademarks (collectively, “Citi Marks”) on signage on the exterior facade of the area dedicated to Citi’s captive tier at the Service Location (the “Citi Signage”). The Citi Marks to be used for the Citi Signage, if any, shall be selected by Citi, and Citi shall have the sole discretion to design and approve the Citi Signage. No signage using Citi Marks shall be displayed without Citi’s advanced written consent. To the extent any other signage (except Supplier signage) is or would be visible when viewing any Citi Signage, such other signage shall not: (i) be greater in size than the Citi Signage or (ii) advertise the name and/or trademarks of any Citi Competitor, including any such Citi Competitor’s products or services. Supplier shall remove, or have removed the Citi Signage within ten (10) Business Days of Citi’s request. All Citi Signage shall be the sole and exclusive property of Citi, and all benefits arising from the use of the Citi Marks shall inure to the benefit of Citi.

4.10.5 At Supplier’s expense, each Service Location from which Services are provided shall comply with the policies and procedures and other requirements described in Section 5.1 (Policies and Procedures) (including, without limitation, all policies and procedures and other requirements regarding (i) secure floor space and (ii) hardware/software refresh cycles). To the extent any Upgrades are made to Citi’s Systems in order to keep such systems generally current with those of other leading financial institutions or in order to receive services from other leading service providers, any corresponding Upgrades to hardware, software or other Equipment used by Supplier to provide the Services shall be done at Supplier’s sole expense, irrespective of any agreed upon refresh cycles. Any Upgrades to hardware, software or other Equipment used by Supplier to provide the Services that are necessitated by Upgrades to Citi’s Systems shall be made at Citi’s cost. The cost of any Upgrades to be performed at Citi’s expense shall be invoiced to Citi on a pass-through basis without markup.

4.10.6 Disaster Recovery Plan. Supplier shall have an actionable Continuity of Business Plan and Disaster Recovery Plan in place for each Service Location for the continuation of business (and provide evidence of its current and periodic testing if requested by Citi) so that despite any disruption in Supplier’s ability to provide the Services or to perform its other obligations hereunder from any particular Service Location or through the efforts of any particular Personnel, Supplier will promptly be able to provide the Services and perform its obligations from an alternate location or with replacement Personnel. Supplier shall ensure that such plans satisfy and remain in compliance at all times with Citi’s business continuity standards that are provided or made available by Citi to Supplier. Supplier’s Continuity of Business Plan and Disaster Recovery Plan, including test results, shall be subject to review by Citi. Supplier will include in the Disaster Recovery Plan written instructions or other information necessary for Citi to continue to receive Services from Supplier under circumstances where Supplier has had to invoke its Disaster Recovery Plan. Supplier shall provide a copy of the Disaster Recovery Plan to Citi within ten (10) days of the Effective Date of this Agreement, and annually thereafter. Without limiting the foregoing, Supplier’s Disaster Recovery Plan and related processes and controls will include, at a minimum, annual testing, as well as a process to promptly notify Supplier’s customers in the event any Disaster Recovery Plan or related processes or controls must be put into effect. Supplier will ensure that any Subcontractor of Supplier maintains a Disaster Recovery Plan and related processes and controls that apply to Supplier to the same extent as Supplier’s Disaster Recovery Plan applies to Citi. If requested by Citi or Citi’s Affiliates, Supplier will participate, at no cost or charge to Citi, in Citi’s disaster recovery exercises. If any data or other electronic information or materials related to the conduct of work under this Agreement is in Supplier’s possession or control, Supplier shall perform periodic backup of all such data or other electronic information or materials in compliance with Citi procedures specified in writing to Supplier and industry standards where not specified, which backup shall be stored securely to facilitate disaster recovery. Without prejudice to the foregoing, at Citi’s request, and upon reasonable notice, Supplier shall provide Citi with such information regarding the Supplier Continuity of Business Plan and Disaster Recovery Plan as Citi reasonably deems necessary. Supplier shall thereafter keep Citi informed of any material alterations to Supplier’s Continuity of Business Plan and Disaster Recovery Plan.

4.11 Data Links.

4.11.1 Supplier is required to be linked to one or more Citi location(s), as designated by Citi in mutual consent with Supplier (such consent not to be unreasonably withheld, delayed or

conditioned), via high speed data link(s) (each, a “Data Link”) with appropriate bandwidth as reasonably required in accordance with the requirements of this Section. Unless otherwise agreed to by Citi and Supplier in writing, the cost of this and additional Data Link(s) will be borne by Supplier. The cost of any network demark Equipment (e.g., routers) that needs to be installed at such premises and the last mile connectivity (up to Citi’s firewall) will be borne by Supplier. The cost of any Equipment behind any such firewall will be borne by Citi.

4.11.2 Supplier will provide no less often than quarterly reports to Citi detailing data, voice and video usage originating to and from each Service Location.

4.11.3 Supplier shall ensure redundancy on the last mile circuits (no single point of failure) between Supplier’s and Citi’s networks.

4.11.4 Usage of Data Links must not exceed an average of seventy percent (70%) of available bandwidth over a sixty (60) minute time period over a ten (10) hour day for normal use. Occasional file transfer requirements are exempt from this. Citi will provide assistance in measuring the Data Link utilization. In a calendar month if in seventy percent (70%) of the samples the Data Link utilization exceeds seventy percent (70%), Supplier must promptly, and in no event later than thirty (30) days after the end of such month, share the upgrade plans for the Data Link(s) with Citi and, upon mutual agreement of Citi and Supplier, Supplier will initiate necessary actions to reduce future Data Link utilization. Supplier must complete implementation of such plan within one hundred twenty (120) days after the date of the mutual agreement of Citi and Supplier on such upgrade plan.

4.11.5 Supplier may request, and with Citi’s prior written approval, in Citi’s sole discretion, may buy network lines and Equipment at Citi’s internal prices, when possible. All Equipment connected to Citi’s System must adhere to Citi’s published standards and technology stacks. Citi will provide such standards to Supplier and update them regularly.

4.12 Co-Location Space. At Citi’s sole discretion, Supplier agrees to make available at no cost to Citi, adequate office space, internet access, and telephones (“Ready Desks”), for any Citi Personnel visiting the Service Location on a short-term basis for purposes such as audits and meetings. Further, upon Citi’s request, Supplier will make available, at no cost to Citi, Ready Desks facilities for the number of Citi’s Personnel equal up to five percent (5%) of the total number of Supplier Personnel working at the applicable Supplier facility for Citi at that time, and to Citi Personnel performing work on a long term basis with the Supplier Personnel in connection with this Agreement, including without limitation any work in connection with Section 2.3 (Orderly Transfer) of this Agreement. Citi will be responsible for compliance with all employment-related Applicable Laws and payroll withholding taxes and other Regulatory requirements with respect to Citi Personnel assigned to work at Supplier’s facilities. Supplier shall ensure that none of these Citi Personnel are actively involved in managing, assigning or directing the day to day activities of Supplier, and Supplier will immediately alert Citi’s Program Manager if Supplier becomes aware of such a situation. In the event that the requirement for such Ready Desks is greater than [***] percent [****] of the total number of Supplier Personnel working for Citi at that time, the Parties will negotiate in good faith the terms under which the excess requirement will be covered.

4.13 Required Relocation Events. If, in Citi’s reasonable determination, at any time during the term of a Work Order or any period during which Termination Assistance Services are

being performed thereunder: (i) the security or business continuity risks presented by the performance of Services at the Service Locations outside the United States (the “Non-U.S. Locations”) are significantly increased, (ii) the inflation and currency risk impact to Citi are significantly increased, (iii) Citi determines that the perception or reputation of Citi or its Affiliates in their marketplaces is negatively impacted, including as a result of the political or social climate or business environment or the enactment or enforcement of any Applicable Law affecting any of the Non-U.S. Locations, or (iv) a country in which a Service Location is located is placed on the United States Department of State’s “Warning List” ((i) through (iv) are hereinafter referred to as the “Required Relocation Event(s)”), Citi will have the right, exercisable by delivering written notice to Supplier, at Supplier’s cost, to require Supplier to relocate the applicable Services from the applicable Non-U.S. Locations to another site providing services similar to the applicable Services within another country that is reasonably acceptable to Citi (provided that the provision of Services from such site will remediate the risk or exposure that was the basis of the Required Relocation Event). Such relocation will be accomplished as soon as reasonably practicable under the circumstances with a view to avoiding any non-compliance with Applicable Law. Upon reasonable notice from Supplier, Citi will discuss such relocation in good faith. If the provision of Services from another Supplier site does not remediate the risk or exposure that was the basis of the Required Relocation Event or another Supplier site does not have the capacity required to be able to assume the Services to be relocated, then Supplier may discuss an alternate course of action with Citi and only if the suggested alternate course of action is not acceptable to Citi, Citi may terminate all or part of the affected Services without payment of any Exit Fees.

4.14 Requested Relocation Events. If, in Citi’s reasonable determination, at any time during the Term or any period during which Termination Assistance Services are being performed, Citi determines for any other reason (other than a Required Relocation Event) to relocate the applicable Services from the applicable Non-U.S. Locations (hereinafter referred to as the “Requested Relocation Event(s)”), Citi will have the right, exercisable by delivering written notice to Supplier, at Citi’s cost, to require Supplier to relocate the applicable Services from the applicable Non-U.S. Locations to another site providing services similar to the applicable Services within another country that is reasonably acceptable to Citi (provided that the provision of Services from such site will remediate the risk or exposure that was the basis of the Requested Relocation Event). Such relocation will be accomplished as soon as reasonably practicable under the circumstances with a view to avoiding any non-compliance with Applicable Law. Upon reasonable notice from Supplier, Citi will discuss such relocation in good faith. If the provision of Services from another Supplier site does not remediate the risk or exposure that was the basis of the Requested Relocation Event or another Supplier site does not have the capacity required to be able to assume the Services to be relocated, then Supplier may discuss an alternate course of action with Citi and/or Citi may terminate all or part of the affected Services, subject to payment of any Exit Fees.

4.15 Extension to Suppliers. Supplier will cooperate with Citi to identify opportunities for Citi to reduce the cost of obtaining technology from their suppliers. Towards this end, Supplier agrees that, at the request of Citi, Supplier will provide services in connection with Citi’s procurement of software/systems from Citi’s suppliers, and related integration, implementation or customization Services. Any amounts paid by Citi or its suppliers for services provided by Supplier pursuant to a work order or other agreement entered into

between any such supplier and Supplier in connection with such supplier’s engagement with Citi shall be credited towards Citi’s fulfillment of any minimums, and against the thresholds used to determine volume discounts or rebates, under this Master Agreement or any Work Order designated by Citi.

4.16 Continuous Improvement.

4.16.1 Solely with respect to Services other than Staff Augmentation Services, Supplier shall (i) continually seek to identify methods of reducing its charges, (ii) notify Citi on or before each anniversary of the commencement or start date of the applicable Work of such methods and the estimated potential productivity and cost savings associated with each such method, and (iii) implement effective as of such date such methods and savings to ensure a [*************] from year-to-year with a minimum of [***] in year-over-year cost reduction in the applicable Services Fees. If Supplier fails to achieve such minimum [*************] and [*****************************] with respect to any given [*********] ending each [******], Supplier shall promptly issue [******] to Citi in an [****************************************] and [*************************] and [***********] and the [*********************]. At least once each year, Supplier will identify and propose the implementation of a technology or process that is likely to improve the efficiency and effectiveness of the Services (including cost savings).

4.17 Quality Assurance.

4.17.1 Throughout the Term and at no additional charge to Citi, Supplier will use diligent efforts to improve the quality, efficiency and effectiveness of the Services to keep pace with industry best practices. Supplier will do this by (i) identifying and applying ‘best practice’ techniques and methodologies in providing and delivering the Services, (ii) training Supplier Personnel in new techniques and technologies used generally within Supplier’s organization or the various services industry and approved by Citi for use in rendering the Services, (iii) making investments to maintain the currency of the resources used by Supplier to render the Services, and (iv) continuously using diligent efforts to improve the cost-effectiveness of the Services. Without limiting the generality of the foregoing, Supplier shall develop, within three (3) months after the Service Commencement Date of each New Work Order, or in such other timeframe as may be agreed by the Parties with respect to such New Work Order, plans that ensure that all aspects of the Services to be provided under such Work Order are the subject of quality management systems (“Quality Plans”).

4.17.2 Supplier may not begin to implement the Quality Plans without Citi’s prior written consent to the Quality Plans, which consent shall not be unreasonably withheld, delayed, or conditioned. Supplier acknowledges and agrees that Citi’s consent to the Quality Plans shall not act as an endorsement of the Quality Plans, and shall not relieve Supplier of its responsibility for ensuring that the Services are provided in accordance with this Agreement.

4.17.3 Supplier shall ensure that all Services are carried out in compliance with the Quality Plans, and shall perform monthly internal quality audits to monitor the performance of the Services against the Quality Plans and report any non-compliance to Citi. Supplier shall maintain such internal audit reports for at least twelve (12) months and provide them to Citi upon Citi’s request.

4.17.4 Citi may audit Supplier’s quality management systems as they pertain to the Services (including all relevant Quality Plans and quality manuals and procedures) at regular intervals. Supplier shall cooperate with Citi in connection with such audits, including by providing Citi with all information and documentation, internal quality audit reports, and access to any relevant Supplier Personnel and/or premises, which Citi reasonably requires in connection with its rights under this Section 4.17, at no additional cost.

4.18 Remediation for Non-Compliance. Supplier shall promptly notify Citi if Supplier is not complying in any material respect with the provisions of this Agreement. Following such notice or upon Citi’s request if it reasonably appears to Citi that Supplier is not complying in any material respect with the provisions of this Agreement, the Parties shall meet and discuss appropriate remediation actions; provided that Citi shall also retain all other rights and remedies available to Citi under this Agreement or at law or in equity.

4.19 Notice of Inability to Carry Out Services. Supplier shall immediately notify Citi of any (i) development affecting Supplier or any of its Affiliates that could reasonably be expected to have a material impact on Supplier’s ability to carry out the Services effectively and, to Supplier’s knowledge, in compliance with Applicable Law, and (ii) error in the performance of a Service that, if not corrected, is reasonably likely to lead to a breach of this Agreement or the applicable Work Order, in each case, even if such development or error did not cause Supplier to fail to provide such Service in accordance with a Service Level.

5. POLICIES AND PROCEDURES

5.1 General. Supplier will comply and ensure that its Personnel and Supplier’s own security and workplace policies and procedures comply with (i) Citi’s security and privacy policies (including without limitation its information security standards and those standards referenced in Section 5.2), (ii) Citi’s work place policies and procedures in effect for any facility of Citi or a Citi Affiliate where the Services are provided, and (iii) policies, procedures and guidelines (including Citi’s Code of Conduct) promulgated by Citi or a Citi Affiliate that are designed to adhere to Applicable Law or designed to address Regulatory issues, and (iv) any other Citi policies provided by Citi to Supplier in writing which are applicable to the Services provided by Supplier (collectively, “Citi Policies”). In the event of any conflict between the obligations of Supplier under this Agreement or under any Citi Policy, Supplier shall comply with the more restrictive obligation(s). Supplier will ensure that all Services are provided in a manner that will minimize any interference with Citi’s or its Affiliates’ normal business operations. In addition, Supplier shall inform Citi in writing within twenty-four (24) hours whenever any of its Personnel who are engaged in performing Services stop performing such Services, for any reason. Supplier shall make all reasonable efforts to obtain from such Personnel any ID’s, system access cards, or any other privileges assigned to them by Citi, which remain the sole property of Citi at all times, and return them to Citi within five (5) Business Days after such Personnel stop performing Services.

5.2 BS 7799. BS 7799 is a British security standard designed to ensure information security in organizations covering information and data security. It also encompasses information technology systems security, network security, physical security and business continuity. Citi requires, and Supplier agrees that it will obtain and maintain, certification of BS 7799 compliance or, alternatively, ISO 27001:2007 compliance.

5.3 Costs. Citi shall pay any costs incurred by Supplier to modify the Services to render them compliant with any changes to the Citi Policies following the Effective Date pursuant to Section 5.1(i),(ii) and/or (iii), provided, however, that Supplier shall bear any costs incurred by Supplier in connection with any such modifications necessary to ensure that the Services are provided in accordance with Applicable Law or industry best practices.

5.4 Equipment and Network Security. Logs generated on servers and other devices (including, without limitation, firewall, IDS, and authentication systems) shall be retained by Supplier for at least 180 days. If access to Citi’s Systems is required in order for Supplier to fulfill its obligations to Citi, then Citi shall determine the nature and extent of such access. If Citi or any of its Affiliates provides Supplier with access to Citi’s Systems, then (i) any and all information relating to such access shall be considered Citi’s Confidential Information and shall be subject to the obligations of confidentiality set forth in Section 13 (Confidential Information) herein and (ii) Supplier shall comply with any instructions from Citi or its Affiliates related to such access. Supplier will not download, install or access any software application on Citi’s Systems without Citi’s prior written permission. In addition, any and all access to Citi’s Systems shall be subject to the following.

5.4.1 Citi’s Systems shall be used solely to provide Services for Citi, and not for any other purpose.

5.4.2 Access to Citi’s Systems and Citi Confidential Information shall be restricted to Supplier’s Personnel who are on-boarded by Citi and who need access in order for Supplier to fulfill its obligations under this Agreement, and no access rights will be transferred to any other individuals without the prior written consent of Citi.

5.4.3 Supplier will ensure that its Personnel do not attempt to break, bypass or circumvent Citi’s security systems, or attempt to obtain access to any hardware, programs or data beyond the scope of the access granted by Citi in writing.

5.4.4 Without limiting any of its other rights, Citi reserves (for itself and its Affiliates) the rights to restrict and monitor the use of Citi’s Systems, and to access, seize, copy and disclose any information, data or files developed, processed, transmitted, displayed, reproduced or otherwise accessed in conjunction with use of Citi’s Systems. Supplier will advise its Personnel concerning Citi’s reservation of its rights hereunder.

5.4.5 All user identification numbers and passwords for Citi’s Systems disclosed to Supplier, and any information obtained from the use of Citi’s Systems, shall be deemed Citi’s Confidential Information.

5.4.6 If Supplier or any Supplier Personnel becomes aware of a breach any provision of this Section, Supplier shall promptly notify Citi of such breach and cooperate as requested by Citi in any investigation of such breach.

5.4.7 A material failure by Supplier or Supplier’s Personnel to comply with the provisions of this Section shall constitute a material breach of this Agreement.

5.5 Deliverable Guidelines. Supplier will ensure that all Deliverables comply with Citi’s branding, design, usability and security guidelines that are provided by Citi to Supplier. If a Deliverable fails to satisfy the applicable requirements, then Supplier will be responsible for correcting any omissions or deviations at its expense. Any computer software Work Product developed by Supplier hereunder shall be accompanied by copies of applicable fully commented source code and Documentation to enable Citi’s Personnel to operate and

replicate all applicable executables and data files, using only such materials together with commercially available off-the-shelf tools and components.

5.6 Substance Abuse. Supplier will ensure that its Personnel who are natural persons and are assigned to provide Services to Citi do not sell, distribute, transfer, manufacture, process, possess, use or report to duty under the influence of illegal drugs or misuse alcohol or legal drugs within Citi’s facilities, on Citi’s property, or during the provision of Services for Citi. Citi may require Supplier Personnel be tested (at Supplier’s expense) for illegal drugs or misuse of alcohol or legal drugs, as a condition of providing Services to Citi. If any such Supplier Personnel refuses to submit to the test or if any such Personnel’s test results are positive for illegal drugs or the misuse of alcohol or legal drugs or otherwise unsatisfactory to Citi, Supplier agrees (i) to promptly remove such Supplier Personnel from any assignment with Citi or its Affiliates under this Agreement or any other agreement between Supplier (or its Affiliates) and Citi (or its Affiliates) and (ii) that such Personnel will not be assigned to provide Services to Citi or its Affiliates thereafter. Citi, at its sole discretion, may alter the type and method of testing at any time.

5.7 Criminal Background Checks. Supplier will not assign to Citi, or retain on assignment to provide Services to Citi, any Personnel that Supplier knows, suspects, or has reason to believe has been convicted of, pled guilty to, or participated in a pretrial diversion for, a crime of involving dishonesty, breach of trust, money laundering, or any other similar type of crime. Citi may require Supplier’s Personnel to complete and successfully pass a criminal background check (that may include fingerprinting), as a condition of providing Services for Citi. Each criminal background check will be subject to Citi’s standards and be conducted at Supplier’s expense. If a criminal background check on one of Supplier’s Personnel is conducted by or on behalf of Supplier (and not by Citi or Citi’s designee), then Supplier will provide written evidence of the criminal background check performed and the results thereof, upon Citi’s request.

5.8 Working Hours. Unless specified in an applicable Work Order, Supplier’s Personnel will observe the working hours, work rules and holiday schedule of Citi when working on Citi’s facilities, unless otherwise directed or agreed by Citi. The adherence by Supplier’s Personnel to such working hours, work rules and holiday schedules shall not justify any failure by Supplier to comply with agreed upon schedules and deadlines. Supplier acknowledges that Citi’s normal, professional workday consists of a minimum of eight (8) working hours, exclusive of time required for personal breaks and meals.

5.9 Diversity Initiative. Supplier acknowledges that Citi has implemented a Supplier Diversity Program, which, among other initiatives, encourages the use of minority and women, disabled and veteran-owned small businesses as suppliers and subcontractors (“Diverse Suppliers”) to the fullest extent possible. To assist Citi in complying with these goals, Supplier will, consistent with its other obligations hereunder and to the extent it is using Subcontractors or otherwise purchasing goods or services in connection with Supplier’s performance of its obligations under this Agreement, make good faith efforts to allocate not less than fifteen percent (15%) of the amount Supplier is spending with respect to its Subcontractors towards goods and services sourced from Diverse Suppliers. On an ongoing basis, Supplier will identify the efforts to be undertaken to achieve this goal, and any procurement opportunities that may exist relating to this Agreement that may be purchased from Diverse Suppliers. Supplier will provide Citi with information relating to Supplier’s expenditures, either direct or indirect, with Diverse Suppliers by completing a “Diversity

Profile Tier 2 Form” (which Citi may provide on a quarterly basis) and sending the completed form to Citi within fourteen (14) days following the later of: (i) the close of the calendar quarter during which Citi submits a Diversity Profile Tier 2 Form to Supplier or (ii) the date Supplier receives a Diversity Profile Tier 2 Form from Citi. Citi will keep and treat all Diversity Profile Tier 2 Forms in accordance with Citi’s confidentiality obligations as set forth in Section 13 (Confidentiality). Supplier will submit all completed Diversity Profile Tier 2 Forms to the attention of the Citigroup Supplier Diversity Program, 111 Wall Street, 7th floor, New York, NY 10005, Attn: Director, Supplier Diversity Program.

6. ACCEPTANCE OF DELIVERABLES AND PERFORMANCE OF SERVICES

6.1 Acceptance Test. After a Deliverable has been provided to Citi, or during the performance of the Transition Services or otherwise prior to the go-live date of a Service to be provided to Citi, Citi (or its designee) will be entitled to test the Deliverable or Service to determine if it operates in accordance with, and otherwise conforms to, the Acceptance Criteria. Supplier will provide (at no additional cost to Citi) such assistance as Citi may reasonably require to conduct the acceptance testing. Unless otherwise specified on the Work Order, Citi will have ninety (90) days from the date the Deliverable is received by Citi or the Service is made available to Citi, as applicable, to conduct acceptance testing, and may use its own internal test procedures.

6.2 Acceptance or Rejection. If Citi determines that a Deliverable or Service successfully operates in accordance with, and otherwise conforms to, the Acceptance Criteria, then Citi will notify Supplier that Citi accepts the Deliverable or the Service, as applicable. If Citi determines that a Deliverable or Service does not operate in accordance with, or otherwise conform to, the applicable Acceptance Criteria, then Citi will provide Supplier with a notice describing the Defect. Supplier will have ten (10) Business Days from the date it receives Citi’s notice of Defect to correct (at no additional cost to Citi) the Deliverable or Service. If Supplier delivers a corrected version of the Deliverable or Service, then Citi will be entitled to repeat the testing process. If (through no fault of Citi) Supplier fails to deliver, within the ten (10) Business Day period, a version of the Deliverable or Service that conforms to the Acceptance Criteria, then Citi may reject the Deliverable or Service and terminate the applicable Work Order (in whole or in part) upon notice to Supplier, with no payment of Exit Fees. If, within ninety (90) days from the submission of such Deliverable or Service for testing, or such other period specified in the relevant Work Order, Citi does not communicate the notice of acceptance or Defect with respect to such Deliverable or Service, then the Deliverable or Service, as applicable, will be deemed Accepted by Citi. Acceptance of a Deliverable or Service shall not constitute a waiver by Citi of any rights it may have based on Supplier’s warranties.

6.3 Completion of Delivery of Services and Deliverables. Delivery of all Deliverables or Services under a Work Order shall be deemed to have been satisfactorily completed only upon Citi’s Acceptance of all Services or Deliverables. If (through no fault of Citi) all of the Services and Deliverables have not been provided in an acceptable manner by the date set forth on the Work Order as the “Completion Date”, Citi may terminate the Work Order (in whole or in part) upon notice to Supplier, with no payment of Exit Fees.

6.4 Performance of Work.

6.4.1 Each Work Order for production support Services shall set forth the number of Supplier Personnel required to hold ITIL Certification, and the required level of ITIL Certification for each such Supplier Personnel.

6.4.2 Supplier and all Supplier Personnel will comply with the applicable duties imposed on Citi by the licenses and support agreements for all Citi software. Failure to comply with this Section shall be deemed a material breach of this Agreement.

6.4.3 All Services shall be performed in accordance with the Service Levels set forth in Appendix 7 (Service Levels), the applicable Work Order and the Quality of Service Metrics set forth on Appendix 6.4.3 (Quality of Service Metrics). During the applicable Evaluation Period set forth on Appendix 6.4.3 (Quality of Service Metrics), Supplier and Citi shall maintain an accurate record of the Quality Metric Credits accrued with respect to each Quality of Service Metric. Supplier shall promptly pay to Citi the aggregate amount of Quality Metric Credits accrued during the applicable Evaluation Period. “Quality Metric Credits” shall mean the performance credits specified in Appendix 6.4.3 (Quality of Service Metrics) that Supplier shall pay to Citi if Supplier fails to meet the Quality of Service Metrics.

6.4.4 In providing ADM Services, Supplier must (i) adhere to all guiding principles as specified in the ADM Services Standards document attached hereto as Appendix 6.4.4 (ADM Services Standards), and any updates thereto provided by Citi from time to time and (ii) perform such Services at least at CMMI Level 5 at all Service Locations and at all Citi Locations, provided that in the event of a conflict between the ADM Services Standards and the requirements of CMMI Level 5, the provisions of the ADM Services Standards shall control. Failure to comply with this Section 6.4.4 shall be deemed a material breach of the applicable Work Order.

6.5 Cooperation with Citi Vendors. Supplier will cooperate and collaborate with Citi and all third parties providing goods and services to Citi (“Vendors”), to the extent reasonably required by Citi or as otherwise reasonably necessary to identify and address issues and problems affecting the implementation and management of the Services, including (i) specifying the respective responsibilities of Supplier and each Vendor in order to ensure for the proper and complete implementation and performance of all Services to Citi’s reasonable satisfaction and in accordance with any applicable Service Levels, (ii) providing applicable requirements, standards and policies for the Services, in writing, so that any enhancements or developments by the Vendor may be operated by Supplier, (iii) providing reasonably requested assistance and support services to the Vendors, (iv) granting access to Supplier’s systems and Service Locations to the extent that access is required in order for the Vendors to fulfill its obligations to Citi, and (v) participating in service review meetings with Vendors, as requested by Citi from time to time.

7. SERVICE LEVELS

7.1 General. Supplier and Citi will each comply, and will ensure that their Personnel comply, with the obligations set forth in Appendix 7 (Service Levels).

8. BENCHMARKING

8.1 Beginning in 2015, and no less frequently than biennially thereafter, the Parties will engage the services of an independent third party (the “Benchmarker”) to benchmark the rates in

the then-current Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and any other rates used to set Service Fees (the “Rate Card Benchmarking”), the cost of which will be paid by Citi. From time to time, at Citi’s request, Citi will engage the Benchmarker to benchmark the Service Fees, Billing Units and Service Levels associated with a defined set of the Services (a “Services Benchmarking” and, together with the Rate Card Benchmarking, a “Benchmarking”). Any Benchmarker shall not be, or be wholly owned or controlled by, a competitor, or an affiliate of a competitor, of Supplier. The Parties will agree to a list of acceptable Benchmarkers from which Citi shall select, subject to the consent of Supplier (which shall not be unreasonably withheld, delayed or conditioned), a Benchmarker to perform the Benchmarking. The Benchmarker will be required to enter into customary confidentiality agreements with both Supplier and Citi, and all results of the benchmark and materials created pursuant to the benchmark shall be Confidential Material of Citi and Supplier, and shall only be used in connection with this Agreement or, in the case of both Citi and Supplier, for their own internal evaluation of similar agreements with third parties.

8.2 The Benchmarker shall perform the benchmarking in accordance with the Benchmarker’s reasonable documented procedures, which shall be provided to the Parties prior to the start of the benchmarking process. For any Rate Card Benchmarking, the Benchmarker shall compare the rates in the then-current Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and any other rates used to set Service Fees based on the location of the Supplier Personnel, the role of such Personnel, and whether they have any Specialty Skills, with the rates, based on comparable geographies, comparable roles and comparable skills, offered by Comparable Vendors to similarly situated customers, in terms of industry. For any Services Benchmarking, the Benchmarker shall compare the Service Fees, Billing Units, Service Levels and other aspects of the Services (e.g., type of service, geography, volume, onsite-offshore resource ratio, term) under this Agreement, a Work Order or a series of related Work Orders, to the fees, service levels and other aspects of offerings (e.g., type of service, geography, volume, onsite-offshore resource ratio, term) of a like mix of amounts and types of the same services offered by Comparable Vendors to similarly situated customers, in terms of industry and geography to which the applicable services are provided. “Comparable Vendors” shall mean suppliers of ADM Services mutually agreed between the Parties, as applicable with reputation substantially similar to that of Supplier Company. In the event of any disagreement between the Parties as to whether any such supplier is a Comparable Vendor, the same shall be referred to the Steering Committee for resolution, whose decision shall be final and binding. The Benchmarker will conduct the benchmarking in a reasonably prompt manner.

8.3 Each Party shall be provided a reasonable opportunity to review, comment on and request changes to the Benchmarker’s findings. Following such review and comment, the Benchmarker shall issue and deliver to each Party: (a) in the case of a Rate Card Benchmarking, a final report of its findings and conclusions, including any differences between the rates in the then-current Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and any other rates used to set Service Fees with those offered by the Comparable Vendors for comparable geographies, comparable roles and comparable skills or, (b) in the case of a Services Benchmarking, a final report of its findings and conclusions, including any differences between the Service Fees, Billing Units and Service Levels and those offered by the Comparable Vendors (the final report under clause (a) or (b), the “Benchmarking Report”).

8.4 Following the Parties’ receipt of a Rate Card Benchmarking Report, if any material difference exists between the rates in the then-current Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and any other rates used to set Service Fees, on the one hand, and those offered by the Comparable Vendors for comparable geographies, comparable roles and comparable skills, on the other, the Steering Committee will discuss the results and agree upon an equitable adjustment to Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and to any other rates used to set Service Fees. Factors that the committee will consider include: currency movements; various inflation indices; and relationship issues affecting pricing. The committee shall agree upon adjustments, if any, in a timely manner so that such adjustments can be effectuated on the first day of the first quarter following, by at least thirty (30) days, the completion of the Rate Card Benchmarking Report.

8.5 Following the Parties’ receipt of a Services Benchmarking Report, if any difference exists between the Service Levels offered or Service Fees and billing Units charged by Supplier in connection with the Services, and the service levels offered or service fees charged by the Comparable Vendors, such that adjusting for such difference would represent either a material change in the applicable Service Levels, the applicable Service Fees, or the applicable Billing Units, the Steering Committee will discuss the results and agree upon an equitable adjustment to applicable Service Levels, the applicable Service Fees and/or the applicable Billing Units. Factors that the committee will consider include: currency movements; quality of resources engaged from Supplier; productivity of Supplier; various inflation indices; and relationship issues affecting pricing. The committee shall agree upon adjustments, if any, in a timely manner so that such adjustments can be effectuated on the first day of the first quarter following, by at least thirty (30) days, the completion of the Services Benchmarking Report.

8.6 If, for any reason, there are any disputes related to Benchmarking that remain unresolved within a reasonable time period following escalation to senior management pursuant to Section 23 (Choice of Law and Dispute Resolution) of the Agreement, then the Citi may elect, in its sole discretion, to terminate the Work Order(s) to which the benchmarked rates, Service Levels, Service Fees or Billing Units apply, with such termination pursuant to Section 2.2.2(b) (For Convenience) of the Agreement.

9. PROPRIETARY RIGHTS

9.1 Rights to Property Covered Under Separate Agreement With Citi. The Parties specifically acknowledge and agree that the rights and obligations of the Parties with respect to any of Supplier’s proprietary software, any third party software, or any other intellectual property that Citi has licensed (or agrees to license) under a separate, duly signed, written agreement shall be determined in accordance with the provisions of the applicable agreement and shall not be included within the meaning of the phrase “Supplier Materials”, as defined in Section 9.2.

9.2 Supplier Materials. Citi acknowledges that in developing or providing the Services, a Deliverable, or any other Work Product, Supplier may utilize pre-existing proprietary methodologies, tools, models, software, procedures, documentation, know-how and processes owned by Supplier (“Supplier Materials”). If any Supplier Materials are incorporated into a Deliverable or provided in conjunction with the Services, a Deliverable, or any other Work Product, Supplier will so notify Citi, and Supplier will be conclusively

deemed to have (at no additional cost) granted to Citi and its Affiliates a perpetual, worldwide, irrevocable, royalty-free, non-exclusive license (i) to use, execute, reproduce, display, perform, distribute, and prepare derivative works of Supplier Materials in conjunction with the use of the Services, Deliverable or other Work Product, and (ii) to authorize or sublicense others from time to time to do any or all of the foregoing. If the performance of a Deliverable can be impaired as a result of a defect or malfunction in Supplier Materials, then Supplier will provide (at no additional cost) Citi with the means for correcting any such defect or malfunction.

9.3 Third Party Intellectual Property. If Supplier intends to provide the Services or develop a Deliverable or other Work Product in a manner that requires Citi to use any software or other intellectual property of a third party (“Third Party Materials”) in order to use such Services, Deliverable, or other Work Product, then Supplier will (i) provide Citi with prior notice, specifying in reasonable detail, the nature of the dependency on the Third Party Materials and its owner, and (ii) arrange for Citi to obtain (for no additional cost or on such terms as may be acceptable to Citi) a perpetual, irrevocable, royalty-free, non-exclusive right and license to use the Third Party Materials in connection with Citi’s or its Affiliates’ use of the Services, Deliverables or other Work Product. Supplier agrees that it will not commence work on (or invoice Citi for any fees related to) any such Services, Deliverable or other Work Product until Citi notifies Supplier that Citi has obtained such rights in or to the Third Party Materials as Citi deems to be necessary and sufficient to enable Citi to use the Services, Deliverables or other Work Product as contemplated by this Agreement.

9.4 Work Product. Subject to the provisions set forth in Sections 9.1, 9.2 and 9.3, all Work Product resulting from the Services shall be the property of Citi and all Intellectual Property Rights in and to such Work Product shall vest exclusively in Citi to the fullest extent permitted under Applicable Law. Towards that end, Supplier agrees to maintain adequate and current records of all pertinent information and data (including notes, sketches, drawings, etc.) relating to all Work Product and to deliver such records to Citi upon Citi’s request, and Supplier will assist Citi in every proper way that may be reasonably required to secure for Citi the exclusive ownership of all Intellectual Property Rights in and to the Work Product that Citi is entitled to own pursuant to the terms of this Agreement, including executing all applications, specifications, oaths, assignments and all other instruments which Citi shall deem necessary in order to obtain and secure the Intellectual Property Rights in and to such Work Product. All Work Product that Citi is entitled to own pursuant to the terms of this Agreement shall be marked as follows: “© (year) by (Legal name of Citi or Citi Affiliate). All rights reserved”, and if any such Work Product is software, Supplier will program such software to display the foregoing legend in the opening screens produced at the initiation of any session in which such software may be accessed by a video-graphic device, as well as on such reports and print pages.

9.5 Assignment of Rights to Work Product. Supplier acknowledges that neither Supplier nor its Personnel will retain any Intellectual Property Rights in the Work Product beyond those rights expressly designated in this Section 9. To the extent any Intellectual Property Rights to any Work Product (for any reason whatsoever) do not vest in Citi by virtue of the terms of this Agreement, Supplier hereby irrevocably and unconditionally assigns, transfers and conveys to Citi (or its designee) all such Intellectual Property Rights, in and to the Work Product, and Supplier further hereby irrevocably and unconditionally agrees (if subsequently required in order to fulfill the purposes of this Section) to assign, transfer and convey (or to cause its Personnel to assign, transfer and convey) exclusively to Citi (or its

designee) all such Intellectual Property Rights, in and to such Work Product. Supplier acknowledges and agrees that: (i) any assignment made by Supplier or its Personnel in accordance with this Section 9 shall extend throughout the world, shall be in perpetuity, shall not lapse for any reason whatsoever (including Citi not exercising the rights assigned to it), and shall constitute an integral part of this Agreement, and (ii) no amount(s) shall be payable by Citi to Supplier (or its Personnel) for any such assignment, other than the amount(s) explicitly set forth in the applicable Work Order.

9.6 Supplier understands and agrees that as between the Parties, Citi is the exclusive owner of and holds and shall retain, all right, title and interest in and to Citi’s Intellectual Property Rights and Supplier shall have no ownership or use rights therein except as expressly set forth in this Agreement.

10. TRAINING

10.1 If training is required in order to properly use the Services, the Deliverables or any information or materials provided to Citi in connection with this Agreement, Supplier will provide on-site training for all users designated by Citi’s Project Manager, at times agreed to by the Parties. All initial training by Supplier in the proper use of the Services, Deliverables or any information or materials provided to Citi in connection with this Agreement, shall be at no additional charge, unless a fee for such training is specified in the Work Order. Supplier agrees to provide [***********************************************] per Contract Year of onsite training in project management and process improvement at a time and schedule mutually agreed upon.

10.2 Supplier in conjunction with Citi Project Manager or other Personnel designated by Citi will develop a Citi-specific training program for Supplier Personnel tailored to the specific needs of each Citi sector to which the Services relate.

11. FEES, PAYMENT AND TAXES

11.1 Service Fees. The fees to be paid by Citi for Services or Deliverables properly provided by Supplier pursuant to this Agreement (“Service Fees”) are set forth in the applicable Work Order and are based on the rate card attached hereto as Appendix 11.1 (Schedule of Supplier’s Time and Material Rates), as such rate card may be adjusted in accordance with Section 11.3 (Pricing Adjustments). Citi will not be liable to Supplier for payment of any fees or expenses related to the Services that are not expressly set forth in a Work Order. Citi will not be charged any fees for any service or product (including software) that may be activated, installed or provided to Citi, its Affiliates or its or their Personnel that is not set forth on a duly-executed Work Order. For purposes of clarification, whether through use of a software key, a “click-through” or “opt-in” election or otherwise, such activation by Personnel of Citi or its Affiliates shall be of no force or effect for purposes of determining whether any services or products (including software) have been ordered by Citi or its Affiliates.

11.1.1 Pricing Adjustments. Following the receipt of a Rate Card Benchmarking Report, [*******************************************************************]. If a Rate Card Benchmarking Report is not delivered in 2015 or in any successive odd Contract Year, then, at least sixty (60) days prior to the end of such Contract Year, Supplier may

request Citi’s consent to increase Supplier’s rates for the succeeding Contract Year by no more than the lesser of: (i) the [*********] applicable to the country in which the Service are provided; and (ii) the [****************************************************]. In addition, if the Parties agree to a fee schedule covering certain services for a specified period (which fee schedule will be attached hereto as part of Appendix 11.1 (Schedule of Supplier’s Time and Material Rates)), then such fee schedule will apply to the purchasing of Services by Citi or an Affiliate for the period specified, unaffected by Supplier’s rate increases. The following country specific Agreed Annual Caps and Price Indices have been agreed upon by the Parties.

11.1.2 For all Services provided by or on behalf of Supplier within the United States or any other country for which an Agreed Annual Cap has not been expressly agreed upon by the Parties hereby or by means of an amendment to the Agreement, the [***************]. For all Services provided by or on behalf of Supplier within the United States or any other country for which a Price Index has not been expressly agreed upon by the Parties hereby or by means of an amendment to the Agreement, the Price Index is the Consumer Price Index for All Urban Consumers (CPI-U) Published by: The Bureau of Labor Statistics.

11.1.3 For all Services provided by or on behalf of Supplier within [*****], the [*************] and the Pricing Index is the CPI IW published by the Govt. of India, Labour Bureau (base year 2001), as available at labourbureau.nic.in.

11.2 Professional Day.

Unless explicitly specified in an applicable Work Order, the following Sections 11.2.1, 11.2.2, 11.2.3, 11.2.4 and 11.2.5 will apply:

11.2.1 If Supplier is to be compensated for its Services on a time and materials basis, Supplier shall be compensated on the basis of the “Professional Day” (consisting of eight (8) working hours, exclusive of time required for personal breaks and meals) calculated according to Sections 11.2.2, 11.2.3, and 11.2.4.

11.2.2 Subject to Sections 11.2.3 and 11.2.4, in consideration of Supplier’s providing Services under a Work Order for eight (8) hours or more on any calendar day (including, but not limited to, weekends and holidays), Citi will pay Supplier therefor the amount described in such Work Order as the amount for a Professional Day (the “Professional Day Amount”).

11.2.3 Citi shall not pay Supplier more than the Professional Day Amount in consideration of Supplier’s providing Services under a Work Order on any calendar day (including, but not limited to, weekends and holidays) unless Supplier so performs for more than [***********] during such day and Citi agrees in writing (before Supplier begins to so perform during any time that exceeds such [*************] that it will pay more than the Professional Day Amount therefor, with the rate of such payment calculated by dividing the Professional Day Amount by [******].

11.2.4 In the event that Supplier performs Services under a Work Order on any calendar day (including, but not limited to, weekends and holidays) for less than [******], Citi will pay Supplier an amount determined by multiplying the number of full (but not partial) hours during such day during which Supplier so performs by the number determined by dividing the Professional Day Amount by eight. Without limiting the foregoing, Supplier shall not bill for resources idled or unutilized as a result of connectivity failure (unless such connectivity failure is solely the fault of Citi).

11.2.5 Citi shall not be required to pay Supplier for more than forty (40) hours of Services under any Work Order in any calendar week (including, but not limited to, weekends and holidays) unless Supplier so performs for more than [*********] during such week and Citi agrees in writing (before Supplier begins to so perform during any time that exceeds such [*********] to pay for more than such [********], in which case such excess hours worked will be billed at straight time (not overtime) rates.

11.2.6 With respect to Service Fees, Supplier agrees that at no time shall any more than (a) [*************] of the total number of Supplier Personnel providing Services under all Work Orders be charged to Citi [********************] set forth on Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) (the [*******]), and at no time shall any more [***********] of the total number of such Supplier Personnel be charged to Citi at the Specialty Rates. Supplier shall provide Citi with a report setting forth the actual number of Supplier Personnel in each Service Fee or rate category by no later than five (5) business days following the end of each calendar month. In the event Supplier [**************] set forth in this Section 11.2.6, Supplier shall promptly [*********************] Service Fees required to render Supplier [**********************]. At no time shall Citi [*************************************].

11.2.7 Notwithstanding anything to the contrary set out elsewhere in the Agreement, Citi hereby agrees that the Supplier Personnel listed in Appendix 11.2.7 (“Legacy Resources”) are subject to rates above the standard rates or Specialty Rates set forth on Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and [**************************]. For the avoidance of doubt, Citi hereby agrees that Supplier is entitled to continue to charge rates for the Legacy Resources over and above the rates set out in Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) for Existing Work Orders and Staff Augmentation Services. Additionally, prior to the renewal or extension of a Legacy Resource or a Work Order covering Services performed by one or more Legacy Resources, Supplier shall provide the Citi Project Manager with a proposal for replacing the Legacy Resource, eliminating Citi’s dependency on such Legacy Resource. If such proposal is rejected by the Citi Project Manager, Supplier shall provide evidence of such proposal and rejection to the Citi Supplier Manager, Resource and Location Relationship Manager or the Director of the Global Staffing office in order to obtain express written approval to extend or renew such Legacy Resource or Work Order covering Services performed by one or more Legacy Resources. Where applicable, Legacy Resources shall be identified as such in a Work Order. Once a Legacy Resource has lost its status as a Legacy Resource, such Legacy Resource may not revert back to Legacy Resource status thereafter. Within ten (10) Business Days following the end of each month, Supplier shall provide Citi managers designated by Citi a report setting forth the names of all of the then-current Legacy Resources and their SOEID, assigned Project names and applicable rates, and for any new or extended Legacy Resources, evidence of approval must be provided. For the avoidance of doubt, nothing in this Section 11.2.7 shall be deemed to limit, restrict or otherwise modify Citi’s rights under Section 4.6 (Replacement of Supplier Personnel).

11.2.8 From time to time, the Parties may agree to exclude certain Supplier Personnel whose rates are above the standard rates or Specialty Rates set forth on Appendix 11.1 (Schedule of Supplier’s Time and Material Rates) and who are not Legacy Resources from the determination of Supplier’s compliance with the [******]. Within ten (10) Business Days

following the end of each month, Supplier shall provide Citi managers designated by Citi a report setting forth the names of all of the then-current Supplier Personnel subject to this Section 11.2.8 and their SOEID, assigned Project names and applicable rates.

11.2.9 Supplier Personnel who provide Staff Augmentation Services to Citi [***************************] shall be billable [****************************]. By way of example only, a Supplier Personnel whose Home Country is India and who is assigned to perform Staff Augmentation Services in the United States for [********************************************************************].

11.3 Taxes.

11.3.1 Supplier shall be responsible for the remittance to the appropriate governmental authority of all taxes, levies, duties, assessments and deductions of any nature required by Applicable Law in connection with the provision or use of the Services or Deliverables (hereinafter, collectively referred to as “Taxes”), to the extent Supplier is required to pay any such Taxes under Applicable Law. Supplier shall include and itemize any such Taxes in any applicable invoice for the Services or Deliverables to which such Taxes pertain. Supplier shall promptly forward to the appropriate governmental authorities all such Taxes collected from Citi, as required by Applicable Law. Taxes may only be charged to Citi on production of a valid invoice issued by Supplier. Where allowable, Supplier shall not charge or recharge Citi for any Tax that is a value-added tax (commonly referred to as “VAT”) incurred by Supplier or its Affiliates if such Tax could have been recovered by Supplier or its Affiliates. Upon Citi’s request Supplier agrees to provide adequate documentation to support any such Tax charges.

11.3.2 Supplier shall identify, in any Work Order, any other Taxes required by Applicable Law in connection with the provision of any Services. In addition, Supplier will notify Citi in a timely manner if Supplier will not invoice for, nor collect and remit any Taxes in accordance with the first paragraph of this Section 11.3; provided, however, that such notice shall not be required under circumstances where the Parties have previously agreed in writing that Citi shall self-assess and directly pay to the appropriate governmental authorities such Taxes. (In such event, upon request from Supplier, Citi will make available to Supplier a copy of a direct pay or exemption certificate for the applicable governmental authority.) Supplier agrees to reimburse Citi for any and all liability, fee, penalty, interest, deduction or cost or expense that may be assessed against, or incurred by, Citi, as a result of Supplier’s failure to remit or notify Citi of Taxes in accordance with this Section. In addition, if Supplier fails to provide Citi with timely notice of any audit that could result in an increase in the amount of Taxes assessed hereunder, then Citi shall not be required to pay any additional Taxes assessed as a result of such audit.

11.3.3 If Citi is required to withhold and pay any withholding Tax imposed at source on any amount payable to Supplier under this Agreement, the amount of such payment shall be credited toward any amounts paid or owed by Citi to Supplier. Upon request from Supplier, Citi shall make available to Supplier evidence of any such payment. If Applicable Law applicable to Supplier requires Supplier to document such payments within a certain timeline and format to enable Supplier take credit for such taxes withheld by Citi, and Supplier has provided Citi with reasonable prior written notice of such timeline and format, Citi shall use reasonable efforts to comply with such requirements.

11.3.4 Supplier shall be solely responsible for the payment of all other Taxes incurred in connection with Supplier’s business or this Agreement, including personal property taxes, franchise taxes, corporate excise or corporate privilege, property or license taxes, all taxes relating to Supplier’s Personnel, and all taxes based on the net income or gross revenues of Supplier or that have a similar effect.

11.3.5 The Parties agree to cooperate with each other to enable each to more accurately determine its own Tax liabilities and to minimize such liabilities to the extent legally permissible.

11.4 Expenses.

11.4.1 Supplier will only be reimbursed for expenses incurred that are reasonable, warranted and cost effective, and that have been approved in advance by Citi or any Citi-designated Project Manager. Unless agreed otherwise in writing, all approved expenses and pass-through charges will be reimbursed at cost (as actually incurred), without mark-up. Supplier shall submit to Citi copies of receipts for all Citi-approved expenses for which Supplier seeks reimbursement.

11.4.2 Supplier acknowledges it is being retained because of its expertise. Accordingly, Supplier will not request payment or reimbursement for time spent educating Supplier’s Personnel, for any costs or fees associated with training Supplier’s Personnel (including time required for orientation of replacement Personnel), or for any third party assessments or certifications, whether or not requested by Citi. Supplier will not request payment for any charges reflecting duplication of services or costs (including more than one of Supplier’s Personnel attending the same meeting, or conversations among Supplier’s Personnel), unless such duplication is essential for Supplier’s proper performance of its obligations. Further, Supplier will not be reimbursed for charges incurred for or by its support staff, for any overhead items, or for the time spent preparing invoices.

11.4.3 Supplier Personnel who are assigned by Supplier to provide Services on a time and materials basis under this [***************************************************] for (i) [********************************], (ii) [**********************************]. The [*********************], and such Supplier Personnel may submit expenses for such costs incurred, if such Personnel are asked by Citi to travel to Citi or Supplier locations [******************************************] association with their engagement hereunder. Except as otherwise provided in this Agreement or a Work Order, each Party is fully and solely responsible for its own expenses.

11.5 Terms of Payment. No amount arising under this Agreement shall be due from Citi prior to Citi’s receipt of a fully executed copy of the applicable Work Order, and Citi’s receipt of an invoice in a format approved by Citi, which shall include: (i) a reference to this Master Agreement and the applicable Work Order, (ii) separately itemized charges for the Services, Deliverables or other items covered therein, with reasonable detail describing the basis for the charges, (iii) copies of receipts or other documentation supporting charges for expenses or taxes, and (iv) all other data reasonably required by Citi. Unless otherwise specified in a Work Order, Supplier may only invoice Citi for charges payable as follows: (x) for fixed fee Services (1) where Acceptance testing is applicable, upon Acceptance of Services, Deliverables and of any applicable information or materials, and (2) where Acceptance testing is not applicable, following satisfactory completion of all Services, and (y) for time and materials Services, (1) where Acceptance testing is applicable, following Acceptance of

the Services and of any other applicable information or materials or (2) where Acceptance testing is not applicable, monthly in arrears for time and materials related to the Services rendered by Supplier Personnel during the prior month under such Work Order. All invoices and the related underlying data (including, without limitation, time-accounting data) shall be submitted to Citi at the billing address designated on the applicable Work Order and, to the extent requested by Citi, electronically in a data format specified by Citi. Supplier agrees to render invoices in alternate currencies for Services arising under any given Work Order following receipt of request from Citi. Each properly and accurately prepared invoice shall be payable within thirty (30) days after its receipt by Citi. Supplier specifically covenants that it will not use any methods of electronic repossession for any reason. Unless otherwise expressly specified in the applicable Work Order, all references to payments or credits in this Agreement refer to payments or credits in United States dollars. Notwithstanding anything to the contrary set forth herein, if Supplier’s compensation for Services is based on a time and materials rate structure, Supplier will have all of its Personnel complete and submit (through a Citi NEMS) each of their timesheets for approval within thirty (30) days following the first day of the period to be covered by such timesheet; and Supplier hereby waives all rights to demand or receive payment from Citi for any Services for which time/hours worked was not submitted for approval via a Citi NEMS within such thirty (30) day period; provided, however, that the thirty (30) day period will be extended for so long as any systems or other failures of Citi prevent Supplier Personnel from entering such timesheets. Citi shall use commercially reasonable efforts to approve properly submitted timesheets within thirty (30) days of submission. Citi will not be liable for any interest or other late fees or past due invoices. Supplier specifically covenants that it will not use any method of electronic repossession for any reason. Supplier shall ensure that Supplier has rendered invoices and provided same to Citi for all Services performed during any calendar year by no later than January 8 of the following year. Supplier expressly acknowledges and agrees that, notwithstanding anything to the contrary in this Agreement, Citi shall have no liability for payment to Supplier of any invoices not so received by Citi pursuant to the preceding sentence.

11.6 Disputed Invoices. Upon notice to Supplier, Citi may withhold payment of any fees and charges on Supplier’s invoice(s) that Citi reasonably disputes. Pending settlement or resolution of the dispute, which the Parties shall negotiate in good faith to resolve, Citi’s non-payment of such disputed items shall not constitute default by Citi and shall not entitle Supplier to suspend or delay its provision of Services, Deliverables or of any information or materials.

11.7 Transaction Information. For three (3) years after an invoice has been paid, Supplier will maintain and (upon Citi’s reasonable request) make available the records necessary to substantiate the correctness of the invoice. In addition, if requested by Citi, Supplier shall make available to Citi detailed transactional information related to products and services that have been acquired by Citi and its Affiliates under this Agreement. The transactional information will be provided by Supplier in an electronic data format specified by Citi, and will include: (i) standard invoice and service attributes contained in Supplier’s systems, and (ii) sufficient details to allow Citi and its Affiliates to link the invoice and service attributes to Citi’s invoice payment.

11.8 Premium Fee Adjustment.

11.8.1 If the Services require, Supplier may request and Citi may undertake, if agreed to in writing, to pay a premium (hereinafter referred to as “Premium Fee Adjustment”) over and above the rates set forth on Appendix 11.1 (Schedule of Supplier’s Time and Material Rates). The Premium Fee Adjustment may be considered for an individual, who must be identified by name, and possess certain required skills, which are deemed Scarce Skills. For the purposes of this Section, unless otherwise specified in a Work Order, “Scarce Skills” are defined as (i) skills not widely used within the financial services industry, and (ii) skills for which none of Citi’s other vendors has over fifty (50) full-time equivalents, as determined by Citi.

11.8.2 The maximum allowable Premium Fee Adjustment for such an individual who possesses Scarce Skills is a maximum markup of [***********] (unless otherwise agreed in writing by Citi) over the otherwise applicable rate set forth on Appendix 11.1 (Schedule of Supplier’s Time and Material Rates), and is payable for such individual or any qualified replacement individual only (i) if identified and agreed to in writing by and between the Parties in the executed Work Order or an amendment thereto, (ii) if the individual has at least [********] of prior work experience in the Scarce Skills area not including Citi work experience unless mutually agreed otherwise by both Parties in a Work Order, (iii) if the individual has been interviewed by the hiring Citi Project Manager, and (iv) [**********************************] Appendix 11.1 (Schedule of Supplier’s Time and Material Rates), as such rate may be adjusted in accordance with Section 11.1.1 (Pricing Adjustments). Upon [******] to the rate set forth in Appendix 11.1 (Schedule of Supplier’s Time and Material Rates), Supplier may replace the then-current individual with a qualified replacement individual.

11.9 [*********************************************************************************************** ************************************************************************************************ ************************************************************************************************ *******************************************************].

12. REPRESENTATIONS AND WARRANTIES AND COVENANTS

12.1 Authority and Non-Infringement. Supplier represents, warrants and covenants that: (i) Supplier has all rights and authority required to enter into this Agreement and each Work Order, and to provide the Services and Deliverables contemplated by this Agreement, free from all liens, claims, encumbrances, security interests and other restrictions; (ii) subject to the applicable terms and conditions of this Agreement and the applicable Work Order, Citi and its Affiliates will be entitled to use and enjoy the benefit of all Services, Deliverables and any information or materials provided to Citi in connection with this Agreement, without adverse interruption or disturbance by Supplier or by any person or entity asserting a claim under or through Supplier; and (iii) the Services, Deliverables and any information or materials provided to Citi in connection with this Agreement, and the use thereof (and the exercise of any license rights with respect thereto) by Citi or its Affiliates in accordance with the terms and conditions of this Agreement, will not infringe (whether directly, contributorily, by inducement or otherwise), misappropriate or violate the Intellectual Property Rights or other rights of any third party, or violate any Applicable Law.

12.2 Capacity and Supervision. Supplier represents and warrants that: (i) it has the ability and capacity to perform the Services pursuant to this Agreement, (ii) it has obtained any

authorizations required by Applicable Law to perform the Services and (iii) it will properly supervise the provision of the Services by its Personnel, and will adequately manage the risks associated with the Services.

12.3 Anti-Bribery, Personal Dealings and Non-Subornation.

12.3.1 Supplier represents, warrants and covenants that in connection with this Agreement neither Supplier nor any of its Personnel has made or offered to make (or will make or offer to make), directly or indirectly, any unlawful payments to or has conferred or offered to confer (or will confer or offer to confer), directly or indirectly, any benefit upon any person, including for the avoidance of doubt (i) in any country or territory, any person who holds a legislative, administrative, judicial, executive or military position of any kind (whether appointed or elected) of any federal, state, provincial or local jurisdiction or exercises a public function for any jurisdiction, public agency or public enterprise (including any officer, official, employee or agent of any government, any government-owned or government-controlled entity or any public international organization or any person acting in an official capacity for or on behalf of any government entity), or (ii) any political party, party official or candidate for public office, in violation of any anti-bribery-related Applicable Law, including the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act (UKBA). Supplier further represents, warrants and covenants that neither Supplier nor any of its Personnel has otherwise violated, or will violate, any anti-bribery-related Applicable Law, including the FCPA and the UKBA, or has made or offered to make (or will make or offer to make), directly or indirectly, any payments to or has conferred or offered to confer (or will confer or offer to confer), directly or indirectly, any benefit upon: (a) any employee, agent or fiduciary of any third party with the intent to influence the conduct of that employee, agent or fiduciary in any manner relating to this Agreement, or (b) any person (1) with the intent to induce (or to reward) the recipient or another person to do or omit to do any act in violation of his or her duties or responsibilities, to reward any conduct or to otherwise improperly influence any person in any manner relating to this Agreement, or (2) if that person’s acceptance of a payment or benefit would itself constitute a violation of his or her duties or responsibilities.

12.3.2 Supplier further represents, warrants and covenants that no Citi Personnel or any of their immediate family members has received or will receive, directly or indirectly, anything of value of any kind from Supplier or its Personnel in connection with this Agreement.

12.3.3 Supplier represents, warrants and covenants that Supplier will conduct its business on behalf of Citi in compliance with this Section 12.3 and with Citi’s Anti-Bribery and Corruption Program statement provided by Citi to Supplier, and any and all other Citi anti-bribery and corruption statements, programs, policies and standards that Citi has in effect or may put into effect and which have been provided to or otherwise made available to Supplier (including through any Citi external website).

12.4 Conformity to Acceptance Criteria; Absence of Defects. Supplier represents, warrants and covenants that throughout the applicable warranty period, each Deliverable will conform to the Acceptance Criteria. If Supplier receives notice of a Defect during the warranty period, then Supplier will correct the Defect as promptly as possible and, in any event, within ten (10) Business Days of receiving such notice, at no additional charge. If Supplier is unable or unwilling to correct a Defect that has been identified during the warranty period, then Citi may terminate the applicable Work Order (in whole or in part) upon notice to Supplier, with no payment of Exit Fees. Unless otherwise specified on the

Work Order, the warranty period for purposes of Deliverable performance shall be six (6) months from the date Citi accepts the Deliverable. In addition, unless specified otherwise in a Work Order, after a Defect has been corrected by Supplier and the corrected Deliverable has been delivered to Citi, the applicable warranty period for such Deliverables will be extended to the extent required by Supplier to correct the Defect to ensure Citi has at least ninety (90) days of warranty coverage following the date that Supplier provided to Citi the corrected Deliverable. Supplier’s responsibilities include, but are not limited to:

(a) Communicating Defects to Citi’s Project Manager and updating Citi’s Project Manager on the status immediately upon occurrence;

(b) Correcting Defects which occur during the warranty period, and providing appropriate documentation for such corrections to Citi, on a mutually acceptable schedule, in accordance with the Change Control Procedures and release management processes; and

(c) Correcting all Severity One (1) or Severity Two (2) problems which are attributable to Supplier that occur during the warranty period as directed by Citi, and providing appropriate documentation for such corrections produced and delivered to Citi, in accordance with the Change Control Procedures and release management processes.

12.5 Standard of Service. Supplier represents, warrants and covenants that: (i) the Services, Deliverables and any information or materials provided to Citi in connection with this Agreement will be provided in a timely and professional manner, by qualified and skilled individuals with appropriate expertise, and in conformity with Section 6.4 (Performance of Work), the standards generally accepted in Supplier’s industry and the financial services industry, and (ii) the Services will conform to the Services description set forth in this Agreement, including any applicable Work Orders. If Supplier fails to provide the Services at the level described in this Agreement, then such failure is deemed a material breach of this Agreement. If Supplier is unable or unwilling to re-perform the Services as warranted, then Supplier shall issue to Citi, in addition to all other remedies at law or in equity available to Citi, a credit in an amount equal to the fees paid to Supplier for the deficient Services.

12.6 Supplier’s Personnel Policies. Supplier represents, warrants and covenants that it maintains and effectively administers comprehensive policies and procedures for qualifying its Personnel who are natural persons and are assigned to provide Services for Citi, and that such policies and procedures include work authorization verification, background checks of such Personnel’s education, employment history, and criminal convictions (using passport), and pre-employment drug testing. Supplier further represents, warrants and covenants that (i) through its personnel policies and procedures, it endeavors to employ the best qualified candidates with appropriate character and honesty; and (ii) it has established and effectively administers ongoing controls and procedures to ensure Supplier’s full compliance with all immigration-related Applicable Law, including validating that all Supplier Personnel assigned to Citi are authorized to work throughout the assignment in full compliance with all immigration-related Applicable Law. Upon request, Supplier will promptly provide Citi with written evidence of work authorization for any or all of Supplier Personnel assigned to Citi and its compliance with immigration-related Applicable Law. With respect to its Personnel assigned to Citi within the United States:

12.6.1 Supplier further represents, warrants and covenants that: (i) it is in compliance, and will remain in compliance, with the Immigration Reform and Control Act of 1986 (IRCA); (ii) it maintains and effectively administers comprehensive policies and procedures to comply with Form I-9 - Employment Eligibility Verification for its Personnel; and (iii) its Personnel providing Services from a location within the United States are providing Services in compliance with the Immigration and Nationality Act of 1952, as amended, including without limitation, IRCA, the L-1 (Intracompany Transferee) Reform Act of 2004, and the H-1B Visa Reform Act of 2004, all applicable regulations and requirements of U.S. Department of Homeland Security, U.S. Department of Labor, and U.S. Department of State, and any other immigration-related Applicable Law; and (iv) its Personnel providing Services from a location within the United States do not or will not hold B-1 or B-2 non-immigrant status or participate in the U.S. Visa Waiver Program in connection with the provision of Services;

12.6.2 Supplier agrees to execute and provide to Citi the Work Authorization Attestation attached as Appendix 12.6.2 prior to any one of its Personnel providing Services at any Citi office located in the Unite d States; and

12.6.3 In the event that any of Supplier Personnel providing Services from a location within the United States are in breach of this Section 9.5, Supplier, at its sole cost and expense, will: (i) immediately remove those Personnel; (ii) promptly provide replacement Personnel with equal or better skills as the Personnel that has been removed; (iii) promptly provide all training to replacement Personnel (at no cost or charge to Citi) to enable the replacement Personnel to provide Services required under the applicable Work Order; and (iv) following completion of all required training, provide one (1) month of replacement Personnel Services under the applicable Work Order at no cost or charge to Citi.

12.7 Disabling Devices. Supplier represents, warrants and covenants that it will use reasonable efforts: (i) to eliminate, in any computer systems it uses to exchange software or other data electronically with Citi or its customers, any computer code designed to damage, disrupt, disable, harm, or otherwise impede in any manner, the orderly operation of any software, data files, firmware, hardware, computer system or network (“Virus”) and (ii) to ensure, during the writing, execution and copying of any Software delivered in connection with this Agreement, that such Software is free from any Virus, with such reasonable efforts including testing, prior to delivery, any Software and any media on which it is to be delivered with a current version of a leading anti-virus application. Supplier further represents, warrants and covenants that the Software shall not contain any computer code or any other procedures, routines or mechanisms designed: (x) to disrupt, disable, harm or impair in any way the Software’s (or any other software’s) orderly operation based on the elapsing of a period of time, exceeding an authorized number of copies, or advancement to a particular date or any other measure (sometimes referred to as “time bombs”, “time locks”, or “drop dead” devices), (y) to cause the Software to damage or corrupt any of Citi’s or its Affiliates’ (or their respective customers’) data, storage media, programs, equipment or communications, or otherwise interfere with Citi’s or its Affiliates’ operations, or (z) to permit Supplier, its Personnel, its licensors or any other third party to track or monitor usage of the Software or Citi’s Systems or to otherwise access the Software (or Citi’s Systems) for any reason (sometimes referred to as “traps”, “access codes” or “trap door” devices). Supplier will not unilaterally (i.e., without appropriate judicial order) remove, deinstall, repossess, modify, delete, damage, deactivate, disable, or interfere with the Software for any reason (including a dispute relating to this Agreement).

12.8 Open Source. Except to the extent expressly disclosed on the applicable Work Order, Supplier represents, warrants and covenants that the Deliverables or Software: (i) do not contain any Open Source Code, and (ii) will not require the use of any Open Source Code in order to function in its intended fashion. In addition, Supplier represents, warrants and covenants that the Deliverables or Software are not licensed under any terms otherwise subjecting Citi or its Affiliates to any obligations not expressly set forth in this Agreement. Supplier further represents, warrants and covenants that it will not, via an update, upgrade or otherwise, incorporate any Open Source Code into any version of the Deliverable or Software to be installed on Citi’s Systems without Citi’s prior written consent in each instance. “Open Source Code” means any software licensed under an agreement that requires Citi to do any of the following as a condition of use, modification, or distribution either of the software itself or of other software incorporated into, derived from, or distributed with the licensed software (each an “OSS Program”): (a) make available any source code, object code, or design information regarding an OSS Program; (b) grant any permission to create modifications to or derivative works of an OSS Program; (c) include attribution of authorship or copyright notices in connection with the use, modification, or distribution of an OSS Program; (d) replicate and distribute license terms in connection with the use, modification, or distribution of an OSS Program; or (e) grant any royalty-free licenses under Citi’s Intellectual Property Rights in and to an OSS Program. Open source licensing agreements include the GNU General Public License, the MIT License, and any other licenses listed on http://opensource.org/licenses/alphabetical (or successor URL).

12.9 No Other Components. Supplier represents, warrants and covenants that, except as expressly set forth in the Work Order, (i) no additional purchases or licenses are required for effective use of the Services; and (ii) to the extent that any Services or Deliverables are used in conjunction with a web browser, no plug-ins or non-standard browser components are required for effective use of the Services.

12.10 Disclaimer. EXCEPT FOR THE REPRESENTATIONS AND WARRANTIES EXPRESSLY SET FORTH IN THIS AGREEMENT OR ESTABLISHED BY APPLICABLE LAW AS RIGHTS THAT CANNOT BE WAIVED OR LIMITED BY CONTRACT, EACH PARTY DISCLAIMS ALL OTHER REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

13. CONFIDENTIAL INFORMATION

Supplier and Citi will each comply, and will ensure that their Personnel comply, with the obligations set forth in Appendix 13.

14. RIGHT TO AUDIT.

14.1 Record Retention. Supplier shall maintain complete and accurate accounts, books and records of and supporting documentation for all transactions both financial and non-financial, that result from or are created in Supplier’s performance of the Services. Supplier shall develop and maintain, for a period of seven (7) years or any longer period required by Applicable Law or set forth in a Work Order, up-to-date records relating to:

(a) all Services provided;

(b) financial transactions in accordance with generally accepted accounting principles applied on a consistent basis; and

and Supplier shall provide a copy of these records in hard copy and agreed electronic form to Citi at such intervals as and when reasonably requested by Citi, but at least annually.

14.2 Audit.

14.2.1 Citi, Citi’s and its Affiliates’ internal and external auditors, attorneys, accountants, and agents, and Regulators of Citi or its Affiliates (collectively, “Citi’s Audit Personnel”) shall have the right from time to time to (i) obtain access to Supplier’s books and records, data centers, Service Locations, and relevant Supplier Personnel, to enable Citi’s Audit Personnel to audit, at Citi’s sole expense, any aspects of the provision of Services by Supplier to Citi (including Supplier’s Service Locations, operating practices, policies, processes and procedures relating to the Services and the fees and charges invoiced by Supplier to Citi), including Supplier’s ability to provide the Services contemplated under this Agreement and any Work Order, (ii) conduct an audit of Supplier’s operations and business to confirm Supplier’s compliance with its confidentiality obligations under this Agreement, (iii) copy or take extracts from any records (redacted to remove references to matters other than those related to the Services), (iv) interview Supplier’s Personnel, (v) run computer programs and perform any other functions necessary for control assessment and/or investigations, and (vi) examine Supplier’s performance of its duties under this Agreement, including audits of practices and procedures, systems, applications development and maintenance procedures and practices, general controls (e.g., organizational controls, input/output controls, system modification controls, processing controls, system design controls, and access controls), Quality Plans and related quality management systems, management of any Subcontractors, and security practices and procedures, disaster recovery and back-up procedures. The scope of each audit may include, without limitation, the following: (i), (ii) Supplier’s compliance with the terms and conditions of this Agreement and all Work Orders including, without limitation, those concerning Service Levels, Section 5.1 (Policies and Procedures), Section 22 (Compliance with Law), (ii) Supplier’s Disaster Recovery Plan (as described in Section 4.10.6 (Disaster Recovery Plan)), (iii) Supplier’s information security practices, (iv) Supplier’s policies (including its legal and compliance policies), and (v) any internal and/or external audit reports regarding Supplier’s operations, controls, or financial condition, when available. The scope of audits will be determined by Citi and may extend beyond the Services environment if other Supplier resources (other systems, environmental support, recovery processes, etc.) are used, but only as and to the extent those other resources relate to the Services provided to Citi. Supplier will grant Citi’s Audit Personnel access to systems necessary to conduct an on-site or remote audit. Notwithstanding the rights and duties set forth in this Section, Supplier will provide, at any time requested by Citi, any records kept in the ordinary course of business that pertain to the Services.

14.2.2 Supplier will provide Citi’s Audit Personnel with such information, assistance and access to Supplier’s premises, employees, and documentation as is reasonable in order that they may fully and promptly carry out each audit, including by (i) providing reasonable access to Supplier Personnel books and records reasonably related to such audit, (ii) installing and operating audit software, and (iii) providing prompt and complete responses to reasonable

information requests by Citi’s Audit Personnel, as applicable; provided that Citi will permit Supplier the opportunity to deliver any information required by Citi prior to Citi carrying out any audit hereunder, which may render an audit visit unnecessary. Supplier shall also ensure that all Subcontractors will provide Citi’s Audit Personnel effective access to their premises, employees, and documentation as is reasonable to fully and promptly carry out each audit.

14.2.3 Subcontractor Audits, Records and Information. Except with respect to contracts with Subcontractors retained by Supplier solely to perform the activities described in Section 19.4 (Excluded Activities) below (and not to provide any Services or other activities contemplated under this Agreement or any Work Order), Supplier shall ensure that its contracts with its Subcontractors include provisions that permit Citi and its Regulators to have reasonable access to the books and records of each Subcontractor, as well as the right to perform audits of said Subcontractors under the same terms and conditions as described in Section 14.2 (Audits). Furthermore, Supplier will conduct regular audits of its Subcontractors no less frequently than once in each rolling 12-month period to ensure that each Subcontractor is in full compliance with the obligations and responsibilities of Supplier as contemplated in this Agreement and in any Work Order under which a Subcontractor is being used by Supplier. Supplier will provide Citi with written certification promptly after its completion of each audit required pursuant to this Section and each certification will either confirm that the Subcontractor is in full compliance or identify any and all non-compliance by the Subcontractor. Upon Citi’s request, Supplier will provide Citi with a copy of the results of each Subcontractor audit.

14.2.4 Supplier shall at no additional charge, subject to this sub-section, annually engage its service auditor to prepare a report on controls placed in operation and tests of operating effectiveness (Type II SSAE-16 SOC-1 reports) for all Services, and shall provide a copy of such report to Citi as soon as it is available, but no later than thirty (30) days prior to the end of Citi’s fiscal year. In addition, by January 31 of each year, Supplier shall provide Citi with a letter attesting (i) to the controls in place as of the most recent Type II SSAE-16 SOC-1 report, (ii) that that such controls were still in effect as of December 31 of the previous year, and (iii) that such controls were in effect as the date of issuance of the financial statements covering all or part of such year.

14.2.5 Vulnerability Assessment. If any Citi Confidential Information (as defined in Section 13 (Confidential Information)), including any Customer Data, is maintained or in any manner stored on a website or web accessible system, Supplier will disclose to Citi, which disclosure may be included in the Work Order. If Citi Confidential Information is maintained or stored by Supplier as contemplated above then, at least annually, Supplier will cooperate with Citi in the conduct of a vulnerability assessment, or “Ethical Hack”, of the system that hosts Citi’s and its Affiliates’ websites and/or information, including permitting, and releasing from liability, a third party specialist retained by Citi or its Affiliate to perform the Ethical Hack function.

14.2.6 Requirement for Notice. With the exception of the Vulnerability Assessment described in Section 14.2.5 (Vulnerability Assessment) above and as otherwise provided in this Section 14.2.6, audits conducted by Citi’s Audit Personnel under Sections 14.2.1, 14.2.2, 14.2.3 and 14.2.4 must be preceded by reasonable notice to Supplier (unless otherwise prohibited by Applicable Law), and audits are conducted at intervals deemed necessary by Citi, during normal business hours of the facilities being audited. Supplier will make its facilities,

Personnel, records and similar items available at any time without prior notice if: (i) requested by Regulators pursuant to an audit of Citi, or (ii) by Citi’s or its Affiliates’ internal or external auditors pursuant to an audit specifically investigating an incident or suspected incident posing a risk to Citi’s business or reputation.

14.3 Audit Results.

14.3.1 Following any audit or examination, Supplier will, upon Citi’s request, meet with Citi to review the audit or examination report and discuss any changes suggested by the report. If Citi’s audit or examination identifies a bona fide problem that, in Citi’s reasonable opinion, presents a material risk of breach of Supplier’s obligations (including its representations) under this Agreement, then, at Citi’s request, Supplier shall promptly correct such problem at Supplier’s cost and expense.

14.3.2 If Citi’s exercise of its rights under this Section 14 results in audit findings that any Service Fees have been overpaid by Citi, then upon receiving notice of such audit findings, the appropriate reduction will be made to the next applicable invoice(s). If such audit findings show that Citi overpaid Service Fees by five percent (5%) or greater, Supplier shall bear any commercially reasonable costs associated with such audit.

14.4 Sarbanes Oxley. At all times during the Term and continuing thereafter until the later of the completion of the audit of Citi’s financial statements or the completion and filing of Citi’s annual report, in each case for the fiscal year during which this Agreement expires and/or terminates (the “Compliance Period”), subject to Section 14.2 (Audit), Supplier shall, and shall cause any Supplier Affiliates or Subcontractors providing Services hereunder to enable Supplier to:

(a) provide Citi with a Type II SSAE-16 SOC-1 report, to enable Citi to comply with its obligations under the Sarbanes Oxley Act; and

(b) provide to Citi or its auditors and counsel on a timely basis and at Supplier’s cost, all information, reports, and other material which Citi and/or its auditors or counsel may request in order to (i) evaluate and confirm that Citi is in compliance with its obligations under the Sarbanes Oxley Act, and (ii) enable Citi’s auditors to provide the auditors’ attestation contemplated by the Sarbanes Oxley Act.

15. PUBLICITY

Supplier will not disclose the identity of Citi as a customer of Supplier or the existence, nature or terms of this Agreement (including, for purposes of clarification, any Work Order) without the prior written consent of Citi, which Citi may withhold in its sole discretion. Neither Party will use the other Party’s proprietary indicia, trademarks, service marks, trade names, logos, symbols or brand names, or otherwise refer to or identify the other Party in advertising, publicity releases, or promotional or marketing publications or correspondence to third parties without, in each case, securing the prior written consent of the other Party.

16. INDEMNITY

16.1 Infringement Indemnity.

16.1.1 Supplier will defend, hold harmless and indemnify Citi, its Affiliates and their Personnel (collectively, the “Citi Indemnitees”) from and against any and all losses, claims,

liabilities, costs and expenses (including taxes, fees, fines, penalties, interest, reasonable expenses of investigation and attorneys’ fees and disbursements) as incurred (collectively “Damages”) arising out of, or relating to, a claim by a third party that the Services, the Deliverables or any other information or materials being provided, directly or indirectly, by Supplier, or that the Citi Indemnitee’s use thereof or exercise of any license rights related thereto, infringes (whether directly, contributorily, by inducement or otherwise), misappropriates or violates such third party’s Intellectual Property Rights or other rights, provided that Supplier shall not have any liability to Citi under this Section 16.1.1 to the extent that any infringement or claim thereof is attributable to: (i) the combination, operation or use of such materials with equipment, software or other materials not supplied by Supplier or contemplated under the applicable Work Order where, but for such combination, such materials would not themselves be infringing, (ii) or (iii) modifications of such materials by Citi, its designees or anyone else other than Supplier or its designees without authorization by Supplier where, but for such modifications, such materials would not have been infringing.

16.1.2 Citi will defend, hold harmless and indemnify Supplier, its Affiliates and their Personnel (collectively, the “Supplier Indemnitees,” and, together with the Citi Indemnitees, the “Indemnitees”) from and against any and all Damages arising out of, or relating to, a claim by a third party that the use of any materials provided by Citi to Supplier for use in the provision of the Services pursuant to this Agreement infringes (whether directly, contributorily, by inducement or otherwise), misappropriates or violates such third party’s Intellectual Property Rights or other rights, provided that Citi shall not have any liability to Supplier under this Section to the extent that any infringement or claim thereof is attributable to: (i) the combination, operation or use of such materials with equipment, software or other materials not supplied by Citi where, but for such combination, such materials would not themselves be infringing, (ii) use of such materials in a manner not authorized by Citi or (iii) modifications of such materials by Supplier, its designees or anyone else other than Citi or its designees where, but for such modifications, such materials would not have been infringing.

16.1.3 If Citi is prohibited from using the Services or Work Product, or any part thereof, as a result of, or in connection with, any claim or cause of action contemplated by the indemnity set forth in Section 16.1.1, then, in addition to any other rights or remedies Citi may have, at law or in equity, Citi may permit Supplier to promptly take the following actions, at Supplier’s sole expense and in the following order of precedence: (i) procure for Citi the right to continue using the infringing item, or (ii) modify the infringing item so that it becomes non-infringing or replace the infringing item with a non-infringing item, provided that the non-infringing item: (x) has equivalent functionality and performance as the infringing item, (y) yields substantially equivalent results as the infringing item, and (z) is compatible with Citi’s existing operating system and hardware platforms. If, within a reasonable period of time, Supplier has not so procured the non-infringing item, or modified or replaced the infringing item, Citi may, by notice to Supplier, terminate the applicable Work Order, in whole or in part, without payment of any Exit Fees, and return the infringing item to Supplier, and Supplier shall promptly refund to Citi all amounts paid under the terminated Work Order, or the portion of such amount attributable to the terminated portion thereof, as the case may be.

16.2 General Indemnity. Supplier will defend, hold harmless and indemnify the Citi Indemnitees from and against any and all third-party claims for Damages arising out of, or relating to:

16.2.1 any claim by any Subcontractor or independent contractor of Supplier or by any Personnel of Supplier, in each case in connection with or arising from such person’s or entity’s role as Subcontractor, contractor or Personnel of Supplier, including (as an example) any claim alleging that any Citi Indemnitee should be deemed the “employer” or “joint employer” of any of Supplier’s Personnel;

16.2.2 any breach by Supplier (or its Personnel) of any of the obligations assumed under, or the representations, warranties or covenants provided in, Sections 3.4 (Required Consents), 12.7 (Disabling Devices), 13 (Confidential Information) and 27 (Soliciting for Hire) of this Agreement;

16.2.3 any gross negligence or willful misconduct of Supplier or its Personnel;

16.2.4 any act or omission by Supplier that results in personal injury or death, or damage to property;

16.2.5 any act or omission that violates any Data Privacy Law; or

16.2.6 any inadequacy in the facilities and the physical and data security controls at any Service Location.

16.3 Indemnification Procedures. If an Indemnitee seeks indemnification under this Agreement, the Indemnitee will: (i) give prompt notice to Supplier concerning the existence of the indemnifiable event, (ii) grant authority to Supplier to defend or settle any related action or claim, and (iii) provide, at Supplier’s expense, such information, cooperation and assistance to Supplier as may be reasonably necessary for Supplier to defend or settle the claim or action. An Indemnitee’s failure to give prompt notice shall not constitute a waiver of the Indemnitee’s right to indemnification and shall affect Supplier’s indemnification obligations only to the extent that Supplier’s rights are materially prejudiced by such failure or delay. Notwithstanding anything to the contrary set forth herein, (i) an Indemnitee may participate, at its own expense, in any defense and settlement directly or through counsel of its choice, and (ii) Supplier will not enter into any settlement agreement on terms that would diminish the rights provided to the Indemnitee or increase the obligations assumed by the Indemnitee under this Agreement, without the prior written consent of the Indemnitee. If Supplier elects not to defend any claim as is required under this Agreement, the Indemnitee will have the right to defend or settle the claim as it may deem appropriate, at the cost and expense of Supplier, and Supplier will promptly reimburse the Indemnitee for all costs, expenses, settlement amounts and other Damages.

16.4 Notification of Third Party Claims. Supplier will promptly notify Citi concerning any threat, warning, claim or action against Supplier or its customers or suppliers, that could have an adverse impact on Citi’s use of any Services or Deliverable provided or made available to Citi pursuant to this Agreement.

17. INSURANCE REQUIREMENTS

17.1 Required Coverage. During the Term and for so long as any Work Order has not yet expired or been terminated, Supplier will maintain, at its own expense, insurance coverage with limits of no less than those set forth below, and with insurers with a minimum A.M.

Best Financial Strength rating of “A- (Excellent)” and Financial Size rating of “VII”, or equivalent ratings from other valid rating agencies and under forms of policies satisfactory to Citi.

17.1.1 Professional Liability Insurance (“Errors and Omissions” or “E&O”) in the minimum amount of $2,000,000 per occurrence, covering losses from any act, errors, omissions, negligence, breach of contract and/or misrepresentations related to Supplier’s obligations under this Agreement. E&O insurance must be maintained for (a) so long as this Agreement is in effect (or a longer period if any Work Order has not yet expired or been terminated) and (b) for a period of two (2) years after the later of (i) the date this Agreement is terminated and (ii) the date on which all Work Orders have expired or been terminated. Additionally, Supplier will maintain Technology E&O insurance including coverage for loss or disclosure of electronic data, media and contents rights, software copyright infringement and, network security failure, and Privacy and Network Security/Cyber Liability insurance including coverage providing protection against liability for (1) systems attacks, (2) denial or loss of service, (3) attacks or spread of malicious software code, (4) unauthorized access and use of Citi’s Systems, and (5) liability arising from the loss of disclosure of confidential electronic data.

17.1.2 Fidelity/Crime Insurance in the minimum amount of $2,000,000 per occurrence providing coverage for any loss sustained by Citi or an Affiliate as a result of any dishonest act by Supplier’s Personnel (whether acting alone or in collusion with others), including but not limited to theft, forgery, alteration, or transfer of funds (electronically or otherwise). Such insurance must cover (i) property of Supplier, (ii) property of others, which Supplier holds in its care, custody and control, and (iii) property of others for which Supplier is legally liable.

17.1.3 Commercial General Liability including broad form contractual liability and personal injury endorsement, providing coverage against liability for bodily injury, death, and property damages in the minimum amount of $1,000,000 per occurrence and no less than $2,000,000 annual aggregate.

17.1.4 Automobile Liability in the minimum amount of $1,000,000 Combined Single Limit per occurrence for bodily injury and property damage (covering owned, non-owned and hired vehicles).

17.1.5 Workers Compensation insurance covering Supplier’s employees pursuant to Applicable Law and at the statutory limits required for each such state, and Employers Liability coverage in the minimum amount of $1,000,000 per loss.

17.1.6 Privacy and Network Security (sometimes also known as Cyber Liability) in a minimum amount of $2,000,000 per occurrence providing protection against liability for (i) systems attacks, (ii) denial or loss of service attacks, (iii) spread of malicious software code, (iv) unauthorized access and use of computer systems, and (v) liability arising from the loss or disclosure of confidential electronic data.

17.1.7 Umbrella/Excess Liability providing excess liability coverage in the minimum amount of $5,000,000 per occurrence, to supplement the primary coverage limits for Commercial General Liability, Automobile Liability and Employers Liability provided under the policies listed above.

17.2 Certificates of Insurance. Within ten (10) days following the Effective Date of this Agreement and annually thereafter, Supplier will provide Certificates of Insurance,

evidencing that the policies required in Section 17.1, are in full force and effect. Each Certificate shall provide that the issuing insurance company shall provide Supplier with no less than thirty (30) days written notice prior to any cancellation, termination, or material alteration of the policy. Supplier shall provide Citi with no less than thirty (30) days written notice prior to any cancellation, termination, or material alteration of any policy. In addition, each policy required pursuant to Sections 17.1.3, 17.1.4, 17.1.5 (Employers Liability only) and 17.1.7 shall name Citi, its Affiliates and their assignees as an additional insured party. Each policy required pursuant to Sections 17.1.2, 17.1.6 and 17.1.7 shall name Citi, its Affiliates and their assignees as loss payees.

17.3 No Limitation. The requirements set forth above as to types, limits and approval of insurance coverage to be maintained by Supplier will not in any manner limit the liabilities and obligations assumed by Supplier under this Agreement.

18. LIMITATION OF LIABILITY

EXCEPT TO THE EXTENT OTHERWISE EXPRESSLY PROVIDED IN THIS SECTION, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY (OR TO ANY PERSON OR ENTITY CLAIMING THROUGH THE OTHER PARTY) FOR LOST PROFITS OR FOR SPECIAL, INCIDENTAL, INDIRECT, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR IN ANY MANNER CONNECTED WITH THIS AGREEMENT OR THE SUBJECT MATTER HEREOF, REGARDLESS OF THE FORM OF ACTION AND WHETHER OR NOT SUCH PARTY HAS BEEN INFORMED OF, OR OTHERWISE MIGHT HAVE ANTICIPATED, THE POSSIBILITY OF SUCH DAMAGES.

EXCEPT TO THE EXTENT OTHERWISE EXPRESSLY PROVIDED IN THIS SECTION, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY (OR TO ANY PERSON OR ENTITY CLAIMING THROUGH THE OTHER PARTY) FOR DIRECT DAMAGES IN CONNECTION WITH [**********************************************************]. FOR ALL CLAIMS ARISING IN THE FIRST CONTRACT YEAR, THE AMOUNT IN THE PRECEDING SENTENCE SHALL EQUAL [*****************************************].

THE LIMITATIONS OF LIABILITY SET FORTH IN THIS AGREEMENT SHALL NOT APPLY TO DAMAGES (i) RESULTING FROM THE GROSS NEGLIGENCE, OR THE WILLFUL OR INTENTIONAL MISCONDUCT OF A PARTY OR ITS PERSONNEL, (ii) STEMMING FROM PERSONAL INJURY, DEATH, OR PROPERTY DAMAGE CAUSED BY A PARTY OR ITS PERSONNEL, (iii) ARISING FROM CLAIMS FOR WHICH EITHER PARTY HAS AGREED TO INDEMNIFY THE OTHER PARTY PURSUANT TO THE PROVISIONS OF THIS AGREEMENT, (iv) ARISING FROM EITHER PARTY’S BREACH OF ITS OBLIGATIONS PURSUANT TO SECTION 13 (CONFIDENTIAL INFORMATION), OR (v) ARISING FROM ANY VIOLATION OF ANY APPLICABLE LAW INCLUDING, BUT NOT LIMITED TO, ANY DATA PRIVACY LAW.

19. SUPPLIER AFFILIATES AND SUBCONTRACTORS

19.1 From time to time, the Parties may specify in a Work Order that Services shall be performed under such Work Order by a Supplier Affiliate, or a Supplier Affiliate may be a party to a Work Order. If a Work Order specifies that the Services will be performed by a

Supplier Affiliate, or if a Supplier Affiliate is a party to a Work Order, such Affiliate shall be treated as the “Supplier” with respect to such Work Order. Polaris Consulting & Services Ltd shall ensure the performance of all of such Supplier Affiliate’s obligations hereunder, and shall accept liability for any and all acts or omissions of such Affiliate, as though such obligations, acts and omissions were those of Polaris Consulting & Services Ltd. In the event of any failure by such Supplier Affiliate to perform its obligations hereunder, or any acts or omissions giving rise to a claim, Polaris Consulting & Services Ltd agrees that Citi may look to Polaris Consulting & Services Ltd for recourse before making, and without having to make, any demand to such Affiliate in connection with any such failure or claim. In providing Services under a Work Order, such Supplier Affiliate shall comply with all of Supplier’s obligations under this Agreement, including those set forth in Sections 4.10.6 (Continuity of Business and Disaster Recovery Plans), 5.1 (Policies and Procedures), 5.4 (Equipment and Network Security), 13 (Confidential Information) and 22 (Compliance with Law).

19.2 Supplier will not use a Subcontractor (including Supplier Affiliates) to perform Supplier’s obligations under this Agreement without obtaining Citi’s prior written approval. Citi’s approval of a Subcontractor shall not constitute a waiver of any rights Citi may have based on Supplier’s representations and warranties. Furthermore, Citi’s approval of a Subcontractor for a particular Work Order will not be deemed to be approval for use of that Subcontractor for any other Work Order. Supplier will be fully responsible for all acts and omissions of its Subcontractors and for any failure of its Subcontractors to comply with all applicable obligations and responsibilities of Supplier under this Agreement and any applicable Work Orders. If Supplier is permitted to utilize a Subcontractor to perform any obligations under this Agreement, Supplier shall (i) enter into agreements with any such Subcontractors to ensure that (a) Subcontractors are obligated to fully uphold and comply with the same obligations and responsibilities as Supplier under this Agreement and any applicable Work Orders, including those under Sections 5 (Policies and Procedures), 9 (Proprietary Rights), 13 (Confidential Information), 15 (Publicity), 22 (Compliance with Law) and 27 (Soliciting for Hire) and (b) the same rights that Citi has with respect to Supplier under this Agreement and any applicable Work Orders have been secured from each Subcontractor and (ii) monitor its Subcontractors’ performance of any obligations under this Agreement or any Work Order and report to Citi on such performance as required by Citi policies or as Citi may request. Supplier shall identify each Subcontractor on the applicable Work Order in which Supplier intends to use that Subcontractor. Nothing in this Agreement shall be construed to create any contractual relationship between Citi and any Subcontractor, nor any obligation on the part of Citi, to pay or to ensure the payment of any money due to any Subcontractor.

19.3 Removal of a Subcontractor. Citi may (upon providing written notice to Supplier) demand immediate removal of, and discontinued use of, a Subcontractor if, in Citi’s sole discretion, Citi believes or determines that continued use of that Subcontractor could be detrimental to Citi and/or its Affiliates. Upon receipt of notice from Citi, Supplier must promptly cease use of Subcontractor for the provision of Services to Citi and its Affiliates under any and all Work Orders and ensure Subcontractor does not directly or indirectly provide Services to Citi at any time under any subsequent Work Order.

19.4 Excluded Activities. Except with respect to Supplier’s obligations to be fully responsible for all acts and omissions of its Subcontractors, and for any failure of its Subcontractors to comply with all obligations and responsibilities of Supplier under this Agreement and any

applicable Work Order, the requirements of this Section 19 do not apply to Supplier’s use of Subcontractors for: (i) incidental engagements by Supplier of individual experts or consultants as independent contractors, (ii) to outsource routine functions unrelated to provision of the Services, (iii) development or modification of Supplier’s commercially available software, provided that the development or modification is not funded by Citi, or (iv) Supplier’s standard telephone or email technical support of its products or services; provided that, in each of (i) through (iv) above, the Subcontractor does not require access to or use of Citi Confidential Information.

20. ASSIGNMENT

Citi may, with notice to Supplier, assign this Agreement or any Work Order or any of its rights or interests hereunder, or delegate any of its obligations hereunder, to (i) a Citi Affiliate, (ii) Citi’s successor pursuant to a merger, reorganization, consolidation or sale, or (iii) an entity that acquires all or substantially all of that portion of Citi’s assets or business for which the Services or Deliverables were acquired or are being used. Except as otherwise provided above, neither Party may assign this Agreement or any Work Order or any of its rights or interests hereunder, nor delegate any obligation to be performed hereunder, without the prior written consent of the other Party. Any attempted assignment or delegation in contravention of this Section shall be null and void, and of no force or effect. This Agreement shall be binding upon, and shall inure to the benefit of, the legal successors and permitted assigns of the Parties.

21. NOTICES

21.1 Any notice, demand or other communication (collectively “notice”) required or permitted under this Agreement shall be made in writing and shall be deemed to have been duly given: (i) when actually received by the representative(s) designated to receive notices for the intended recipient, or (ii) when delivered to the address set forth for such representative(s) in the introductory table of this Agreement (or if applicable, the introductory table of the Work Order), provided the notice is sent to such representative(s) by certified or registered mail (return receipt requested) or commercial express courier (with tracking capabilities). Notices concerning this Agreement shall be given to the person who signed this Agreement on behalf of the intended recipient. Notices concerning a particular Work Order shall be sent to the person who signed such document. A copy of all notices from Supplier shall be sent to Citigroup Technology, Inc., c/o Global Technology Sourcing and Services, [****************************], Attention: Contract Administrator. A copy of any notice from Supplier that alleges Citi committed a material breach shall be sent by certified or registered mail (return receipt requested) or commercial express courier (with tracking capabilities) to the address set forth in the preceding sentence, c/o General Counsel’s Office, Attn: Managing Attorney responsible for Intellectual Property and Technology. Either Party may change its address(es) or representative(s) for receiving notices upon notice to the other.

21.2 Required Notices. In addition to any other notice requirements set forth in this Agreement or in any Work Order, Supplier shall provide prompt written notice to Citi of any of the following: (i) any interruption of Services (including interruption or unavailability of any systems Supplier uses to deliver Services); (ii) any force majeure event or any other event that would cause Supplier to invoke its Disaster Recovery Plan (as contemplated in Section 4.10.6 (Disaster Recovery Plan) or Section 26 (Force Majeure); (iii) any incident of a

kind and nature as described in Section 13.13 (Security Incident Reporting Process); (iv) regulatory or enforcement actions taken against Supplier or any failure of Supplier and its Personnel to comply with its obligations under Sections 5.1 (Policies and Procedures) or 22 (Compliance with Law); (v) a change in the Controlling Entity; (vi) permitted assignment by Supplier of this Agreement or any of its obligations under this Agreement, and (vii) any other developments, changes, events or incidents that could put at risk or otherwise impede or interfere with Supplier’s ability to provide and deliver to Citi, and Citi’s ability to receive and use, the Services in full compliance with Supplier’s obligations under this Agreement and any Work Order and in a manner consistent with how Services have been provided (and received) prior to a development, change, event or incident. All notices required under this Section 21.2 must specify the impact to Citi and its Affiliates and the corrective action to be undertaken by Supplier.

22. COMPLIANCE WITH LAW

22.1 General.

22.1.1 In performing its obligations under this Agreement, Supplier will comply, and will cause its Personnel to comply, with the requirements of all Applicable Law.

22.1.2 Each Party shall at all times monitor all Applicable Laws. During the term of this Agreement, Supplier acknowledges and agrees that Supplier and its Personnel have an affirmative obligation to promptly report to Citi any concerns about, or indications of, actual or possible violations of Applicable Law to which they become aware. Supplier will instruct its Personnel to report any concerns to Citi, and, without limiting the foregoing, will further instruct its Personnel to report any concerns through the use of any central or other reporting mechanism used or made available by Citi for this purpose (including but not limited to any Ethics Hotline). If any change in Applicable Law requires Citi to adopt specific standards regarding its services providers which relate to the Services or Supplier’s methods of doing business as a result of changes in Applicable Law, then Supplier must make all modifications to the Services or its methods of doing business as are required to enable Citi to comply with any changes in Applicable Law. Supplier will make all required changes at no charge to Citi. Citi shall notify Supplier in advance of the applicable performance by Supplier of any Applicable Laws that impose obligations on Citi, solely to the extent such Applicable Laws are relevant to Supplier’s provision of the Services. With respect to obligations arising under Applicable Laws regulating Citi’s banking operations, including Applicable Laws concerning the conduct of banking services and the prevention of money laundering, Citi shall provide Supplier with specific operating instructions, which Supplier shall follow. Supplier shall provide the Services in compliance with all Applicable Laws applicable to Supplier as a provider of technology services (including ADM Services), in compliance with all Applicable Laws which apply to Citi to the extent that Supplier has been made aware of such Applicable Laws by Citi, and in compliance with the foregoing operating instructions.

22.1.3 In the event that an Applicable Law or a change in Applicable Law (in each case, whether or not enacted or in force) might reasonably impact the Services, Supplier or Citi, as applicable, shall propose, using the Change Control Procedures, appropriate modifications to the Services to render the Services compliant with such Applicable Law or change in Applicable Law. Upon agreement of the Parties pursuant to the Change Control Procedures, Supplier shall promptly implement such modifications. Supplier shall pay any

costs associated with implementing any modifications to the Services required to render them compliant with Applicable Laws and changes in Applicable Laws applicable to Supplier and/or one of its Affiliates as providers of technology services (including ADM Services). Citi shall pay any costs associated with implementing any modifications to the Services (including changes to the Service Levels) required to render them compliant with Applicable Laws and changes in Applicable Laws applicable to Citi; provided that if the modification is being made on behalf of multiple Supplier customers, Citi shall only pay the incremental costs (i) attributed to a reasonable proportion of Services received by it from Supplier that are impacted by such modification, as compared to the total services provided by Supplier to all customers that are impacted by such modifications, and (ii) for making any modification specifically for Citi. For purposes of this Section 22.1.3, “changes in Applicable Law” shall include cases where an Applicable Law has not yet changed, but is reasonably expected to change.

22.1.4 The Parties shall periodically review the Services to assess their impact upon Citi’s compliance with Applicable Law. Supplier shall provide Citi such information and assistance as Citi may reasonably request in connection with such reviews.

22.1.5 If, at any time, Citi determines that Supplier’s compliance with any Service Level will result in Citi violating any Applicable Law, the Parties shall amend such Service Level to ensure that Citi is not violating any Applicable Law. The applicable commercial and other impact shall be discussed and agreed upon between the Parties.

22.2 Export Controls. Without limiting the generality of Section 22.1 (General Compliance with Law), Supplier specifically agrees to comply, and to cause its Personnel to comply, with the current or future requirements of all Applicable Laws that regulate the importation or exportation of goods and technologies, and in particular, to comply with the Export Administration Regulations of the United States (including obtaining all required authorizations or licenses) as they pertain to any technical data, computer software, or any product (or any part thereof), process, or service that is the direct product of any such technical data or computer software (hereinafter referred to collectively or individually without distinction as “Export Controlled Products”) to which Supplier’s Personnel have access while engaged by Citi. Supplier acknowledges that the Export Administration Regulations of the United States prohibit the disclosure, exportation or re-exportation (directly or indirectly) of any Export Controlled Products: (i) to any country, or to any citizens or residents of any country, that is included within Country Group E:1 on Supplement No.1 to 15 CFR chapter VII, subchapter C, part 740, as such Supplement No. 1 currently exists or may hereafter be amended from time to time (hereinafter, Supplement No.1”), or (ii) to any country, or to any citizens or residents of any country, that is included within Country Group D:1 on Supplement No.1, if the Export Controlled Product is destined to a military end user or intended for any military use. Supplier acknowledges that a current version of Supplement 1 may be viewed by: (i) accessing the web site located at http://www.access.gpo.gov/bis/ear/ear_data.html, (ii) scrolling down to “Part 740Spir - Supplement No. 1 to Part 740, Country Groups”, and (iii) clicking on the Download Format preferred. Supplier understands that countries other than the U.S. may restrict the import or use of strong encryption products or other items and may restrict exports, and Supplier agrees that it shall be solely responsible for compliance with any such import or use restriction. Supplier represents that it is not currently debarred, suspended or otherwise prohibited or restricted from exporting, reexporting, receiving, purchasing, processing or otherwise obtaining any item, product, article, commodity, software or technology regulated

by any agency of the United States, and Supplier will promptly notify Citi if any of the foregoing occurs. If requested by Citi, Supplier shall cause its Personnel to execute and return to Citi the appropriate form of Assurance of Compliance - Export Control Laws set forth as Appendix 22.2 (Assurance of Compliance — Export Control Laws). Each Party acknowledges that certain activities undertaken in connection with the Services may be subject to export control-related Applicable Laws and/or re-export, import and use control-related Applicable Laws. Citi shall be responsible for obtaining any necessary export, re-export, import and use licenses, permits, registrations or other permissions necessary for Citi to receive the Services, including with respect to any Citi Intellectual Property Rights provided to Supplier in connection with the Services. Supplier shall be responsible for obtaining any necessary export, import and use licenses, permits, registrations, or other permissions necessary for Supplier to provide the Services, including with respect to any Supplier Materials provided to Citi or the applicable Citi Affiliate. The Parties shall reasonably cooperate with one another (including providing necessary information) with respect to obtaining any required licenses, permits, registrations or other permissions pursuant to this Section 22.2.

22.3 Rights in Bankruptcy. All licenses, usage rights, access rights and other similar rights granted pursuant to this Agreement shall, for purposes of Section 365(n) of the Bankruptcy Code, 11 U.S.C. § 101 et seq., be deemed to be licenses of rights to “intellectual property” as defined under Section 101(35A) of the Bankruptcy Code, and the Supplier Materials and Third Party Materials and any related documentation shall be deemed to be “embodiment(s)” of “intellectual property.” Citi shall retain and may fully exercise all of its rights and elections under the Bankruptcy Code or equivalent legislation in any other jurisdiction. Without limiting the generality of the foregoing, Supplier acknowledges that the rights and license granted to Citi pursuant to this Agreement shall not be affected by Supplier’s rejection of this Agreement in bankruptcy, and shall continue subject to the provisions of this Agreement. Upon the bankruptcy of Supplier, Citi shall further be entitled to a complete duplicate of (or complete access to, as appropriate) any such intellectual property comprising or relating to the Supplier Materials and Third Party Materials, and such, if not already in its possession, shall be promptly delivered to Citi, unless Supplier elects to continue, and does so continue, to perform all of its obligations under this Agreement.

22.4 Insider Trading and Tipping Notice. Supplier acknowledges that Applicable Law and Citi’s policies and procedures prohibit any person or entity from (i) trading any securities (including stocks, bonds, options or any other securities) when such person or entity has material, nonpublic information about those securities, or (ii) disclosing such information to any other person or entity that may sell or purchase such securities.

22.5 Cooperation with Governmental or Regulatory Agencies. Supplier acknowledges that Citi and its Affiliates are subject to Regulatory oversight under which Citi’s Regulators have the authority to exercise the same examination and Regulatory authority over Citi’s and its Affiliates’ suppliers that conduct certain functions or operations as if Citi or its Affiliates were themselves conducting these functions or operations. Supplier shall promptly cooperate and comply with the requests of any Regulator of Citi or any of its Affiliates.

22.6 Nondiscrimination and Equal Employment Opportunity. Without limiting the generality of Section 18.1 (General) above, Supplier will comply, and will cause its

Personnel to comply, with the requirements of the Equal Opportunity Clause including (i) 41 CFR 60-300.5(a) which prohibits discrimination against qualified protected veterans, and requires affirmative action to employ and advance in employment qualified protected veterans, and (ii) 41 CFR 60-741.5(a) which prohibits discrimination against qualified individuals on the basis of disability, and requires affirmative action to employ and advance in employment qualified individuals with disabilities.

22.7 Data Privacy.

22.7.1 Notwithstanding any other provision of this Agreement, Supplier shall ensure at all times that it, and all of the Equipment and software utilized by it, is in compliance with (i) Title V of the Gramm-Leach-Bliley Act of 1999 or any successor federal statute to the Gramm-Leach-Bliley Act of 1999, and the rules and regulations thereunder, all as may be amended or supplemented from time to time, (ii) the European Commission Data Protection Directive (95/46/EC) or Data Protection Act 1998 or any implementing or related legislation of any member state in the European Economic Area, (iii) the Health Insurance Portability and Accountability Act of 1996, (iv) the Sarbanes-Oxley Act of 2002 (Pub. L. 107-204, 116 Stat. 745), and (v) any and all other relevant data privacy laws, regulations or directives, wherever they may be found (“Data Privacy Laws”). Further, pursuant to Section 13 (Confidential Information) Citi shall have the right to audit Supplier to verify compliance with relevant Data Privacy Laws. It is expressly understood that Supplier is solely responsible for such compliance and in determining which, if any, laws, regulations or directives are applicable, and Supplier shall timely notify Citi when such laws, regulations or directives are applicable to any Work Order. The Parties further agree that they shall enter into separate country specific data privacy agreements, as needed, and shall attach such agreements to this Agreement as Appendix 22.7.1 (Data Privacy Agreement by Country), which shall be incorporated into this Agreement by reference (“Data Privacy Agreements”). Such Data Privacy Agreements shall reflect data privacy compliance requirements for the respective country that Supplier shall implement.

22.7.2 Without prejudice to Section 22.7.1 above, the Parties agree that Supplier is a data processor when processing personal data relating to the staff or customers of Citi. If a supervisory authority for data protection considers, or Citi reasonably considers, that Supplier is a data controller, not a data processor, then Supplier agrees to make such changes to this Section 22.7.2 as Citi may reasonably require. When Supplier processes personal data as a data processor, it shall:

(a) only carry out processing on the instructions of Citi from time to time and promptly comply with any such instructions;

(b) include in any contract with permitted Subcontractors who will process personal data directly or indirectly on behalf of Citi, and who have been approved by Citi pursuant to Section 19.2 (Supplier Affiliates and Subcontractors), provisions in favor of Citi which are equivalent to those in this Section 22.7 including sufficient guarantees in respect of the appropriate technical and organizational measures governing the data processing;

(c) promptly refer to Citi any queries from data subjects, any data protection supervising authority, or any law enforcement authority, for Citi to resolve;

(d) at no additional cost, promptly provide such information to Citi as may be reasonably required to allow it to comply with the rights of data subjects, including

subject access rights, or with information notices served by the relevant law enforcement authority or to facilitate timely resolution of any of the foregoing or any related matter;

(e) comply with the security breach notification procedures that may be provided by Citi from time to time, and promptly notify Citi in writing if this Section 22.7 has, may have been, or is likely to be breached, in sufficient detail to enable Citi to mitigate any liability it may incur;

(f) cooperate with Citi to assist Citi in investigating and mitigating any breach of this Section 22.7 (including the provision of regular updates on the status of the breach);

(g) ensure that the Services are provided in accordance with Citi’s information security policies and procedures;

(h) take security measures to prevent unauthorized or accidental access to, alteration, disclosure, or loss and destruction of information; and

(i) only transfer personal data to another country if and to the extent expressly permitted in a Work Order or expressly authorized by Citi in writing. To the extent that personal data of Citi located in the European Union is transferred to a country outside of the European Union, Supplier shall ensure an adequate level of protection for the rights of the data subject after written authorization by Citi which may be granted subject to such conditions as Citi thinks are necessary to ensure adequate protection of the data.

22.7.3 Supplier must take reasonable precautions (having regard to the nature of its other respective obligations under this Agreement) to preserve the integrity of any data of Citi and to prevent any corruption or loss of such data. Supplier shall implement (and update from time to time as needed) the appropriate technical, organizational, and security measures (including any specific security measures specified in a Data Privacy Agreement) to protect Citi data against unauthorized or unlawful processing and against accidental loss, destruction, damage, disclosure, or alteration and provide Citi with a written detailed description of such measures promptly on request from time to time.

22.7.4 Supplier and Citi shall agree on a back-up procedure that shall require both Parties to back up data, and in any event Supplier must make a back-up copy of Citi’s data every day and record the copy on media from which Citi’s data can be re-loaded in the event of any corruption or loss of Citi’s data.

22.7.5 In the event that Citi’s data is corrupted or lost as a result of any default by Supplier, Citi may, in addition to any other remedies that may be available to it either under this Agreement or otherwise, elect to pursue either of the following remedies:

(a) Citi may require Supplier at its own expense to restore or procure the restoration of Citi’s data; or

(b) Citi may itself restore or procure restoration of Citi’s data, and shall be repaid by Supplier for any reasonable expenses so incurred.

23. CHOICE OF LAW AND DISPUTE RESOLUTION

23.1 Governing Law. The laws of the State of New York shall in all respects govern and be used to construe this Agreement, and all matters arising out of or related to this Agreement,

as though this Agreement was entered into, and was to be entirely performed within, the State of New York, without regard to its conflict of laws principles that would lead to the application of the laws of another jurisdiction. The Parties expressly disclaim the applicability of, and waive any rights based upon, the Uniform Computer Information Transactions Act or United Nations Convention on Contracts for the International Sale of Goods. For the avoidance of doubt, nothing stated in this Agreement will prejudice or limit the rights or remedies of either Party to enforce any award or decree under the laws of any jurisdiction where property or assets of the other Party may be located. The Parties expressly and irrevocably acknowledge and agree that Part 1 of India’s Arbitration and Conciliation Act of 1996 shall not apply to this Agreement.

23.2 Escalation.

23.2.1 Any dispute, controversy or claim arising out of or relating to this Agreement (“Dispute”) shall be referred in writing by Citi or Supplier to the Supplier Program Manager and the Citi Program Manager. If the Dispute is not resolved within three (3) Business Days after such referral, the Parties shall immediately escalate the Dispute pursuant to Section 23.2.2 below.

23.2.2 If, for any reason, the Dispute is not resolved within thirty (30) days after the referral of the Dispute to the Program Managers as provided in Section 23.2.1 above, two (2) senior executives of Supplier and two (2) senior executives of Citi shall meet (including by teleconference) for the purpose of resolving the Dispute by negotiation. During such negotiation, such representatives shall attempt to produce a joint written recommendation, including actions to be taken with respect to any issues not agreed upon or remaining unresolved. The Parties agree to be bound by any such joint written recommendation. Nothing in this Section (including a Party invoking this Section or a Party’s delay or failure to invoke this Section) is to be construed as a waiver of either Party’s exercise or partial exercise of any right or remedy under this Agreement.

23.3 Arbitration. If, for any reason, any Dispute is not amicably resolved in the manner provided by Section 23.2 (Escalation) above, then, within sixty (60) days after the Dispute is referred to the Program Managers in the manner provided by Section 23.2.1, any unresolved matters still in dispute between the Parties shall be referred, in writing, by either Supplier or Citi, for final and binding arbitration administered by the Court of Arbitration of the International Chamber of Commerce (“ICC Court”) in accordance with its Rules of Arbitration then in effect (“ICC Rules”) except as modified herein.

23.3.1 The arbitration shall be conducted as follows: (i) all proceedings in any such arbitration shall be conducted in English, and the arbitration proceedings shall be held in, the award rendered in, and the seat of arbitration shall be, New York City, New York, (ii) the arbitration shall be conducted by three (3) arbitrators (“Tribunal”), one (1) of whom shall be appointed by Supplier, one (1) of whom shall be appointed by Citi, and one (1) of whom shall be appointed by the ICC Court, and (iii) the Tribunal shall have the power to award interest on any sums awarded as due and payable up to the date of payment of such sums. Each Party shall bear its own costs and expenses incurred in connection with the arbitration.

23.3.2 Notwithstanding any term of the ICC Rules otherwise, the Parties expressly agree that, if two (2) or more arbitrations arise between the Parties to this Agreement, whether out of or in relation to this Agreement or otherwise, none of the arbitrations so arising shall be consolidated unless all of the claims in all the arbitrations potentially subject to

consolidation are made under this Agreement. Thus, for the avoidance of doubt, no consolidation may arise out of Article 10(c) of the 2012 ICC Rules of Arbitration, or any equivalent provision thereof in any subsequent version of the ICC Rules.

23.3.3 By agreeing to arbitration, the Parties do not intend to deprive any court of its jurisdiction to issue an injunction, attachment or other appropriate equitable and interim relief or the enforcement of any award, and, for any such action, each of the Parties irrevocably and unconditionally consents and submits to the exclusive jurisdiction and venue of the Courts of the State of New York and the Federal Courts of the United States of American located within the Borough of Manhattan, New York, New York (“New York Courts”). In any such action, each Party further (i) irrevocably waives, to the fullest extent it may effectively do so, any objection, including any objection to the laying of venue or based on the grounds of forum non conveniens or any right of objection to jurisdiction on account of its place of incorporation or domicile, which it may now or hereafter have to the bringing of any such action or proceeding in any New York Court, (ii) irrevocably consents to service of process by first class certified mail, return receipt requested, postage prepaid, or in any other manner provided by Applicable Law, and (iii) AND TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH OF THE PARTIES HERETO IRREVOCABLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION, SUIT, PROCEEDING OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS AGREEMENT OR ANY OF THE TRANSACTIONS CONTEMPLATED BY THIS AGREEMENT.

23.3.4 Judgment upon the award rendered may be entered in any court of competent jurisdiction and any New York Court, and application may also be made to such courts for a judicial recognition of the award or an order of enforcement thereof.

24. REMEDIES

24.1 Equitable Relief — Party Breaches. Each Party acknowledges that the failure to perform its duties under Sections 13 (Confidential Information) or 15 (Publicity) may cause the other Party to suffer irreparable injury for which the injured Party will not have an adequate remedy available at law. Accordingly, the injured Party may seek to obtain injunctive or other equitable relief to prevent or curtail any such breach, threatened or actual, without posting a bond or security and without prejudice to such other rights as may be available under this Agreement or under Applicable Law.

24.2 Equitable Relief — Supplier Personnel Breaches. Without limiting the provisions of Section 24.1, Supplier acknowledges that a breach of Sections 5.1 (Policies and Procedures), 5.2 (BS7799), 5.4 (Equipment and Network Security), 9 (Proprietary Rights), 13 (Confidential Information) or 15 (Publicity) of this Agreement by Supplier’s Personnel, existing or past, who have provided any Services under any Work Order or have had access to Citi’s Confidential Information may cause Citi to suffer irreparable injury for which Citi will not have an adequate remedy available at law. Accordingly, Citi shall be entitled to injunctive or other equitable relief to prevent or curtail any such breach, threatened or actual, without posting a bond or security and without prejudice to such other rights as may be available under this Agreement or Applicable Law. Supplier shall fully and unconditionally cooperate with Citi to pursue any injunctive or equitable relief against any Supplier Personnel who have provided any Services under any Work Order or have had access to Citi Confidential Information (whether such personnel are still employed by

Supplier or work elsewhere) whose actions are, in Citi’s reasonable judgment, deemed to be in breach of this Agreement, in the local courts of such Personnel’s current domicile or such other jurisdictions as may be appropriate in Citi’s reasonable discretion.

24.3 Recovery of Fees.

24.3.1 For Services Other than Deliverables. If Citi terminates a Work Order in whole or in part pursuant to Section 2.2.2(a) (Termination of a Work Order by Citi for Cause), Section 2.2.2(c) (Termination of a Work Order by Citi for Other Reasons), Section 6.2 (Acceptance or Rejection), Section 6.3 (Completion of Delivery of Services and Deliverables), or Section 12.4 (Conformity to Acceptance Criteria; Absence of Defects), then such termination shall be without any further financial liability or obligation of Citi (for the portion terminated) and Supplier shall, within five (5) Business Days of such termination, refund to Citi all Service Fees prepaid by Citi pursuant to such terminated Work Order with respect to the remainder of the then-current term of such Work Order, plus fees prepaid by Citi for services related to the Services or Deliverables and for any other products provided by Supplier to Citi that were provided in conjunction with the Services or Deliverables and cannot be utilized effectively or completely by Citi.

24.3.2 For Deliverables. If Citi terminates a Work Order in whole or in part pursuant to Section 2.2.2(a) (Termination of a Work Order by Citi for Cause), Section 2.2.2(c) (Termination of a Work Order by Citi for Other Reasons), Section 6.2 (Acceptance or Rejection), Section 6.3 (Completion of Delivery of Services and Deliverables), or Section 12.4 (Conformity to Acceptance Criteria; Absence of Defects), then such termination shall be without any further financial liability or obligation of Citi (for the portion terminated) and Supplier shall, within five (5) days of such termination, refund to Citi all Service Fees paid by Citi pursuant to such terminated Work Order, plus fees paid for services related to the Services or Deliverables and for any other products provided by Supplier to Citi that were provided in conjunction with the Services or Deliverables and cannot be utilized effectively or completely by Citi given the non-conformance of the Services or Deliverables.

24.4 Cumulative Remedies and Offsets. Except as otherwise expressly provided in this Agreement, all remedies in this Agreement are cumulative and in addition to (not in lieu of) any other remedies available to a Party at law or in equity. In the event of a claim by Citi for loss or damages for which Supplier is responsible, Citi shall be entitled to adjust the amounts claimed against future or outstanding payments due, or which may become due, to Supplier.

25. WAIVER

No course of dealing, failure by either Party to require the strict performance of any obligation assumed by the other hereunder, or failure by either Party to exercise any right or remedy to which it is entitled, shall constitute a waiver or cause a diminution of the obligations or rights provided under this Agreement. No provision of this Agreement shall be deemed to have been waived by any act or knowledge of either Party, but only by a written instrument signed by a duly authorized representative of the Party to be bound thereby. Waiver by either Party of any default shall not constitute a waiver of any other or subsequent default.

26. FORCE MAJEURE

26.1 Force Majeure. A Party will be excused from a delay in performing, or a failure to perform, its obligations under this Agreement to the extent such delay or failure is caused by reason of any event beyond the reasonable control, and without any fault, of such Party (including acts of God, fire, explosion, accident, floods, earthquakes, embargoes, epidemics, war, acts of terrorism, nuclear disasters, or other similar events) (each, a “Force Majeure Event”). In such event, the performance times shall be extended for a period of time equivalent to the duration of the Force Majeure Event; provided that in order to avail itself of the relief provided in this Section, a Party must act with due diligence to remedy the cause of, or to mitigate or overcome, such delay or failure. For purposes of this Section, the phrase “due diligence” shall, at a minimum, require Supplier to maintain in full compliance at all times with a contingency plan for the continuation of business (and provide evidence of its current and periodic testing if requested by Citi) so that despite any disruption in Supplier’s ability to fulfill its service obligations from any particular location (including, without limitation, all Service Locations) or through the efforts of any particular individuals, Supplier will be able to fulfill its service obligations from an alternate location or with replacement individuals.

26.2 Upon the occurrence of a Force Majeure Event, the affected Party shall promptly give written notice to the other Party of the Force Majeure Event and of the expected duration of such Force Majeure Event.

26.3 During any period that, despite implementing and complying with the continuity of business plans, Supplier is wholly or partially prevented from, or delayed in, providing one or more Services under a Work Order, or one or more such Services is interrupted or suspended, due to a Force Majeure Event:

(a) Supplier shall use commercially reasonable efforts to (i) avoid or remove the applicable Force Majeure Event, and (ii) resume normal performance of the affected Service with the least possible delay.

(b) Citi shall not pay Supplier for the affected Services, provided that if and to the extent that Supplier subsequently performs the affected Services and Citi suffered no harm (including the cost of a replacement services provider) because of Supplier’s delay in providing the affected Services, Citi shall pay Supplier in accordance with the applicable Work Order.

(c) Within ten (10) days following the Force Majeure Event, the Parties will mutually agree on a reasonable date on which Supplier will resume providing the affected Services (the “Resumption Date”), which timeline shall take into account the size, type and severity of the Force Majeure Event and the alternative options for restoration of such Services. If Supplier does not resume providing the Services on or before the Resumption Date, the Services will be treated as a breach and the provisions applicable for a normal breach under a Work Order as set forth in this Agreement shall apply.

27. SOLICITING FOR HIRE

27.1 Supplier will not directly or indirectly solicit for employment or services any Citi employee working with Supplier under a Work Order while such Work Order is in effect, nor during the [*******] month period following the termination or expiration of such Work Order.

27.2 Except as otherwise set forth in this Section 27, Citi may request approval by Supplier for Citi to directly or indirectly solicit for employment or services any Supplier employee who has been assigned by Supplier to provide Services to Citi under a Work Order for at least six (6) months if Citi determines, in its sole discretion, to do so in connection with a change to Citi’s business plans or strategy (e.g., exiting or entering a new market, changes to sourcing and supplier strategy). Supplier shall promptly respond to such requests, and if Supplier rejects a request, the Parties agree that such request may be subject to review by the Citi Global Head of Resource and Location Strategy to decide to approve such request or uphold Supplier’s rejection thereof. The Parties agree that the decision of the Citi Global Head of Resource and Location Strategy is final. Citi shall have no liability or obligation to Supplier or such employees in connection with any resulting hires.

27.3. Notwithstanding any other provision in this Section 27, and without limiting any other rights Citi may have hereunder, Citi shall have the right at any time to solicit for employment and hire any Key Personnel who have been assigned by Supplier to provide services to Citi under a Work Order (regardless of the work location of such Key Personnel), and without any obligation or liability to Supplier or Supplier’s Personnel.

27.4 If at any time during the term of this Agreement, (v) Citi elects or is required to insource (i.e., transfer in-house into Citi’s operations) any Services performed by Supplier in order for Citi to comply with Applicable Law or as a result of Regulatory direction, recommendation, finding or similar guidance, (w) any of the events described in Section 2.1.2(d) occurs; (x) Supplier is unable or unwilling to perform its obligations required under this Agreement or any Work Order, (y) Citi terminates a Work Order pursuant to Section 2.2.2(i), or (z) an incident or suspected incident involving Supplier that poses a risk to Citi’s business or reputation, then none of the restrictions set forth in this Section 27 will apply to Citi and Citi may solicit or hire any Supplier Personnel at any time thereafter, without any obligation or liability to Supplier whatsoever.

27.5 If there is a change in the entity possessing, directly or indirectly, the power to direct or cause the direction of the management, policies, and operations of Supplier or of any Supplier Affiliate providing Services to Citi as set forth in Section 2.1.2(c), which change Citi has notified Supplier in writing of its objection, at Citi’s sole discretion, then Citi shall have the right, commencing as of the effective date of such change, to hire (a) up to [********] percent [****] of Supplier’s or such Supplier Affiliate’s Personnel performing Services and who were engaged by Citi to perform Services under a Work Order or through a Citi NEMS, wherever such Personnel are physically located. Supplier agrees to release Citi from any obligations or liabilities arising therefrom in the event of any such hiring by Citi.

27.6 Without limiting any other rights Citi may have under this Section 27, Citi shall have the right at any time to solicit for employment and hire any Supplier Personnel providing Staffing Services, subject to Citi paying any hiring fee indicated in the applicable Work Order. If no such fee is indicated therein, Citi may exercise the foregoing right without liability for payment of any such fee. Notwithstanding the foregoing, Citi shall have the right to solicit for employment and hire any Personnel who (a) has performed Staffing Services that are not related to an India-based engagement for a minimum of [*****] months and (b) reports to a Citi project manager located at a Citi Location, without any obligation (including payment of a hiring fee after such [******] month period) to Supplier or such Personnel.

27.7 If Supplier has engaged a Subcontractor to provide Services under a Work Order pursuant to Section 19.2, Citi shall have the right to solicit for employment and hire any employees of such Subcontractor, subject to Citi paying Supplier any hiring fees indicated in the applicable Work Order. If no such fee is indicated therein, Citi may exercise its right under this Section 27.7 without liability for payment of any such fee to Supplier or the applicable Subcontractor.

27.8 Supplier agrees to include provisions in its agreements with its Subcontractors as may be necessary to enable Citi to exercise the rights contemplated under this Section 27 without Citi having any obligation or liability (under any theory of law) to any Subcontractor. For the purposes of this Section, the advertisement of employment opportunities by a Party in any public forum (including magazines, trade journals, publicly accessible internet sites, classified advertisements, or job fairs open to the public) shall not be considered “solicitation”, and the hiring of an individual as a result of his or her response to such a general employment advertisement or in response to his or her unsolicited employment inquiry shall not constitute a breach of this Agreement.

27.9 Notwithstanding anything to the contrary in this Section 27, Citi shall have the right to solicit for employment and hire, subject to the limitations set forth herein, up to [*****] percent [****] of Supplier Personnel assigned to a Project under a given Work Order following written notice from Citi that Supplier has materially failed to provide the Services in accordance with the terms of such Work Order and has not remediated such failure within a period of not less than ninety (90) days following receipt of such written notice. Unless otherwise agreed by the Parties, such failure by Supplier to so remediate shall automatically result in termination of the applicable Work Order as of the end of such ninety (90) day period. Citi’s right to solicit and hire under this Section 27.9 shall only apply to Supplier Personnel performing Services pursuant to Managed Services Work Orders, and shall be specifically limited to Supplier’s Personnel who have been assigned to a Managed Services Project as a billable resource and have been working for a period of at least [******] months under such Managed Services Work Order. For the avoidance of doubt, any Work Order is subject to termination by Citi in accordance with the terms of Section 2.2.2(a)(i), and in the event of any such termination, the provisions of this Section 27.9 shall not apply.

28. CONSTRUCTION

28.1 Interpretation. In the event of any conflict between the provisions of any of this Agreement, any Local Country Addendum, and any Work Order, such conflict shall be resolved in the following manner:

28.1.1 in the event of a conflict between the provisions of an applicable Local Country Addendum and the provisions of the remainder of this Agreement, the conflicting provisions of the applicable Local Country Addendum will govern with respect to Services and Deliverables provided to, or for the benefit of, Citi in the country covered by such Local Country Addendum, but only to the extent that they impose the more comprehensive duty and/or responsibility and/or obligation on Supplier; and

28.1.2 in the event of a conflict between the provisions of a Work Order and the provisions of the remainder of this Agreement other than any applicable Local Country Addendum, the conflicting provisions of the Work Order shall govern with respect to Services and Deliverables being provided pursuant to such Work Order.

28.1.3 In the event of a conflict between the provisions of a Local Country Addendum and the provisions of a Work Order, the conflicting provisions of the applicable Local Country Addendum will govern with respect to Services and Deliverables provided to, or for the benefit of, Citi in the country covered by such Local Country Addendum, but only to the extent that they impose the more comprehensive duty and/or responsibility and/or obligation on Supplier.

Each Party acknowledges and agrees that any interpretation of this Agreement shall not be construed against a Party by virtue of its having drafted the terms and conditions hereunder.

28.2 Modification.

28.2.1 Subject only to any express exception set forth in the appendix, schedules, exhibits, addenda and other documents attached hereto or specifically incorporated herein by reference or in any Work Order, the terms, conditions, covenants and other provisions of this Agreement may be modified, amended, supplemented or otherwise changed only by a written instrument (excluding e-mail or similar electronic transmissions) that specifically purports to do so and is physically executed by a duly authorized representative of each Party.

28.2.2 In no event shall the provisions of any shrink-wrap or any click-through agreement (or other form of agreement) that may be provided in conjunction with the services or products (including software) provided hereunder or otherwise exchanged between the Parties, constitute a binding agreement or serve to modify the provisions of this Agreement or a Work Order, even if a user or authorized officer of Citi or a Citi Affiliate purports to have affirmatively accepted such provisions.

28.3 Severability. If a court of competent jurisdiction declares any provision of this Agreement to be invalid, unlawful or unenforceable as drafted, the Parties intend that such provision be amended and construed in a manner designed to effectuate the purposes of the provision to the fullest extent permitted by Applicable Law. If such provision cannot be so amended and construed, it shall be severed, and the remaining provisions shall remain unimpaired and in full force and effect to the fullest extent permitted by Applicable Law.

28.4 Survival. The provisions of this Agreement that, by their nature and content, must survive the completion, rescission, termination or expiration of this Agreement in order to achieve the fundamental purposes of this Agreement (including any licenses granted to Citi under this Agreement), shall so survive and continue to bind the Parties. Without limiting the generality of the foregoing, the Parties specifically acknowledge that the following provisions shall survive and continue to bind the Parties: Sections 2.3 (Orderly Transfer), 2.4 (Retention of Archival Copy), 9 (Proprietary Rights), 12.1 (Authority and Non-Infringement), 12.3 (Anti-Bribery, Personal Dealings and Non-Subornation), 12.7 (Disabling Devices), 13 (Confidential Information), 15 (Publicity), 16 (Indemnity), 18 (Limitation of Liability), 19.2 (Subcontractors) (as relates to Supplier’s obligation to be responsible for the acts and omissions of its Subcontractors), 20 (Assignment), 21 (Notices), 22.5 (Cooperation with Governmental or Regulatory Agencies), 23 (Choice of Law and Dispute Resolution), 24 (Remedies) and 30 (Complete Understanding).

28.5 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed to be an original.

29. AUDITED FINANCIAL STATEMENTS

Upon Citi’s request, Supplier shall provide a completed audited statement of the financial condition of Supplier’s organization, including (i) audited year-end results for the three (3) previous years, including revenues, expenses, net income, total assets, liabilities and footnotes, and (ii) the most recent financial interim statement.

30. COMPLETE UNDERSTANDING

This Agreement (together with the appendices, schedules, exhibits, addenda and other documents attached hereto or specifically incorporated herein by reference, including any amendments hereto) constitutes the complete understanding of the Parties, and supersedes all prior or contemporaneous agreements, discussions, negotiations, promises, proposals, representations, and understandings (whether written or oral) between the Parties, with regard to the subject matter hereof, including the Original MPSA, which is hereby terminated in its entirety, provided that, Citi and Citigroup North America, Inc. (on behalf of itself and its Affiliates that are party to any Existing Work Orders entered into under the Original MPSA) and Supplier each acknowledge that no Existing Work Order is terminated as a result of such termination, and all Existing Work Orders shall be governed by this Master Agreement from and after the Effective Date, and provided, further that any reference in any Existing Work Order to a section in the Original MPSA shall be deemed to be a reference to the corresponding section of this Master Agreement or, if no such corresponding section exists, then the provision referencing the section of the Original MPSA shall be of no further force or effect as of the Effective Date. Supplier specifically acknowledges and agrees that it did not enter into this Agreement in reliance upon any agreement, promise, representation, or understanding made by or on behalf of Citi that is not contained herein.

END OF DOCUMENT

[Signature page follows]

IN WITNESS WHEREOF, the Parties hereto, each acting with proper authority, have executed this Agreement as of the Effective Date designated above.

By Manual Signature:

SUPPLIER:		CITI:

By:	/s/ Vaidyanathan Mahadevan	By:	/s/ John G. Taylor

Name:	Vaidyanathan Mahadevan	Name:	John G. Taylor

Title:	Chief Financial Officer	Title:	Director — Citi Procurement Services

Date:		Date:	7/17/2015

For purposes of Section 30 only:

CITICORP NORTH AMERICA, INC.:

By:	/s/ John G. Taylor

Name:	John G. Taylor

Title:	Director — Citi Procurement Services

Date:	7/17/2015

By Electronic Signature Binding:

For Supplier: By selecting the “I Accept” button below, I am representing that I am an authorized representative of Supplier and am the individual identified in the signature block immediately following this paragraph under the reference to Supplier and that I am entitled and authorized to legally bind Supplier to this Work Order. Supplier agrees that use of a key pad, mouse or other device by its authorized representative to select the “I Accept” button below will be deemed to be a valid and due execution of this Work Order by Supplier with the same force and effect as if Supplier had manually signed this Work Order. If Supplier does not agree that its electronic selection of the “I Accept” button below will bind Supplier to the terms and conditions of this Work Order as it exists on the date hereof, then do not select the “I Accept” button below.		For Citi: By selecting the “I Accept” button below, I am representing that I am an authorized representative of Citi and am the individual identified in the signature block immediately following this paragraph under the reference to Citi and that I am entitled and authorized to legally bind Citi to this Work Order. Citi agrees that use of a key pad, mouse or other device by its authorized representative to select the “I Accept” button below will be deemed to be a valid and due execution of this Work Order by Citi with the same force and effect as if Citi had manually signed this Work Order. If Citi does not agree that its electronic selection of the “I Accept” button below will bind Citi to the terms and conditions of this Work Order as it exists on the date hereof, then do not select the “I Accept” button below.

*I Accept : {{[]_es_:signer1}}**		*I Accept: {{[]_es_:signer2}}**
Supplier:		Citi:
eSign: {{_es_:signer1:signature }}		eSign: {{_es_:signer2:signature }}
Name: {{_es_:signer1:fullname }}		Name: {{_es_:signer2:fullname }}
Email: {{_es_:signer1:email }}		Email: {{_es_:signer2:email }}
Date: {{_es_:signer1:date }}		Date: {{_es_:signer2:date }}

Appendix 1.1 — Existing Work Orders

The Parties shall use good faith efforts to compile a list of Existing Work Orders and incorporate such list into this Agreement by amendment to this Appendix 1.1 as soon as reasonably practicable.

Appendix 3.2 — Form of Work Order

FOR INTERNAL CITI REFERENCE ONLY

CITI-CONTRACT ID:	14084-2015	Zycus Code:	Choose an item
CITI-SUBCONTRACT ID:	N/A	Renault ID#:	CITI TO INSERT
Payment Terms:	CITI TO INSERT	If Renewal, NEMS WO#	SUPPLIER TO INSERT EXPIRING NEMS WO#
		If Renewal, Work Order#	SUPPLIER TO INSERT (e.g., RP-12345-2013, etc.)

Work Order

(Use for ADM and Infrastructure Services Only)

	Work Order:	CITI TO INSERT
	Effective Date:	INSERT

This Work Order is entered as of the Effective Date designated above, by and between Supplier and Citi (each as designated below). The Parties hereto acknowledge that they are entering into this Work Order pursuant to the provisions of the Master Professional Services Agreement dated as of July 1, 2015 by and between Polaris Consulting & Services Ltd and Citigroup Technology, Inc., (the “Agreement”). The Parties further acknowledge and agree that the provisions of the Agreement are hereby incorporated by reference and shall apply to this Work Order as though such provisions were set forth herein in their entirety. Capitalized terms used herein shall have the meanings ascribed to them in the Agreement unless expressly defined herein. For the avoidance of doubt, unless explicitly stated otherwise, this Work Order does not incorporate the terms or conditions of any other Work Order under the Agreement.

Party:	SUPPLIER	CITI
Name:	SUPPLIER TO INSERT	CITI TO INSERT
Address:
Incorporation:

1. Project Name: CITI TO INSERT

2. Citi Business Unit: CITI TO INSERT COMPLETE ORG PATH OF GOC

3. Term:

The Term (“Term”) of this Work Order shall be from the Commencement Date to the Completion Date as follows:

Commencement Date: INSERT Completion Date: INSERT

The inclusion of a Completion Date or any term length in this Work Order will in no way impact a Party’s rights to terminate this Work Order pursuant to Section 2.2 (Work Order) of the Agreement.

Notwithstanding anything to the contrary as set forth in this Work Order or in the Agreement, it is agreed that the Parties may extend the above specified Completion Date (“CD”) via an email transmission sent by one Party to this Work Order to the other and then acknowledged and agreed to by the other Party via an email reply provided that (1) all other terms of this Work Order, including the pricing or fees set forth herein, will remain in full force and effect, (2) the emails are sent by the then current Project Managers, and (3) no other terms are added or amended by the CD extension. Should the Party receiving the requested CD extension fail to

acknowledge and agree to such extension in a reply then the request shall be void and unenforceable.

4. Project Manager(s) and Relationship Manager(s):

5. Description of Services and Deliverables:

[INSERT CLEAR DESCRIPTION OF THE SERVICES, INCLUDING THE SCOPE OF SERVICES, DELIVERABES (IF ANY) AND WORK PRODUCT (IF ANY) TO BE PROVIDED BY THE SUPPLIER]

6. Applications In Scope: [INCLUDE/REMOVE AS APPLICABLE]

Subject to any restrictions and/or limitation concerning third party use, Citi will provide access to the applications set forth in the table below for the limited purpose of allowing Supplier to perform the Services and provide the Deliverables set forth herein.

Application Name	Technologies	CSI Numbers

7. Deliverable Milestones::

Deliverable		Date

8. Service Location(s):

INSERT THE COMPLETE ADDRESS OF ALL LOCATIONS (SUPPLIER AND CITI LOCATIONS) FROM WHICH SERVICES SHALL BE PROVIDED

Supplier Location(s):		Citi Location(s):

9. Staffing Plan: [INCLUDE/REMOVE AS APPLICABLE]

Supplier will commit and deploy in sufficient number the Personnel required to perform the Services and provide the Deliverables set forth herein. Regardless of the staffing plan, Supplier shall be responsible to perform the Services and provide the Deliverables set forth herein. Supplier shall notify Citi PM and Relationship Manager at least two (2) weeks in advance of any material change to this plan. In no event shall Supplier’s entitlement to assign particular Personnel entitle it to change any Service Location specified herein.

In addition, Supplier will provide ( ) resources for ( ) weeks of planning at the start of the engagement in Citi’s facilities in INSERT CITI LOCATIONS at no charge to Citi. Such resources will be experienced project managers who will be focused on defining the engagement and delivery processes, documenting the Citi environment and requirements, coordinating initial staff interviews and staffing decisions, and creating a forward plan of resource requirements.

10. Key Personnel: [IDENTIFY KEY PERSONNEL IF APPLICABLE]

Role		Location

11. Acceptance Criteria:

[INSERT CLEAR DESCRIPTION OF THE ACCEPTANCE CRITERIA OR INCLUDE PARAGRAPH IMMEDIATELY BELOW] NOTE: THESE CHANGES WERE REQUESTED BY

Citi’s acceptance of any Service or Deliverable shall be based upon its determination, made in its sole discretion, that such Service or Deliverable meets i) the express requirements of this Work Order or any referenced or mutually agreed upon functional, technical design or performance documents, or (ii) if no such document is referenced or mutually agreed upon, then Citi’s technical, business, functional and/or strategic requirements (collectively, hereinafter, the Acceptance Criteria). Should Citi determine that a Service or a Deliverable does not meet any of such requirements, Citi may reject such Service or Deliverable and Citi shall have no obligation to pay the partial payment associated with such Service or Deliverable detailed in the Payment Schedule.

12. Project Fee:

12.1. Supplier will complete all Deliverables and Services contemplated in this Work Order for a maximum, aggregate fee not to exceed $ (“Project Fee Cap”). The Project Fee Cap is inclusive of all expenses incurred by Supplier in conjunction with its performance of the Services and provision of the Deliverables. Supplier will not invoice, and Citi shall not be responsible for payment of, any Project Fees in excess of the Project Fee Cap. Should Citi require additional Services or Deliverables, the Parties will enter into a separate Work Order or amend this Work Order. Citi is under no obligation to spend any minimum amount under this Work Order.

12.2. [INCLUDE THE BELOW ONLY IF SERVICES ARE BEING PROVIDED ON A TIME AND MATERIALS BASIS OR AS APPLICABLE.] Basis for Determining Fees:

Supplier will provide the Services on a time and material basis in accordance with the rates set forth below.

*Supplier’s rates select one: do / do not include travel and living expenses incurred by Supplier in conjunction with its performance of the Services.

[INCLUDE THE BELOW ONLY IF SERVICES ARE BEING PROVIDED FOR A FIXED PRICE OR DELIVERABLE BASED] Payment Schedule:

After Citi has accepted the Services and Deliverables, Supplier shall submit milestone progress logs in Citi’s non employee management system (“NEMS”) in accordance with the following milestone schedule. [MODIFY PROVISION AS NECESSARY IF SUPPLIER WILL NOT BE PAID VIA NEMS]

INSERT PAYMENT SCHEDULE WITH AMOUNT AND APPLICABLE MILESTONES FOR EACH PAYMENT

[INCLUDE THE BELOW ONLY IF SERVICES ARE BEING PROVIDED ON A VOLUME/OUTCOME BASED BASIS.]Basis for Determining Fees:

Supplier will provide the Services on a volume based or outcome based basis in accordance with the unit rates set forth below.

Billing Unit Description (e.g., Ticket, Server Instance)	Billing Unit Rate	Base Volume	Estimated Service Fee	ARC / RRC Rate


Estimated Aggregated Total Fees

“Additional Resource Charge” (or “ARC”) shall mean Supplier’s unit charge for Billable Units consumed in providing the Services that are in excess of the Base Volume at the thresholds indicated in this SOW.

“Reduced Resource Charge” (or “RRC”) shall mean Supplier’s unit charge for Billable Units consumed in providing the Services that are below the Base Volume at the thresholds indicated in this SOW.

ARC and RRC rates for each Billing Unit shall come into effect only when the Base Volume increases or decreases by at least %.

Productivity: The unit rates above will be discounted by % on a yearly basis.

13. Invoicing:

13.1. [INCLUDE THIS PROVISION ONLY IF SERVICES ARE BEING PROVIDED ON A TIME AND MATERIALS BASIS] Supplier Personnel shall enter timesheets weekly into Citi’s time reporting system (e.g., Project Tracking System (“PTS”), Planview, etc.). Invoices are created twice a week in Citi’s non employee management system (“NEMS”) after timesheets are approved by Citi. [MODIFY PROVISION AS NECESSARY IF SUPPLIER WILL NOT BE PAID VIA NEMS]

[INCLUDE THIS PROVISION ONLY IF SERVICES ARE BEING PROVIDED FOR A FIXED PRICE OR DELIVERABLE BASED] Invoices for payment of Services and Deliverables are created in NEMS after milestone progress logs for Deliverable milestones are submitted by Supplier and approved by Citi. [MODIFY PROVISION AS NECESSARY IF SUPPLIER WILL NOT BE PAID VIA NEMS]

13.2. [INCLUDE THIS PROVISION ONLY IF CITI HAS AGREED TO REIMBURSE EXPENSES FOR CANADA, ENSURE ADDRESS IS FOR LOCAL INVOICE PROCESSING] Invoices for reimbursable expenses, if any, must be sent separately to Citi Invoice Processing Center, PO Box 6032, Sioux Falls, SD 57117. A corresponding Purchase Order number for reimbursable expenses under this Work Order will be generated by Citi’s Accounts Payable and must be referenced on each invoice submitted.

14. Rights to Development:

All Deliverables and work product provided in accordance with this Work Order produced by Supplier as a result of performing the Services for Citi shall be the property of, and exclusively owned by, Citi. Citi acknowledges that in developing or providing the Services, Supplier may utilize proprietary methodologies, tools, models, software, procedures, documentation, know-how, and processes that have been owned, licensed, or developed before or during the term of this Work Order by Supplier without access to or use of Citi Confidential Information (“Supplier Materials”). If any Supplier Materials are incorporated into any Work Product or otherwise provided in conjunction with the Services, Supplier will so notify Citi, and Supplier is conclusively deemed to have (at no additional cost) granted to Citi and its Affiliates a perpetual, worldwide, irrevocable, royalty-free, non-exclusive license to: (i) use, execute, reproduce, display, perform, distribute, and prepare derivative works of Supplier Materials in conjunction with the use of the Services (including use of any Deliverable or Work Product), and (ii) authorize or sublicense others from time to time to do any or all of the foregoing. If the performance of any Work Product can be impaired or the Services compromised as a result of a defect or malfunction in Supplier Materials, then Supplier will correct the defect or malfunction at no additional cost to Citi.

15. Service Levels:

[INSERT ALL SERVICE LEVELS, AND SERVICE LEVEL CREDITS (IF ANY) APPLICABLE TO THE SERVICES CONTEMPLATED UNDER THIS WORK ORDER. IF NO SLAS ARE APPLICABLE, PLEASE INDICATE “NONE”]

16. Subcontracting: Will Supplier be using any Subcontractor (defined as a contractor, agent, Supplier, third party or consultant retained by Supplier pursuant to a written agreement, or otherwise used by Supplier) to perform any obligations of Supplier? (check one)

Yes o No o

If Yes, in addition to obtaining the express written approval of the Director of the Resource and Location Strategy Staffing Office, Supplier will be required to sign Citi’s Consent to and Acknowledgement of Supplier’s Use of Designated Subcontractors form prior to using any Subcontractor.

Note to team: How can we incorporate the Contractor Consent Form?

17. List the countries where Citi or any Citi Affiliate is to receive the Services or Deliverables (see Sec. 3.3.1 of the Agreement), or specify “Global,” if applicable:

18. Foreign National Contractor.

To the extent that any of Supplier’s Personnel are providing Services at any Citi location and are not citizens or permanent residents of the country where Services are rendered, then Supplier will ensure that its Personnel complete the Foreign National Contractor Letter of Assurance attached hereto as Exhibit 1. When applicable, the Foreign National Contractor Letter of Assurance should be signed and either (1) attached to this Work Order and made a part hereof as Appendix 1, or (2) shall be signed as part of the Citi onboarding process if not signed at the time the Work Order is executed.

19. Additional Terms and Conditions: [INSERT ANY OTHER REQUIRED TERMS AND CONDITIONS]

19.1. [IF SERVICES ARE BEING PERFORMED / LOCATED IN CANADA OR ARE FOR A CANADIAN LEGAL ENTITY, CITI SHOULD REFER TO “CANADIAN REQUIREMENTS” SET OUT IN THE “ADM EXEMPTION FROM LEGAL REVIEW” GUIDELINES TO DETERMINE IF ANY ADDITIONAL PROVISIONS REQUIRED]

Notwithstanding anything to the contrary contained in the Agreement, to the extent that there is any conflict between the terms of this Work Order and the Agreement, the terms of the Agreement shall govern. Any other term or condition contained in this Work Order that purports to modify, amend or negate a term or condition of the Agreement to Citi’s detriment (in Citi’s reasonable judgment) shall be deemed to be null and void and shall be of no force and effect.

IN WITNESS WHEREOF, the Parties hereto, through their duly authorized officers, have executed this Work Order to the Agreement as of the Effective Date.

By Manual Signature:

Supplier:			Citi:

By:			By:
Name:			Name:
Title:			Title:
Date:			Date:

By Electronic Signature Binding:

For Supplier: By selecting the “I Accept” button below, I am representing that I am an authorized representative of Supplier and am the individual identified in the signature block immediately following this paragraph under the reference to Supplier and that I am entitled and authorized to legally bind Supplier to this Work Order. Supplier agrees that use of a key pad, mouse or other device by its authorized representative to select the “I Accept” button below will be deemed to be a valid and due execution of this Work Order by Supplier with the same force and effect as if Supplier had manually signed this Work Order. If Supplier does not agree that its electronic selection of the “I Accept” button below will bind Supplier to the terms and conditions of this Work Order as it exists on the date hereof, then do not select the “I Accept” button below.		For Citi: By selecting the “I Accept” button below, I am representing that I am an authorized representative of Citi and am the individual identified in the signature block immediately following this paragraph under the reference to Citi and that I am entitled and authorized to legally bind Citi to this Work Order. Citi agrees that use of a key pad, mouse or other device by its authorized representative to select the “I Accept” button below will be deemed to be a valid and due execution of this Work Order by Citi with the same force and effect as if Citi had manually signed this Work Order. If Citi does not agree that its electronic selection of the “I Accept” button below will bind Citi to the terms and conditions of this Work Order as it exists on the date hereof, then do not select the “I Accept” button below.

*I Accept : {{[]_es_:signer1}}**		*I Accept: {{[]_es_:signer2}}**
Supplier:		Citi:
eSign: {{_es_:signer1:signature }}		eSign: {{_es_:signer2:signature }}
Name: {{_es_:signer1:fullname }}		Name: {{_es_:signer2:fullname }}
Email: {{_es_:signer1:email }}		Email: {{_es_:signer2:email }}
Date: {{_es_:signer1:date }}		Date: {{_es_:signer2:date }}

Exhibit 1 to Appendix 3.2 — Foreign National Contractor Letter of Assurance (LOA E5)

(Export Control Laws)

To be completed by Individual Contractors and Consultants, mandatory for Foreign Nationals, same form can be used for all contractors/consultants if desired.

I hereby acknowledge that as a condition for me being engaged by Citigroup, Inc. or one of its subsidiaries (collectively “Citi”), I must agree, and I do hereby agree, to comply with the laws and regulations of all of countries in which Citi conducts operations, and with the corporate policies and procedures promulgated by Citi that are designed to adhere to all such laws and regulations. Without limiting the generality of the foregoing, I specifically agree to comply with all laws and regulations that regulate the importation or exportation of goods and technologies, and in particular, to comply with the Export Administration Regulations of the United States as they pertain to any technical data, computer software, or any product (or any part thereof), process, or service that is the direct product of any such technical data or computer software (hereinafter referred to collectively or individually without distinction as “Export Controlled Products”) to which I have access while engaged by Citi. In order to ensure my compliance, I shall not disclose, export, re-export or otherwise transfer (directly or indirectly) any Export Controlled Products without having first verified that Citi has received such prior written authorization from the U.S. Department of Commerce or other appropriate agencies as may be required by applicable law or regulations. In addition, if I have any questions about any restrictions established by any applicable export control laws of any country, I will contact a Citi Export License Coordinator.

I acknowledge that the Export Administration Regulations of the United States prohibit the disclosure, exportation or re-exportation (directly or indirectly) of any Export Controlled Products: (i) to any country, or to any citizens or residents of any country, that is included within Country Group E on Supplement No.1 to 15 CFR chapter VII, subchapter C, part 740, as such Supplement No. 1 currently exists or may hereafter be amended from time to time (hereinafter, Supplement No.1”), or (ii) to any country, or to any citizens or residents of any country, that is included within Country Group D:1 on Supplement No.1, if the Export Controlled Product is destined to a military end user or intended for any military use. I have been advised that a current version of Supplement 1 may be viewed by: (i) accessing the web site located at http://www.access.gpo.gov/bis/ear/ear_data.html, (ii) scrolling down to “Part 740Spir - Supplement No. 1 to Part 740, Country Groups”, and (iii) clicking on the Download Format preferred.

I also acknowledge that certain computer software to which I may have access while engaged by Citi may contain encryption functionality controlled for “EI” purposes by the U.S. Department of Commerce, and that such computer software is subject to additional export control restrictions. Accordingly, in addition to the other obligations assumed above with regard to the disclosure, exportation or re-exportation of Export Controlled Products, I specifically agree (i) not to use any computer software containing encryption functionality for any purpose other than for Citi’s internal use (which may include the development of new computer software products), and (ii) not to disclose, export, re-export or otherwise transfer any computer software containing encryption functionality outside Citi or to any other destination or end user outside the United States or Canada without first verifying that such an export is legally authorized by regulation or by license.

I further acknowledge and agree that the obligations assumed under this Assurance of Compliance shall be binding upon me during my term of engagement with Citi and shall continue to bind me thereafter, and that my failure to comply with the requirements and restrictions set forth herein may expose me and Citi to severe criminal and administrative penalties and sanctions. In addition, subject to applicable laws, I understand that any such failure by me shall constitute grounds for disciplinary action by Citi, including immediate termination of my Citi engagement.

I understand that the personal information requested below is being collected only to assist Citi in complying with U.S. export control laws. Depending on the information provided, there may be further steps that Citi will take to ensure compliance with such laws. I understand that I may be required to work on matters that do not involve Export Controlled Products or the computer software described above until Citi confirms compliance with all such laws, but that the disclosure of the information below will have no other effect on my engagement with Citi.

I consent to the disclosure of the information provided below by Citi to U.S. government officials for the purposes of complying with U.S. export control laws.

Nationality and/or Residency Status:

a) Country of Citizenship: Date:

b) Type of Visa (as appl) : Date:

Permanent Resident of: Date:

Important Note: Please ensure you submit a revised form when any details change.

Signature:

Print Name:

Date:

GEID/SAID :

CONFIDENTIAL

Appendix 3.3.1 — Local Country Addenda

Legal and Regulatory Requirements - Asia Pacific; Canada; EMEA Region

(LCA Master for APAC — Version Date: 8 May 2013)

INDEX

Schedule	Country	Version	Effective Date
A.	AUSTRALIA	2	9 December 2011
B.	BANGLADESH	1	Revalidated: 21 March 2013
C.	BRUNEI	—	January 2009
D.	CHINA	1	Revalidated: 22 March 2013
E.	GUAM	1	Revalidated: 12 April 2013
F.	HONG KONG	2	23 January 2013
G.	INDIA	2	22 April 2013
H.	INDONESIA	1	13 November 2011
I.	JAPAN	1	6 June 2011
J.	KOREA	1	6 October 2011
K.	MACAU	1	16 January 2012
L.	MALAYSIA	3	20 December 2012
M.	NEW ZEALAND	1	Revalidated: 15 April 2013
N.	PHILIPPINES	1	9 May 2011
O.	SINGAPORE	3	30 April 2012
P.	SRI LANKA	1	Revalidated: 6 May 2013
Q.	TAIWAN	3	25 April 2013
R.	THAILAND	1	Revalidated: 20 March 2013
S.	VIETNAM	1	Revalidated: 17 January 2013
T.	CANADA
U.	EMEA

SCHEDULE A — AUSTRALIA LAW REQUIREMENTS

(Version 2 — 9 December 2011)

A. CONTINGENCY PLAN/CONTINUITY OF BUSINESS

Supplier must maintain a Continuity of Business Plan. The Continuity of Business Plan must enable Supplier to provide the Services and comply with the terms of the Agreement, notwithstanding an event that disrupts, impairs or prevents Supplier from otherwise providing the Services or complying with its obligations thereunder.

The Business Continuity Plan must include procedures to ensure that Supplier is able to provide the Services and otherwise comply with its obligations under the Agreement, notwithstanding that an agent, consultant or contractor of Supplier is incapable of providing the Services to Supplier. The Continuity of Business Plan must be: (a) based upon a formal assessment of the applicable risks; (b) reviewed and updated on a regular basis and at least annually; (c) tested at least annually; and (d) subject to quality assurance review at least annually.

B. APRA

Where Citi is supervised by the Australian Prudential Regulation Authority (“APRA”), APRA may require information from Citi or Supplier about the Services, Supplier or the Agreement.

Supplier will give APRA any information relating to the Agreement as soon as possible after Citi or APRA asks Supplier to do so. Supplier will promptly inform Citi as soon as practicable after APRA asks Supplier to provide information under this Section.

Supplier will permit APRA to conduct any on-site visit of Supplier’s premises that is necessary to APRA’s role as prudential supervisor of Citi. If APRA notifies Citi of its intention to conduct an on-site visit of Supplier’s premises, Citi will promptly notify Supplier. Where APRA conducts an on-site visit of Supplier’s premises, Supplier must not disclose or advertise that APRA has conducted such a visit without the prior written consent of Citi.

Supplier will use its best endeavours to satisfy APRA about any questions or concerns it may raise about the Services.

Supplier agrees that the existence of, and any information relating to, any investigation, question or concern raised by APRA about the services provided by Supplier to Citi or in relation to Citi, is Confidential Information.

C. DO NOT CALL REGISTER ACT AND TELECOMMUNICATIONS ACT OBLIGATIONS

Where telemarketing call services make up any part of the Services provided by Supplier to Citi under the Agreement, Supplier must comply with the: (i) Do Not Call Register Act 2006 (Cth); and Part 6 of the Telecommunications Act 1997 (Cth), and take all reasonable steps to ensure that its employees, agents and Subcontractors comply with these Acts.

Where fax marketing services make up any part of the Services provided by you to Citi under the Agreement, you must comply with Part 6 of the Telecommunications Act 1997 (Cth), and take all reasonable steps to ensure that your Personnel comply with that Act.

D. TAXES

Other than as specified below, Supplier will be responsible for all taxes of any kind in connection with the provision of Services under the Agreement. For the purposes of this clause, “Consideration”, “Creditable

Acquisition”, “GST”, “Input Tax Credit”, “Recipient”, “Supply”, “Tax Invoice” and “Taxable Supply” have the same meaning as in the GST Act.

1. This clause applies if one party (the supplier) makes a Taxable Supply to another party (the Recipient) and the Consideration for that Supply (apart from any payable under this clause) is not expressed to be inclusive of GST.

2. If this clause applies, the Recipient must pay the supplier an additional amount on account of GST.

3. The additional amount payable on account of GST is, generally, equal to the Consideration for that Supply (apart from any payable under this clause) multiplied by the prevailing GST rate.

4. To the extent that the Consideration for the Supply (other than that payable under this clause) is payable as a reimbursement for an expense incurred by the supplier as a result of a Creditable Acquisition it makes, the additional amount will be calculated by:

(i) first reducing the Consideration for that Creditable Acquisition by any Input Tax Credit to which the supplier is entitled on making the Creditable Acquisition; and

(ii) then applying the prevailing GST rate to that reduced amount.

5. The additional amount is to be paid when the Recipient pays or provides any of the Consideration for the Supply, provided always that such amount will only be payable if a Tax Invoice for the Supply is provided to the Recipient.

E. LEGALLY REQUIRED DISCLOSURES

Where Supplier is required to disclose Citi Confidential Information under any applicable law, regulation or an order from a court, regulatory agency or other governmental authority having competent jurisdiction, and is further required to notify Citi of the order, Supplier must promptly send a copy of the order and accompanying documentation by facsimile transmission to the General Counsel, Citigroup Pty Limited, +612 8225 5238.

F. ADDITIONAL TERMINATION RIGHTS

In addition to any right available to Citi under the Agreement, Citi may terminate the Work Order immediately upon the occurrence of an “Event of Default” by Supplier. Any right of termination will not limit Citi from exercising any other rights or remedies it may have at law or in equity.

For the purposes of this clause F, “Event of Default” means the occurrence of any one of the following:

(i) a representation or warranty of Supplier is false or misleading in any material respect when it was made;

(ii) Supplier:

a. suspends payment of its debts generally;

b. becomes insolvent within the meaning of the Corporations Act 2001;

c. enters into or resolve to enter into any arrangement, composition or compromise with, or assignment for the benefit of, its creditors or any class of them;

d. has a receiver, receiver and manager, controller, managing controller, administrator, official manager, trustee of provisional or official liquidator appointed over its assets and/or undertakings; or

e. is the subject of an application that is filed or an order that is made or a resolution that is passed for its winding up or dissolution other than for the purposes of reconstruction or amalgamation.

G. SCOPE OF SERVICES

Unless expressly stated in the Work Order, Supplier agrees that:

(i) the Agreement and/or Work Order is not an exclusive arrangement between Citi and Supplier;

(ii) Citi may purchase services similar to the Services from other suppliers; and

(iii) Citi does not commit to purchase any volume or dollar amount of Services.

H. GOVERNING LAW AND JURISDICTION

Notwithstanding any term to the contrary in the Agreement and/or Addendum, the governing law and jurisdiction clause as it applies to Work Orders entered into by Affiliates and branches of Citibank, NA located in Australia, is varied as follows: “The validity of this Agreement as it applies to the Work Order, the construction and enforcement of its terms, and the interpretation of the rights and duties of the parties to the Work Order shall be governed by the laws of New South Wales, Australia. The Parties to the Work Order submit to the non-exclusive jurisdiction of the courts of New South Wales and of the Commonwealth of Australia.”

vL20111209(M.Forde)

SCHEDULE B — BANGLADESH LAW REQUIREMENTS

(Version 1 — revalidated 21 Mar 2013)

1. Audit and Inspection.

a. Supplier agrees that the Services it performs for Citi are subject to examination and regulation of the OCC, Bangladesh Bank, Securities and Exchange Commission of Bangladesh, or any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them.

b. Notwithstanding any of the provisions stated in this Agreement, Supplier shall under no circumstances be required to comply with any request for access and/or to grant access to any party, to any information other than the information of Citi and/or Citi’s customers / employees transferred to, stored at or processed by Supplier pursuant to this Agreement. Supplier is also not required to comply with any advice or request for any information or for inspection or audit where such request or advice would entail access to any other information in the custody of Supplier.

2. Restriction on type of Services to be provided by Supplier.

a. The Services to be provided by Supplier is subject to the approval from Bangladesh regulators and the Compliance and Legal Counsel of Citi. The approval by the Compliance and Legal Counsel shall give clearance for services to be provided by Supplier based on the necessary approval obtained from the relevant regulators and will take necessary diligence of laws and regulations as mentioned herein.

b. Pursuant to Section 12 of the Bank Companies Act (1991), Citi shall not remove and/or transfer any records and/or documents (including any information retained by electronic means) relating to Citi’s business to a place outside Bangladesh, without the prior permission in writing of the Bangladesh Bank. Similar approvals may be required from other applicable regulatory authorities of Citi. For example: Section 19 of The Securities and Exchange Ordinance, 1969, Section 35 (e) (f) of The Merchant Banking Rules, Section 11 of The Custody Rules 2003 restrict sharing customers’ information without Securities and Exchange Commission approval.

c. Citi should also obtain consent from relevant parties such as its own customers, employees or vendors whose data or information would be required to be transferred outside its local branch.

3. Restriction on the removal/transfer of Citi’s records/documents by Supplier and its Subcontractors.

a. Supplier and its Affiliates shall not transfer and/or allow access to Citi’s records and/or documents (including any memory dump), to any other party, outside the premises of Supplier and its Affiliates, without ensuring Citi standard information security measures being in place. Supplier shall inform Citi’s Branch Information Security Officer (BISO) of such actions giving details of security measures taken.

4. Restriction on the remittance of fees by Citi to any person resident outside Bangladesh.

a. Pursuant to Section 5 of the Foreign Exchange Regulation Act 1947, Citi shall not remit any fees or any other payment to Supplier even if any such payment is required by this Agreement. Citi shall only make such payment if there is a specific prior approval of the Bangladesh Bank.

V20111005(Shamiun)/reval20130521(Shamiun)

SCHEDULE C — BRUNEI DARUSSALAM LAW REQUIREMENTS

(Version as of January 2009)

For the purposes of each Work Order made between Supplier and Citi or any Citi Affiliate in Brunei Darussalam (“Citi Brunei”) the following wording shall be added to the Master Agreement and the Work Order, as applicable:

1. Continuity of Business Plan

1.1 Citi and Supplier acknowledge and agree that the Continuity of Business Plan agreed by the Parties under the Master Agreement addresses the following requirements as applicable to the Services provided to Citi Brunei:

1.1.1 recovery time objectives; and

1.1.2 resumption operating capacities.

1.2 Supplier shall test the Continuity of Business Plans in relation to the Services and all identified Service Locations used by it in connection with the Continuity of Business Plans for servicing Citi Affiliates and Citi Brunei on a regular basis and notify Citi Brunei of any test finding that may affect Supplier’s provision of the Services and/or the performance of its obligations as set out in the Master Agreement and/or Work Order.

1.3 In the event that such test(s) on the Continuity of Business Plan in relation to the Services are reasonably required by Citi Brunei in connection with the testing of its own business continuity plan, Supplier shall co-operate fully with Citi Brunei to ensure that such test(s) are carried out as soon as reasonably practicable and accurately in accordance with Citi Brunei’s reasonable requirements. This is subject to Citi Brunei providing to Supplier the relevant information pertaining to such requirements, in advance of the tests to be conducted.

1.4 If Supplier makes any significant change(s) to the Continuity of Business Plan or there are any adverse developments that may significantly impact the Services, it shall notify Citi Brunei in writing and provide a full description of such significant change(s) and/or adverse developments promptly and if such information is not immediately available, within a reasonable time frame agreeable to Citi Brunei.

1.5 Supplier shall at all times be capable of segregating and clearly identifying all of Citi Brunei’s information, documents, records and assets such that in adverse conditions, all documents, records of transactions and information given to Supplier, and assets of Citi Brunei, can be either removed from the possession of Supplier in order to continue its business operations, or deleted, destroyed or rendered unusable.

1.6 Supplier agrees to comply with identified and mutually agreed business continuity requirements of Citi Brunei, subject to the Change Control Procedures.

2. Termination

2.1 Pursuant and subject to the cure provisions of Section 2.2.2(a)(i) of the Master Agreement, Citi Brunei shall have the right to terminate a Work Order without penalty by giving written notice in the event that there has been a breach of security, confidentiality or a demonstrable deterioration in the ability of Supplier to safeguard the confidentiality of Citi Brunei’s Citi Information as defined below.

2.2 Upon the occurrence of the events specified in Sections 2.1.2(c) and 2.1.2(d) of the Master Agreement, Citi Brunei shall have the right to terminate a Work Order immediately without the payment of any penalty, cost or termination fees.

2.3 In the event of the expiration, cancellation, completion, or termination of a Work Order, Supplier shall return to Citi Brunei all property, materials, Citi Confidential Information and copies thereof belonging to Citi Brunei then in the possession, power and control of Supplier, its Affiliates or any Supplier Personnel and, subject to Supplier’s obligations under Section 2.3 of the Master Agreement, Citi Brunei shall return to Supplier all property, Supplier Materials and Supplier Confidential Information and copies thereof belonging to Supplier then in possession of Citi Brunei, subject to Section 2.4 of the Master Agreement.

2.4 Termination of the Master Agreement or a Work Order, as applicable, pursuant to its terms, in whole or in part, for any reason, shall not affect any liabilities or obligations of either Party arising before such termination or out of the events causing such termination, or any damages or other remedies to which a Party may be entitled under the Master Agreement or such Work Order, at law or in equity, arising from any breaches of such liabilities or obligations.

3. Confidentiality and Security

3.1 Notwithstanding Article 13 of the Master Agreement, Supplier shall not, without Citi Brunei’s prior written consent, disclose Citi Confidential Information relating to Citi Brunei (“Citi Brunei Confidential Information”) provided pursuant to any Work Order in any manner except as expressly authorized by the Work Order. For the purposes of this Local Country Addendum, Citi Brunei Confidential Information shall include all tangible or intangible information and materials, in any form or medium (and without regard to whether the information is owned by Citi Brunei or by a third party), that is furnished or disclosed to Supplier by Citi Brunei (including Citi Information) where “Citi Information” shall be as defined in Appendix II to this Local Country Addendum. Except for “Citi Information”, the exceptions to confidentiality set forth in Section 13.8 of the Master Agreement apply to Citi Brunei Confidential Information.

3.2 As between Supplier and Citi Brunei, all Citi Brunei Confidential Information disclosed to Supplier shall remain the property of Citi Brunei.

3.3 Supplier shall at all times be capable of segregating and clearly identifying all of Citi Brunei Confidential Information. Supplier shall take technical, Personnel and organizational measures in order to maintain the confidentiality of Citi Brunei Confidential Information between its various customers.

3.4 In addition to the provisions of Section 13.2.1 of the Master Agreement, Supplier shall notify Citi Brunei if any overseas regulator or authority were to seek access to Citi Brunei Confidential Information or if a situation were to arise where Supplier becomes aware that the rights of access of Citi Brunei, Citi Brunei’s Regulator or any other Regulatory Bodies have been restricted or denied.

3.5 Where Supplier provides Services to a Citi Brunei entity that is subject to the Banking Order 2006 of Brunei Darussalam, (a summary of the laws and regulations of Brunei Darussalam is set out in Appendix I to this Local Country Addendum) the following provisions shall apply:-

3.5.1 Supplier hereby acknowledges receipt of a written notice from Citi Brunei highlighting Citi Brunei’s obligations of confidentiality under the Banking Order 2006 of Brunei Darussalam and under common law. The written notice is attached hereto as Appendix II to this Local Country Addendum.

3.5.2 Supplier agrees to execute the Confidentiality and Secrecy Undertaking in the form specified in Appendix III to this Local Country Addendum and Supplier hereby acknowledges that it is made aware and understands the effect of, and agrees and undertakes to, and to procure all its Personnel to observe all precautionary measures and prevent disclosure of Citi Brunei Confidential Information other than as expressly authorized by Citi Brunei pursuant to the applicable Work Order.

3.5.3 Supplier further agrees and undertakes that it will comply with the confidentiality obligations imposed by this Master Agreement and this Local Country Addendum and will ensure that its Personnel will comply therewith and with any provision of Section 58 of the Banking Order 2006 of Brunei Darussalam as applicable to the Services provided by Supplier, subject to the other provisions of this Master Agreement, this Local Country Addendum and the applicable Work Order.

3.5.4 Supplier shall procure the execution of the Confidentiality and Secrecy Undertaking in the form specified in Appendix IV to this Local Country Addendum by each of Supplier’s Personnel (and their Personnel) appointed or to be appointed in connection with the Work Order and/or to perform the Services or part thereof for and on behalf of Supplier.

3.5.5 Supplier and its Personnel shall not without Citi Brunei’s prior written consent or express authorization pursuant to the applicable Work Order, further disclose Citi Information (as defined in Appendix II) to any third parties unless required to do so by law. For the avoidance of doubt, Supplier’s Affiliate shall be considered a third party for the purposes of this Clause.

4. Assignment and Sub-Contracting

4.1 Notwithstanding anything to the contrary in Section 19.1 or Section 19.2 of the Master Agreement, Supplier shall not assign, outsource or subcontract any or all of its obligations set forth in the Work Order to any third parties without the prior written consent of Citi Brunei. For the avoidance of doubt, Supplier’s Affiliate shall be considered a third party for the purposes of this Clause.

5. Extension of Citi’s rights and benefits under the Master Agreement to Citi Brunei

5.1 Without limiting Citi’s or Citi Brunei’s rights under the Master Agreement or any Work Order, the Parties agree that all rights and benefits granted to Citi pursuant to Articles 6, 14 (except Section 14.4), 18 (except the second paragraph) and 26, and pursuant to Sections 4.3; 4.10.6; 4.18; 4.19 and 5.4 of the Master Agreement shall apply to Citi Brunei. The references to Citi in the Articles and Sections mentioned in this paragraph shall be read and construed as references to Citi Brunei and Citi Brunei may independently exercise the rights (without reference to Citi) and is entitled to the benefits as conferred by the respective sections.

6. Identification of Personnel

6.1 Supplier shall ensure that when entering or within a Citi Brunei location, all Supplier Personnel must establish their identity to the satisfaction of security personnel and comply with all directions given by them, including directions to display any identification cards provided by Citi Brunei or to vacate the premises of Citi Brunei.

APPENDIX I — LAWS AND REGULATIONS OF BRUNEI DARUSSALAM

Banking Secrecy under the Banking Order 2006 of Brunei Darussalam (the “Order”)

Sections 58(1), (2), (5), (6) and (7) of the Order are set out below:

(1) Customer information shall not, in any way, be disclosed by a bank in Brunei Darussalam or any of its officers to any other person except as expressly provided in this Order.

(2) A bank in Brunei Darussalam or any of its officers may, for such purpose as may be specified in the first column of the Third Schedule disclose customer information to such persons or class of persons as may be specified in the second column of that Schedule, and in compliance with such conditions as may be specified in the third column of that Schedule.

(5) Any person (including, where the person is a body corporate, an officer of the body corporate) who receives customer information referred to in Part II of the Third Schedule shall not, at any time, disclose the customer information or any part thereof to any other person, except as authorized under that Schedule or if required to do so by an order of court.

(6) Any person who contravenes subsection (1) or (5) is guilty of an offence and liable on conviction to a fine not exceeding $150,000, imprisonment for a term not exceeding 3 years or to both.

(7) In this section and in the Third Schedule, unless the context otherwise requires —

(a) where disclosure of customer information is authorized under the Third Schedule to be made to any person which is a body corporate, customer information may be disclosed to such officers of the body corporate as may be necessary for the purpose for which the disclosure is authorized under that Schedule; and

(b) the obligation of any officer or other person who receives customer information referred to in Part II of the Third Schedule shall continue after the termination or cessation of his appointment, employment, engagement or other capacity or office in which he had received customer information.

Under the Third Schedule, Part II, paragraph (3) of the Order, where the operational functions of the bank have been outsourced, the bank may make disclosure of customer information to any person engaged by the bank to perform the outsourced functions, solely in connection with the performance of the outsourced functions. Where any outsourced function is to be performed outside Brunei Darussalam, the disclosure is further subject to the conditions in any Notice issued by the Regulator of Citi Brunei and notified to Supplier or otherwise imposed by the Regulator.

Pursuant to Section 7 of the Letter dated 2nd July 2008 addressed by the Regulator to the Brunei Association of Banks, whenever a foreign bank wishes to outsource its branch functions to its head office/regional office, and incur head office expenses of a material nature, it is necessary, inter alia, for reasons of ensuring confidentiality of Customer Information, to obtain the prior approval of the Regulator.

Pursuant to the outsourcing guidelines attached to the letter from the Regulator to Citi Brunei dated 22 December 2008, Citi Brunei is required to obtain prior approval of the Regulator if it is planning or has entered into a material outsourcing or plan to vary such outsourcing. Citi Brunei is also required to comply with any regulations, conditions and guidelines issued from time to time by Citi Brunei’s Regulators.

APPENDIX II — BANKING SECRECY UNDER THE BANKING ORDER 2006 OF BRUNEI DARUSSALAM AND BANK’S DUTY OF CONFIDENTIALITY UNDER COMMON LAW

This notice is given to you pursuant to Section 58 read with Third Schedule, Part II, paragraph (3), of the Banking Order 2006 of Brunei Darussalam (the “Order”)

Banking Secrecy under the Banking Order

Under the Order, and in particular Sections 58(1), (2), (5), (6) and (7) which are set out below:

(1) Customer information shall not, in any way, be disclosed by a bank in Brunei Darussalam or any of its officers to any other person except as expressly provided in this Order.

(2) A bank in Brunei Darussalam or any of its officers may, for such purpose as may be specified in the first column of the Third Schedule, disclose customer information to such persons or class of persons as may be specified in the second column of that Schedule, and in compliance with such conditions as may be specified in the third column of that Schedule.

(6) Any person who contravenes subsection (1) or (5) is guilty of an offence and liable on conviction to a fine not exceeding $150,000, imprisonment for a term not exceeding 3 years or to both.

(7) In this section and in the Third Schedule, unless the context otherwise requires —

(b) the obligation of any officer or other person who receives customer information referred to in Part II of the Third Schedule shall continue after the termination or

cessation of his appointment, employment, engagement or other capacity or office in which he had received customer information.

Under the Third Schedule, Part II, paragraph (3) of the Order, where the operational functions of the bank have been outsourced, the bank may make disclosure of customer information to any person engaged by the bank to perform the outsourced functions, solely in connection with the performance of the outsourced functions. Where any outsourced function is to be performed outside Brunei Darussalam, the disclosure is further subject to the conditions in the Notice or otherwise imposed by the Regulator of Citi Brunei.

Please note that under Section 58(5), neither you nor any of your officers who receive customer information in connection with the performance of the outsourced functions shall disclose the customer information or any part thereof to any other person, unless required to do so by an order of court.

Bank’s Duty of Confidentiality under Common Law

Under common law, there is a duty on the part of a bank to keep information relating to the affairs of the customer confidential. This duty of confidentiality arises by virtue of the banker and Citi Brunei relationship and is implied by law. Subject to certain general exceptions, the bank’s duty to keep such information confidential continues even after the termination of the banker and customer relationship.

“Citi Information” shall be as referred to in the Banking Order, 2006 of Brunei Darussalam and shall include (but is not limited to):-

(a) any information relating to, or any particulars of, an account of a customer of Citi Brunei, whether the account is in respect of a loan, investment or any other type of transaction; or

(b) any information relating to (i) any deposit of a customer of Citi Brunei; (ii) any funds or assets of a customer (whether of Citi Brunei or any financial institution) placed with Citi Brunei for the purpose of management or investment by Citi Brunei; or (iii) any safe deposit box maintained by, or any safe custody arrangements made by, a customer with Citi Brunei.

APPENDIX III - LAWS AND REGULATIONS OF BRUNEI DARUSSALAM

CONFIDENTIALITY AND SECRECY UNDERTAKING (FOR SUPPLIER)

I, , (“Supplier”) and (“Citi Brunei”) have entered into the Work Order dated [ ] (the “Work Order”) pursuant to the Amended and Restated Master Professional Services Agreement between [insert Supplier name], an corporation, and Citigroup Technology, Inc. dated (the “Master Agreement”). By the execution of this Confidentiality and Secrecy Undertaking, Supplier confirms that Supplier has been notified and that Supplier understands the effect of:

a. Citi Brunei’s common law duty to its customers to keep affairs of the customers of the bank confidential; and

b. Citi Brunei’s statutory duty pursuant to Section 58 of the Banking Order, 2006 not to disclose any “Citi Information” as defined below to any person except as expressly provided therein;

and undertakes to, and to procure all the Personnel to observe and prevent disclosure of Citi Brunei’s Confidential Information (as defined below) other than as expressly authorised by Citi Brunei pursuant to the applicable Work Order.

Supplier agrees to treat information and materials received or otherwise obtained from Citi Brunei as confidential, and to exercise at least the same degree of care with respect to Citi Brunei Confidential Information that Supplier would exercise to protect its own confidential information from unauthorized disclosure or use. As a condition to my performing any services for Citi Brunei, Supplier agrees to abide by the obligations of confidentiality, which include the following:

1. not to disclose Citi Brunei Confidential Information, except to other employees of and to contractors or third parties engaged by Supplier on a “need to know” basis if expressly authorised by Citi Brunei pursuant to the applicable Work Order and only to the extent necessary to fulfill its obligations under the Agreement and/or Work Order;

2. not to reproduce Citi Brunei’s Confidential Information in any media without the express written approval of Citi Brunei or unless expressly authorised by Citi Brunei pursuant to the applicable Work Order;

3. not to remove or transmit Citi Brunei Confidential Information from Citi Brunei’s premises without Citi Brunei’s express prior written consent or unless expressly authorised by Citi Brunei pursuant to the applicable Work Order;

4. not to remove any copyright or other proprietary notice or indication of confidentiality contained on or included in any item of Citi Brunei Confidential Information; and

5. to reproduce any copyright or other proprietary notice or indication of confidentiality on any reproduction, modification or translation of such Citi Brunei Confidential Information.

Supplier agrees that for purposes of this Confidentiality and Secrecy Undertaking, “Citi Brunei Confidential Information” shall mean and include all tangible or intangible information and materials, in any form or medium (including “Citi Information” as defined below and without regard to whether the information is owned by Citi Brunei or by a third party), that is furnished or disclosed to Supplier or any of its Personnel by Citi Brunei, or otherwise obtained by Supplier or any of its Personnel from Citi Brunei. Except for “Citi Information” the exceptions to confidentiality set forth in Section 13.8 of the Master Agreement applies to Citi Brunei Confidential Information.

“Customer Information” shall be as referred to in the Banking Order, 2006 of Brunei Darussalam and shall include (but is not limited to):-

(a) any information relating to, or any particulars of, an account of a customer of Citi Brunei, whether the account is in respect of a loan, investment or any other type of transaction; or

Supplier confirms that Supplier is made aware of and agrees to observe the provisions contained in Section 58 of the Banking Order of Brunei Darussalam as they may apply to the Services provided by Supplier to Citi Brunei.

By signing this Confidentiality and Secrecy Undertaking, Supplier intends for Citi Brunei to rely upon Supplier’s adherence to the obligation of confidentiality set forth above in permitting Supplier to work on the project contemplated by the Master Agreement and the Work Order.

Signed For and on behalf of Supplier
by:			In the presence of:



Name:			Name:

Date:			Date:

APPENDIX IV - LAWS AND REGULATIONS OF BRUNEI DARUSSALAM

CONFIDENTIALITY AND SECRECY UNDERTAKING

(for Supplier’s employees/agents/servants/Personnel)

I, , acknowledge that (“Supplier”) and (“Citi Brunei”) have entered into the Work Order dated [ ] (the “Work Order”) pursuant to the Master Services Agreement between [insert Supplier name], an corporation, and Citigroup Technology, Inc. dated (the “Master Agreement”).

I have been advised by Supplier that under the Master Agreement, Supplier has agreed to treat information and materials received or otherwise obtained from Citi Brunei as confidential, and to exercise at least the same degree of care with respect to Citi Brunei Confidential Information (as defined below) that Supplier exercises to protect its own confidential information from unauthorized disclosure or use.

I have been further advised by Supplier that as a condition to my performing any services for Citi Brunei, I must agree, and I do hereby agree, to abide by the obligations of confidentiality assumed by Supplier, which include the following:

1. not to disclose Citi Brunei’s Confidential Information, except to other employees of Supplier on a “need to know” basis or to third parties if expressly authorised by Citi Brunei pursuant to the applicable Work Order and only to the extent necessary to fulfill Supplier’s obligations under the Master Agreement and the Work Order;

2. not to reproduce Citi Brunei Confidential Information in any media without the express written approval of Citi or unless expressly authorised by Citi Brunei pursuant to the applicable Work Order;

4. not to remove any copyright or other proprietary notice or indication of confidentiality contained on or included in any item of Citi Brunei’s Confidential Information; and

5. to reproduce any copyright or other proprietary notice or indication of confidentiality on any reproduction, modification or translation of such Citi Brunei’s.

I agree that for purposes of this Confidentiality and Secrecy Undertaking, “Citi Brunei’s Confidential Information” shall mean and include all tangible or intangible information and materials, in any form or medium (including “Citi Information” as defined below without regard to whether the information is owned by Citi Brunei or by a third party), that is furnished or disclosed to Supplier or any of its Personnel by Citi Brunei, or otherwise obtained by Supplier or any of its Personnel from Citi Brunei.

“Citi Information” shall be as referred to in the Banking Order, 2006 of Brunei Darussalam and shall include (but is not limited to):-

(a) any information relating to, or any particulars of, an account of a customer of Citi Brunei, whether the account is in respect of a loan, investment or any other type of transaction; or

I am aware that the Master Agreement provides for the exclusion of certain types of information and materials from the definition of “Confidential Information”; however, I shall treat all Citi Brunei’s Confidential Information as “Confidential Information”.

I confirm that I am aware of and agree to observe the provisions contained in Section 58 of the Banking Order of Brunei Darussalam.

By signing this Confidentiality and Secrecy Undertaking, I intend for both Supplier and Citi Brunei to rely upon my adherence to the obligation of confidentiality set forth above in permitting me to work on the project contemplated by the Master Agreement and the Work Order.

Signed by:						In the presence of:



Name:						Name:

NRIC or Passport No:						NRIC or Passport No:

Nationality:						Nationality:

Date:						Date:

100

SCHEDULE D — CHINA LAW REQUIREMENTS

(Version 1 — revalidated 22 Mar 2013)

1. Cooperation for Outsourcing Due Diligence

Prior to the outsourcing of any Services by Citi to Supplier, Supplier shall reasonably cooperate with Citi to fulfill all legal and regulatory requirements in respect of the Services for the purpose of Citi’s due diligence of Supplier.

2. Audit and Inspection Right

2.1 Citi, its auditors, or its authorized regulator shall have the right to audit Supplier to ensure compliance with the Master Agreement and/or the relevant Work Order in relation to the Services. Supplier shall cooperate with Citi’s internal and external auditors and regulators. Supplier shall keep complete and accurate records of all of its work and expenses in providing the Services to Citi for a period not less than two (2) years from the date which the record was created or such other longer period as requested by Citi in writing.

2.2 Supplier shall require any Subcontractor appointed (if applicable) to also maintain complete and accurate records of all of its work and expenses in relation to the Service subcontracted to it. Supplier shall ensure and procure that these requirements are set forth in its arrangements with any Subcontractor.

2.3 Supplier shall allow Citi, its auditors and/or its regulators to (i) to obtain records and documents of transactions and information of Citi given to, stored at or processed by Supplier, (ii) access any report and findings made on Supplier in conjunction with the Services performed for Citi, (iii) access to the business premises of Supplier in the exercise of its rights herein; and (iv) inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services.

3. Cross-border Outsourcing(1)

3.1. For any cross-border outsourcing, Supplier shall be, and shall ensure its sub-contractor(s) be in one of the countries or jurisdictions set forth in the attached Appendix A, representing those countries or jurisdictions where the regulator(s) have signed a memorandum of understanding or other agreement (the “MOU”) with PRC banking regulators. No cross-border outsourcing shall take place in any country or jurisdiction not listed in the attached Appendix A without the prior written consent of Citi.

(1) This provision is only applicable when Service Provider is incorporated outside of mainland China.

101

4. Controls

4.1 Supplier shall regularly report Service related matters to Citi in accordance with Citi’s reasonable requirements.

4.2 Supplier shall promptly notify Citi of any issue which may affect the provisions of the Services or of any problems, accidents or disruptions which may have a material impact on the Services.

4.3 Except for the Services provided in the Master Agreement and/or the relevant Work Order, Supplier shall not conduct any other activity in the name of Citi.

5. Continuity of Business

5.1 Supplier and Citi shall each use reasonable efforts to develop, maintain and adhere to a plan providing measures to be taken by Supplier in the event of various contingencies, in order to ensure Supplier’s ability to continue providing the Services.

6. Termination

6.1 Where Supplier is found to be unable to protect Citi’s customer information or Citi’s customer rights are jeopardized due to Supplier’s failure to protect Citi’s customer information, Citi shall have the right, in addition to others rights or remedies that are available to Citi under the Master Agreement and/or the Work Order and/or applicable law, to terminate the Master Agreement and/or the relevant Work Order with immediate effect upon notice.

7. Transition Services

7.1 Upon the termination of the Master Agreement and/or the relevant Work Order for any reason whatsoever (including a default by either party), each party shall provide such information, cooperation and assistance to the other party, as such other party may reasonably request, to assure an orderly return or transfer to the requesting party or its designee of all proprietary data (and related records and files) and materials of the requesting party.

7.2 If the Master Agreement and/or the relevant Work Order is terminated for any reason other than a circumstance which could expose Supplier to ongoing damages or liability, Supplier shall provide such assistance to Citi as Citi reasonably requests to transition to another Supplier of Citi’s choice, subject to Citi’s agreement to pay Supplier’s reasonable costs and expense for such transition assistance.

8. Assignment and Subcontracting

8.1 Supplier is prohibited from (i) completely assigning or outsourcing all of the Services to a third party and/or, (ii) sub-contracting any key part of the Services to a third party. Additionally, Supplier shall ensure that its sub-contractor(s) does not further transfer/assign the sub-outsourced business to any third party.

102

8.2 All provisions of the Master Agreement and/or the relevant Work Order shall be binding upon and shall inure for the benefit of Supplier and Citi and their legal successors and permitted assigns.

9. Protection of Personal Information

9.1 Personal information relating to Citi’s customer shall include personal financial information, which means the personal information obtained, processed or stored by Citi through business operations or through access to credit report systems, payment system and other systems, including the following:

(1) Personal identification information, including name, gender, nationality, form of ID, ID number, expiration date of ID, occupation, contact, marriage status, family information, residential address, work address, photo, etc.

(2) Personal property information, including income, real estate ownership, vehicle ownership, tax amount, housing fund payment, etc.

(3) Personal account information, including account number, account opening time, account opening bank, account balance, account transaction information, etc.

(4) Personal credit information, including credit card repayment information, loan repayment information and other information formed in personal economic activities which can reflect such person’s credit condition.

(5) Personal financial transaction information, including personal information obtained, preserved or stored by Citi in its payment and settlement, wealth management, security box businesses and the personal information disclosed when Citi’s customer does business with insurance company, security company, fund company and other third party institution through Citi.

(6) Derivative information, including personal consumption habit, investment willingness, and other information derived from processing and analyzing the original information which can reveal a person’s particular features.

(7) Other personal information obtained or stored through establishment of business relationship with a person.

(hereinafter called “Personal Information”)

9.2 Supplier agrees to take effective measure to protect the Personal Information obtained through the provision of the Service, ensure information security, confidentiality and avoid unauthorized disclosure or misuse during the collection, transmission, processing, storage and usage of such Personal Information.

9.3 Supplier agrees not to send Personal Information (which was obtained in China) outside of China, and ensure the storage, processing and analysis of Personal Information is conducted within China.

103

9.4 Upon the termination of the Master Agreement and/or the relevant Work Order, Supplier shall destroy or return to Citi, subject to Citi’s instruction, all personal financial information of Citi’s customer obtained through providing the Services to Citi.

10. Governing Law and Jurisdiction

10.1 Where both Citi and Supplier are entities incorporated in China, the governing law shall be the PRC law, and all claims or disputes arising out of or in connection with Master Agreement and/or the relevant Work Order shall be submitted to the PRC court where Citi is located.

Appendix A — Memorandum of Understanding List (As of July 2011)

V20120109(Shirley)/reval20130322(Shirley)

104

SCHEDULE E — GUAM LAW REQUIREMENTS

(Version 1 — revalidated 12 April 2013)

Access to Records:

1.1 Except as otherwise provided in this Agreement, during Supplier’s regular business hours and upon receipt of reasonable notice from Citi, any officer, employee or internal auditor of Citi, any independent public accountant(s) selected by Citi and any person designated by any regulatory authority having jurisdiction over Citi shall be entitled to examine/inspect/audit on Supplier’s premises Supplier’s records pertaining to any Service described in the Agreement, but only upon Citi furnishing Supplier with Instructions to that effect.

1.2 Any such examination/inspection/audit shall be subject to the approval of the applicable regulatory authorities of Supplier and consistent with Supplier’s obligations of confidentiality to other parties. Supplier shall under no circumstances be required to comply with any request for access and/or to grant access to any party, to any information other than the information of Citi and/or Citi’s customers/employees transferred to, stored at or processed by Supplier pursuant to this Agreement. Supplier is also not required to comply with any advice or request for any information or for inspection or audit where such request or advice would entail access to any other information in the custody of Supplier.

V20110717(Pia)/reval20130412(Pia)

105

SCHEDULE F — HONG KONG LAW REQUIREMENTS

(Version 2 — 23 January 2013)

1. Provision of Services and/or Deliverables.

(a) During the term of the Agreement, each Party shall designate their respective representatives who will be the key contacts for coordinating management meetings/visits and addressing issues relating to the Services and/or Deliverables and such other arrangements or transactions as contemplated under the Agreement.

(b) Supplier agrees to participate in and report to Citi on performance reviews to be conducted on a regular basis as reasonably required by Citi.

(c) Supplier shall render Services and/or furnish Deliverables with due care according to its security and operation control process, which are designed to ensure accuracy and timeliness on all its service delivery.

(d) Supplier shall ensure that any records and reports (including but not limited to the invoices) in whatever form prepared by Supplier in accordance with the Agreement and any Citi Confidential Information shall be subject to Citi’s document retention policy (a copy of which shall be provided by Citi to Supplier). Such records, reports and information shall be made available for Citi’s inspection at any time provided that sufficient prior written notice shall be given to Supplier.

(e) The Agreement shall be reviewed and revised as needed by the parties on an annual basis. However, if the Agreement is not reviewed and/or revised in a year, the then current Agreement shall continue to apply.

2. Fees and Expenses. The fees charged by Supplier to Citi in respect of the provision of the Services and/or Deliverables shall be reviewed and agreed by Supplier and Citi on an annual basis. However, if such fees are not revised in a year, then the previously agreed fees shall continue to apply.

3. Confidential Information.

(a) Without prejudice to the confidentiality provisions under the Agreement, the Receiving Party will also disclose the Disclosing Party’s Confidential Information to any relevant Affiliate which is bound to comply with the obligations of confidentiality at least as stringent as those set forth in the Agreement.

(b) If the Receiving Party shall be under a legal, regulatory, administrative or judicial obligation to disclose any Confidential Information, such party shall, where it is practical and legally able to do so, give the Disclosing Party prompt notice thereof.

(c) Supplier shall ensure that Citi Confidential Information shall be segregated or compartmentalized from Supplier’s own or its other customers’ Personal Information.

106

(d) The Receiving Party acknowledges and agrees that the unauthorized disclosure or use of any Confidential Information of the Disclosing Party may cause irreparable damage to such other Party which could not be adequately compensated by monetary damages. The Receiving Party, to the extent possible, therefore authorizes the Disclosing Party to seek any temporary or permanent injunctive relief necessary to prevent such disclosure or use, or threat of disclosure or use, without proof of actual damages. The provisions of this sub-section shall survive the termination of the Agreement.

(e) Without prejudice to the confidentiality provisions of the Agreement and Section 3 hereunder, Supplier acknowledges and agrees that Citi may maintain computer systems in data centers and in various countries throughout the world and that Citi and its Personnel may collect, store, process, disseminate or use the Personal Information in manner that causes it to be transferred or accessed from computer systems owned or operated by or on behalf of Citi or its Personnel throughout its global computer network.

(f) To the extent that Supplier receives, obtains or generates Citi Confidential Information as a result of the performance of its obligations under this Agreement, and notwithstanding anything to the contrary contained in this Agreement, Supplier agrees that it will, and will ensure that each of its Personnel will, comply with the following requirements:

(i) not disclose, transfer or use any Citi Confidential Information except to the extent necessary to carry out its obligations under this Agreement and for no other purpose;

(ii) not disclose or transfer any Citi Confidential Information to any third party, including, without limitation, its third party Suppliers without the prior written consent of Citi and subject to the further requirements of this section;

(iii) host and use Citi Confidential Information only in Hong Kong and not export or transmit Citi Confidential Information to any other jurisdiction without the prior written consent of Citi;

(iv) employ appropriate administrative, technical and physical safeguards to prevent unauthorized or accidental access, disclosure, transfer, processing, erasure, loss or use of Citi Confidential Information received by it;

(v) comply with all the obligations of confidentiality at least as stringent as those applicable to Supplier and all applicable rules and regulations concerning data privacy and confidentiality (including without limitation the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) and the relevant principles thereunder) to ensure that Citi Confidential Information is protected against unauthorized or accidental access, disclosure, transfer, processing, erasure, loss or use;

(vi) promptly provide such information regarding its privacy and information security systems, policies and procedures as Citi may request from time to time; and

107

(vii) not keep any of Citi Confidential Information for longer than is necessary for processing of such data. Upon the request by Citi or the cessation of the provision of certain Services and/or Deliverables to Citi, or at any time after any of such information has been processed by Supplier, Supplier will, at Citi’s option, as soon as reasonably practicable return or securely destroy any such Information in its possession or under its control. Supplier will certify in writing that it has fully complied with its obligations under this subsection (and that no copies of such information have been retained) within seven (7) calendar days following the date it receives a request from Citi for such a certification.

If Supplier engages any third party, whether within or outside Hong Kong, to process personal data on behalf of Supplier, Supplier shall adopt contractual or other means (i) to prevent any personal data transferred to such third party from being kept longer than is necessary for processing of the data; and (ii) to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to such third party for processing.

(g) At all times during the duration of this Agreement, Supplier will have in place, and will regularly and thoroughly test, security arrangements which are sufficient to:

(i) protect the integrity and security of any of Citi Confidential Information which has been disclosed to, processed by, generated by or otherwise handled by Supplier or any of its Personnel in the course of the performance of Supplier’s obligations under this Agreement and any other agreement; and

(ii) ensure that any of Citi Confidential Information is not lost, destroyed, accessed, transferred, processed, used or disclosed without appropriate authorization or by accident while it is in the possession or under the control of Supplier or any of its Personnel.

On request from Citi, Supplier will use all commercially reasonable efforts to demonstrate to Citi its compliance with this subsection, and will ensure that each of its relevant Personnel does so.

(h) Supplier will, as part of the Services and/or Deliverables provided, conduct an audit reviewable by Citi of the security arrangements in place in the format and frequency set forth in the applicable Work Order, to ensure that the security arrangements comply with the relevant policies in place to safeguard Citi Confidential Information.

(i) If Supplier becomes aware that the security of any Citi Confidential Information has been (or may be) compromised, then it will immediately:

(i) inform Citi;

(ii) take whatever action is necessary to minimize the impact of the security breach, correct the causes of the breach to the fullest extent possible and advise Citi of the status of its remedial actions; and

108

(iii) promptly investigate the underlying causes of the breach and prepare and deliver to Citi a written report which details the causes, and sets out the measures Supplier proposes to implement to prevent reoccurrence of the breach.

(j) If Supplier is required under any relevant laws or regulations to supply any of Citi’s Confidential Information to any government authority outside Hong Kong for examination, Supplier shall inform Citi of such examination and shall seek written consent from Citi before releasing/disclosing such data and information to such governmental authority, as the case may be. Citi shall not unreasonably withhold or delay to provide to Supplier such written consent if it is required, subject to obtaining the necessary consent from the Hong Kong Monetary Authority (“HKMA”) or other relevant government authorities, if applicable.

(k) Notwithstanding anything herein to the contrary, this Section 3 shall survive termination of this Agreement.

4. Compliance with Applicable Laws.

(a) Supplier agrees to cooperate with Citi’s internal and external auditors and the relevant regulatory authorities including, but without limitation, the HKMA, the Hong Kong Securities and Futures Commission, and the Hong Kong Privacy Commissioner for Personal Data for their (or any person appointed by them) review, supervision, audit, or inspection of materials or the status of operation by Supplier in connection with the Services and/or Deliverables provided by Supplier pursuant to the Agreement. Supplier shall notify Citi of any overseas regulatory authorities which seek access to any of Citi Confidential Information.

(b) Supplier shall report to Citi if there is any material change in the Services and/or Deliverables or any material problems, incidents, accidents or disruption which has/have a material impact on the Services and/or Deliverables.

5. Inspection and Right to Audit.

(a) Supplier agrees that the Services it performs and/or the Deliverables it furnishes for a branch of U.S. bank in The Hong Kong Special Administrative Region of the People’s Republic of China (“Hong Kong”) are subject to examination of the HKMA and the Office of the Comptroller of the Currency (“OCC”). Supplier shall, upon reasonable notice, allow Citi, its management, its auditors and/or its regulators, the opportunity of obtaining, inspecting, examining and auditing Supplier’s operations, contingency plans and the business records (including but not limited to copies of the independent audit and financial review report) which are relevant to the Services and/or Deliverables provided hereunder by Supplier including but not limited to Supplier’s critical processes to confirm that Supplier’s processes meet or exceed industry standards in such area of contingency planning, continuity of business plans, software engineering and test processes, change control procedures, critical staff succession planning and compliance with applicable laws and regulations. Supplier shall cooperate fully with Citi’s internal or external auditors to ensure a prompt and accurate audit. If Citi provides recommendations for enhancing Supplier’s critical processes, Supplier shall use its best effort to implement the recommended and/or

109

corrective measures and/or correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit. Supplier shall notify Citi, within reasonable time, any changes to any of the aforesaid plans.

(b) If an audit leads Citi to conclude that Supplier has breached the provisions of this Agreement or that any of Supplier’s business or professional practices related to its performance of Services and/or its furnishing of Deliverables presents a risk of unauthorized disclosure of Citi Confidential Information, Supplier and Citi shall use their best efforts to reach a mutually satisfactory resolution. Supplier shall also use its best efforts to correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit report.

(c) Citi shall be entitled to enter all or any of Supplier’s premises from time to time to inspect and examine Supplier’s operations and to check that Supplier is complying with its obligations under this Agreement. Citi shall endeavour to give reasonable notice of its exercise of its rights hereunder but in circumstances where Citi is of the view that it would prejudice Citi’s interests to give such notice, no prior notice shall be required to be given by Citi. Citi’s rights under this Section may be exercisable by Citi from time to time without Supplier’s consent and Citi is empowered to take all necessary or reasonable steps in order to exercise its rights under this Section fully.

(d) Supplier will submit a yearly financial report audited by a certified accountant to Citi for the assessment of Supplier’s financial health in supporting the Services and/or Deliverables.

(e) Under no circumstances shall Supplier have any lien over any or all of the properties that are proprietary to Citi herein stipulated; Supplier shall at all times hold the documents available for Citi to use, take, or move at Citi’s sole discretion.

6. Continuity of Business.

(a) If any of the disaster or disruption events occurs, shall have occurred, happened or come into effect; namely the circumstances are beyond the reasonable control of Supplier, which affects the provision or receipt of the whole or any of the Services and/or Deliverables, Supplier must:

(i) immediately notify and consult Citi; and

(ii) provide recovery services and otherwise do everything reasonably necessary to re-establish the provision of the Services and/or the Deliverables.

(b) If a Party receives advance warning or notice of the possibility of the occurrence of any disaster or disruption, that Party shall notify the other Party and the Parties shall use their best endeavours to make such alternative or emergency arrangements as may be necessary or desirable in order to ensure that the Services and/or the Deliverables are continuously provided in accordance with this Agreement.

110

7. Subcontracting

(a) Supplier may not subcontract the performance of any of its obligations in the Agreement without the prior written consent of Citi. To the extent that Supplier subcontracts to third parties any of its obligations set forth in the Agreement with the consent of Citi, Supplier shall remain fully responsible for such obligations and for all acts or omissions of its Subcontractors or agents. Nothing in the Agreement shall be construed to create any contractual relationship between Citi and the Subcontractors or agents aforementioned, except as may be otherwise required by law.

(b) For purposes of this Section 7, the use by Supplier of individual independent contractors who are designated or assigned to perform the Services and/or to furnish the Deliverables under the direct management and supervision of Supplier and subject to Citi’s policies and standards of confidentiality undertaking shall not constitute an assignment, transfer or subcontracting, and shall not require Citi’s prior approval.

8. Amendment.

Notwithstanding any terms under the Agreement to the contrary, to the extent that any term in the Agreement is in conflict with any applicable Hong Kong laws and regulations, the HKMA’s Outsourcing Guidelines or Citi’s Outsourcing Policy, Citi shall notify Supplier with a suggested amendment to the Agreement to the extent necessary to comply with such laws and regulations, Guidelines and Policy, and Supplier shall have the option either to accept such amendments (which shall become effective upon notification) or to terminate the Agreement by giving 30 days’ notice in writing to Citi.

9. Termination.

Citi shall have the right to terminate the Agreement or Work Order (or the provision of any part of the relevant Services and/or Deliverables) with immediate effect and without penalty by giving three (3) days prior written notice to the other party in the event that the HKMA or any other competent authority requires Citi to terminate the Agreement or Work Order (or the provision of any part of the relevant Services and/or Deliverables) or make alternative arrangements in relation thereto (it being agreed that a certificate from the relevant party that this has occurred shall be conclusive of that fact). The right of termination in this paragraph is in addition and independent to those in the Agreement.

10. Governing law.

This Schedule shall be governed by, and construed in accordance with, the laws of Hong Kong, and the Parties hereby agree to submit to the non-exclusive jurisdiction of the Hong Kong courts.

V20130123(ClaraW)

111

SCHEDULE G — INDIA LAW REQUIREMENTS

(Version 2 — 22 April 2013)

1. SUPPLIER REPRESENTATIONS

Supplier represents, warrants and covenants to Citi that: the Services shall be executed, and provided to Citi, taking due and proper note of Citi’s requirements; Supplier complies with all applicable law (including but not limited to all information technology and data privacy laws in India), has, and shall at all relevant times, have the requisite and valid licenses and permissions from all regulatory and statutory authorities, for provision of the Services; there is no litigation or proceeding or dispute pending or threatened against it or any of its Affiliates which may affect its ability to provide the Services in accordance with the terms of the Agreement and/or have an adverse impact on the Services or the quality and integrity thereof, in any manner; it shall promptly inform Citi of any event or situation which may affect its ability to provide Services effectively, including but not limited to situations of financial distress faced by Supplier or events resulting in material change in strategic goals or significant changes in Supplier Personnel.

2. INDEPENDENT SUPPLIER

Supplier shall provide the Services as an independent Supplier on a non-exclusive basis. Nothing contained in the Agreement or otherwise shall be deemed to create any partnership, joint venture, employment, or relationship of principal and agent, or master and servant between the Parties hereto or any of their respective employees, Affiliates, subsidiaries, related business entities, agents, contractors or Subcontractors or to provide either Party with any right, power or authority, whether express or implied, to create any duty or obligation on behalf of the other Party.

Supplier acknowledges that the Services provided are solely within its control, and confirms that neither Supplier nor any Supplier Personnel, including contractors or Subcontractors of Supplier (if any), will hold out as anything but that (i) Supplier is an independent and non-exclusive Supplier to Citi, and (ii) that the employees of Supplier are employees solely of Supplier and that other representatives, agents, contractors or subcontractors of Supplier are those of Supplier.

Supplier shall cooperate with, and extend support to, the foregoing position, in the event of any finding related to an employment, partnership or joint venture relationship between Supplier or any of its employees, representatives, agents, contractors or Subcontractors on the one hand and Citi on the other hand. Supplier asserts that upon employing/engaging with any persons, Supplier shall, at that time, clearly communicate to such persons that Supplier is the sole employer of such persons.

Supplier declares and agrees (i) that it has the inalienable and exclusive right, and at all times retains that right, to exercise full control of and supervision over the performance of Supplier’s obligations hereunder and full control over the employment, direction, compensation and discharge of all its employees and other Supplier Personnel; (ii) that it will be solely responsible for all matters relating to payment of salaries and wages of all its employees and other Supplier Personnel, and for due and proper compliance with

112

compensation and benefits requirements for all its employees and other Supplier Personnel under applicable laws, insurance, fidelity insurance and such other insurance, social security withholding, and all other laws, rules and regulations governing such matters and for the redressal of grievances of its employees and other Supplier Personnel; (iii) that it shall be responsible for its own acts and those of its employees and other Supplier Personnel including contractors (if any) and Subcontractors (if any) during the performance of Supplier’s obligations to Citi under this Agreement. Supplier and Supplier Personnel are not entitled to unemployment insurance benefits from Citi as a result of the Services or this Agreement.

Supplier and Citi agree that the Agreement shall not be construed as an agreement for establishing a joint venture or partnership between Citi and Supplier.

Supplier further warrants that it will not do or purport to do any act, deed, thing or matter which will prejudice the interests of Citi, in any manner whatsoever.

3. CONTINUITY OF BUSINESS

Supplier agrees and confirms that it has in place a robust contingency and business resumption plan, including adequate resources, systems and all other infrastructure requirements, in place, to ensure that Services would not be adversely affected in any manner on account of any factors including but not limited to systems break-downs and/or natural and/or man-made disasters, which may cause disruption in the normal functioning of Supplier. Additionally, Supplier shall conduct periodic testing to check the effectiveness, satisfactory state and readiness of the aforesaid continuity of business plan. Supplier shall, if so requested by Citi, permit Citi to conduct joint testing of the aforesaid continuity of business plan along with Supplier.

4. POST-TERMINATION OBLIGATIONS

Commencing upon notice by either Party of expiration or termination of this Agreement and continuing through the effective date of expiration or termination, Supplier confirms that Supplier shall not deny Citi reasonable termination assistance as requested by Citi to allow the use of Services without interruption or adverse effect and to facilitate the orderly transfer of the subject matter of the Agreement as desired by Citi. If requested by Citi in this regard, Supplier undertakes that Supplier will also reasonably co-operate with a third party Supplier in connection with the preparation and implementation of a transition plan by such third party and/or Citi upon the termination or expiration of this Agreement. It is hereby clarified that such termination assistance shall be provided to Citi by Supplier at no additional costs except to the extent of fee for Services as may be calculated on any pro-rata basis that is applicable.

5. INSPECTION AND RIGHT TO AUDIT

5.1 Supplier shall keep complete and accurate records of all operations and expenses in connection with the Services. All the said records shall be kept on file by Supplier for a period of 10 (Ten) years from the date the record is made or as otherwise set forth by applicable law, and in any event, shall not be excised without first having duly and

113

adequately and timely informed Citi in writing and also providing Citi with the option of having such records transferred into the custody of Citi.

5.2 Supplier shall, at reasonable hours, allow Citi, its management, its auditors and/or regulators (including Indian and United States regulators and Citi auditors), the opportunity of inspecting, examining and auditing Supplier’s operations, including its security practices and control processes, including practices and procedures in relation to data security, and business records directly relevant to the Services, and financial agreements, its balance-sheet and profit and loss account and audit reports, and all other documents which Supplier may be called upon to produce for the purposes of ascertaining the financial viability of Supplier as a Supplier.

Supplier shall, as and when requested by Citi, provide access to and make available to any of Citi’s officers/employees/management or internal/external auditors, regulators and their representatives, the necessary records for inspection/examination /audit, and co-operate to the fullest extent so as to clarify on any activities and to assure a prompt and accurate audit related to the Services.

5.3 Supplier shall co-operate with Citi’s internal or external auditors, and regulators to assure a prompt and accurate audit/inspection.

Supplier shall also co-operate in good faith with Citi to correct any practices, which are found to be deficient as a result of any such audit, within a reasonable time after receipt of reports.

Such audits or reviews will be at the expense of Citi. However, if the audit discovers discrepancies or overcharges, then upon completion of such audit or review, Supplier shall be bound and liable to promptly reimburse to Citi for such discrepancies or overcharges, and for the cost of the audit.

5.4 In addition to what is provided hereinabove, Supplier shall on an year-on-year basis provide to its independent auditors (“Auditors”) access at reasonable hours to Supplier Personnel and to Supplier’s records and other pertinent information, all to the extent relevant to the performance of Supplier’s financial, regulatory and Service obligations under the Agreement. Such access shall be provided for the purpose of performing audits and inspections by the Auditors. Supplier shall without delay submit the audit report to Citi. Citi and Supplier shall develop and agree upon an action plan to promptly address and resolve any deficiencies, concerns and/or recommendations in such audit report in relation to the Services, and Supplier, at its own expense, shall undertake remedial action in accordance with such action plan. The audit fees incurred under this clause shall be to Supplier’s sole account.

6. MONITORING RESPONSIBILITY

Except as otherwise directed by Citi, Supplier agrees to meet with Citi, on a monthly basis, for the purpose of reviewing the Services provided by Supplier pursuant to the requirements of the Agreement. Supplier shall submit a monthly report to Citi which shall

114

include, but not be limited to, the following information, (i) a status report on Services provided during the month, identifying, in particular, any performance standards not met; and (ii) any other information requested by Citi.

Supplier agrees to meet with Citi on a quarterly basis to review all aspects of the Services provided and/or any other matters of mutual interest to Supplier and Citi. Further, Supplier agrees to meet with Citi at any time at the request of Citi to review the Services provided by Supplier.

Supplier agrees to provide Citi with any and all information requested by Citi for the purpose of documenting and/or analyzing the Services provided. Citi will select, at its sole discretion, the information reports necessary for its management information needs.

V20130422(Neha)

115

SCHEDULE H — INDONESIA LAW REQUIREMENTS

(Version 1 — 13 November 2011)

1. PROVISIONS REQUIRED BY LOCAL LAWS OR REGULATIONS

For the purposes of this Agreement the following wording shall be added in its entirety:

2. GENERAL REQUIREMENTS FOR ALL SERVICES WHERE AN INDONESIAN CITI ENTITY IS THE CUSTOMER

The following provisions shall apply to all Services provided by Supplier to Citi:

2.1 Examinations by Regulators of Supplier

Supplier shall provide prior notification to Citi of any examination by regulators of Supplier which impacts the Services of Citi or the confidential information of Citi.

2.2 Critical Event

Supplier agrees to also, as soon as possible, notify Citi of the occurrence of any critical event in regard to Citi, i.e. an event which may result in a financial loss to Citi and/or impede the smooth running of Citi’s operations.

2.3 Assignment and Subcontracting

Supplier shall provide prior notification to Citi in the form of Appendix I hereof, for any assignment or subcontracting by Supplier of any of its rights, obligations or responsibilities. If agreed by Citi, the notification can be made through e-mail to the designated person of Citi.

2.4 Classification of Services where the customer is Citibank, NA, Indonesia

In the case where the customer is Citibank, NA, Indonesia, depending on whether or not a specific Service is classified by Citibank, NA, Indonesia as an Information Technology Service pursuant to the regulation of Bank Indonesia as the Central Bank of the Republic of Indonesia, different requirements may apply to the Service. Supplier shall obtain confirmation from Citibank, NA, Indonesia on the classification of Services provided under the Agreement.

3. SPECIFIC REQUIREMENTS FOR INFORMATION TECHNOLOGY SERVICES WHERE AN INDONESIAN ENTITY IS THE CUSTOMER

In addition to the requirements as set forth in Section 2 above, the provisions under Section 3 of this Schedule shall apply to the Services where it is identified as Information Technology Services.

3.1 Definitions

a. Information Technology is a technology related to computer, telecommunication and other electronics means used to operate financial data and/or provide banking services;

116

b. Data Centre is a main facility for data processing for Citi by Supplier, consisting of hardware and software to support the operational activities of Citi continuously;

c. Disaster Recovery Centre is a substitute facility, in the event the Data Centre experiences a disturbance or dysfunction, among others due to: no electricity to the computer room, fire, explosion or computer damage, temporarily used during the recovery of Supplier’s Data Centre, to ensure business continuity;

d. Technology-based-Transaction Processing is an activity in the form of addition, amendment, deletion of data and/or data authorization to be performed on the application system(s) used to process Citi transactions.

3.2 Information Technology Services

For all Services that are identified as Information Technology Services, the following requirements shall apply:

a. Supplier must apply reasonable information technology control principles (the application of both physical and logical security measures) which shall be evidenced by an independent audit report commissioned by Supplier.

b. Supplier shall provide technical document(s) to Citi in relation to the Information Technology Services being provided, which include among others the Information Technology processes and data base structure.

c. Supplier shall provide qualified and competent personnel in accordance with the Information Technology Services being provided. Supplier must do transfer of knowledge to Citi, so that there will be a personnel in Citi that understands the Information Technology processes and applications provided by Supplier, which may be done among others by way of providing trainings to Citi.

d. Supplier must report to Citi of any request for access or disclosure of the confidential information, to the extent that such confidential information must be disclosed under applicable laws.

e. Supplier must report to Citi in the event of any change of situation which may limit or hinder the rights of Citi or Bank Indonesia to access information in regard to the Information Technology Services.

For Information Technology Services that are specifically identified as maintenance of a Data Centre, Disaster Recovery Services and/or Technology-based Transaction Processing Services, additional requirements as set forth in Subsection 3.3 of this Schedule shall apply.

3.3 Data Centre, Disaster Recovery Services and Technology-based Transaction Processing Services

For Information Technology Services that are specifically identified as maintenance of Data Centre or Disaster Recovery Services and/or Technology-based Transaction Processing Services,

117

in addition to the requirement of Subsection 3.2 of this Schedule, the following requirements shall apply:

a. Submission of Documents Prior to Initiation of Services

As part of the requirement for Citi to apply to Bank Indonesia for approval of the outsourcing of Data Centre, Disaster Recovery Services and/or Technology-based Transaction Processing Services to Supplier, Supplier shall submit to Bank Indonesia via Citi a written confirmation from the regulatory or statutory authority having local jurisdiction over Supplier that:

(i) Supplier is within its supervisory jurisdiction;

(ii) the authority shall allow Bank Indonesia, at a reasonable time, to examine Supplier’s provision of services to Citi;

In the event there is no authority having jurisdiction over Supplier, Supplier shall advise Citi of the circumstance. Citi shall seek advice from Bank Indonesia of a confirmation acceptable to Bank Indonesia in lieu of the above written confirmation.

b. Risk Management Controls:

Supplier shall provide Citi , on an annual basis, an appraisal on the risk management controls in effect at Supplier. The foregoing report must be submitted no later than a month after the completion of such review. For the purpose of this clause, Appendix II hereto is a summary of the least coverage to be observed in a technology risk management pursuant to the prevailing regulation.

c. Submission of Independent Audit Report

Supplier shall submit an independent audit report on Data Centre, Disaster Recovery Services and/or Technology-based Transaction Processing Services to Bank Indonesia via Citi on an annual basis. The report must be submitted to Bank Indonesia within 2 (two) months after the completion of the audit.

4. WITHHOLDING TAXES AND TAX RECEIPTS

Supplier shall upon Citi’s request furnish Citi with a Certificate of Residence issued by the competent tax authority of Supplier on an annual basis.

Appendix I

118

Appendix II

V20091113(Irma)

119

SCHEDULE I — JAPAN LAW REQUIREMENTS

(Version 1 — 6 June 2011)

I. General

1.1 Unless otherwise a separate Work Order or any additional ancillary agreement is directly made and entered into by and between Supplier or its local Affiliate and any Affiliate of Citi in Japan, Supplier shall be subject to Section II of this Schedule in connection with providing the Services to such Affiliate of Citi in Japan.

1.2 Where necessary or appropriate, in Citi’s determination, for Citi to receive the Services in Japan, Supplier or its local Affiliate and Affiliate of Citi in Japan will enter into a separate Work Order or any additional ancillary agreement setting forth such additional terms and conditions applicable in Japan. The Japanese local agreements may address as necessary any specific legal, regulatory, human resource or procedural requirements necessary for compliance with applicable Japanese laws, due to variations in practices or as otherwise agreed to by the Parties. If a separate Japanese local agreement is made and entered into by and between Supplier or its local Affiliate and any Affiliate of Citi in Japan, such Japanese local agreement shall supersede this Addendum including this Schedule.

II. Provisions required by JAPANESE laws or regulations

If a Japanese Affiliate of Citi (“Japanese Affiliate”) receives the Services from Supplier, the following additional terms and conditions shall be applied to provision of the Services in Japan by Supplier.

1. Personal Information

1.1 If Japanese Affiliate furnished, supplied or disclosed to Supplier the Japanese Affiliate’s Personal Information, within the meaning of the Act on the Protection of Personal Information of Japan (Law No. 57 of 2003, as amended from time to time (hereinafter referred to as the “PIPL”) (the “Personal Information”), in connection with the Services or otherwise Supplier otherwise obtained or accessed such Personal Information, Supplier shall take necessary and appropriate measures to prevent divulgence, loss, or destruction of the Personal Information in accordance with Section 20 of the PIPL and regulations thereunder.

1.2 Pursuant to Section 22 of the PIPL and regulations thereunder, in connection with receiving, using, and maintaining the Personal Information, Supplier shall exercise, adequate security measures, including but not limited to, the following adequate security measures to safeguard the Personal Information from unauthorized disclosure, access, use and misappropriation:

(1) The organizational security measures to ensure that Supplier will disclose the Personal Information only to those of Supplier’s personnel who have a need to know such Personal Information (only to the extent necessary) in order to fulfill the purposes contemplated by the Agreement and the applicable Work Order, and

120

set forth internal rules for use of and access to the Personal Information, which is subject to Supplier’s periodical review;

(2) The individual security measures to ensure that Supplier will instruct and supervise its personnel who uses or has an access to the Personal Information to prohibit the personnel from committing unauthorized disclosure, access, use and misappropriation of the Personal Information; and

(3) The technological security measures to ensure that Supplier will implement systems to limit access to the Personal Information and monitor such access;

1.3 Supplier acknowledges and agrees that:

(1) Japanese Affiliate reserves the rights to supervise and audit Supplier in connection with the provisions of the Services and the Personal Information disclosed to Supplier;

(2) Supplier, upon Japanese Affiliate’s request, shall provide information related to the provisions of the Services and the Personal Information disclosed by Japanese Affiliate;

(3) Supplier shall use the Japanese Affiliate’s Personal Information only for the purpose of providing the Services and shall not destroy, alter, misappropriate, reproduce, or store the Personal Information nor divulge or disclose the Personal Information, in any form or manner, to a third party without the prior written consent of Japanese Affiliate; and

(4) Supplier shall be responsible for damages arising out of, or relating to divulgence, loss, alteration, misappropriation, and/or unauthorized disclosure of the Personal Information caused by Supplier.

1.4 Supplier shall not furnish, supply, or otherwise disclose the Japanese Affiliate’s Personal Information to Supplier’s Subcontractor UNLESS Supplier satisfies all of the following requirements in addition to Section 2 of this Schedule:

(1) Supplier shall obtain the prior written consent of Japanese Affiliate;

(2) Supplier shall take the following necessary and appropriate measures;

(a) Supplier shall set forth standard criteria taking into account a Subcontractor’s organizations and policies for information security (as reviewed and updated from time to time) and select a Subcontractor based on the standard criteria;

(b) A subcontracting agreement to be entered into by and between Supplier and its Subcontractor shall stipulate the following safety management measures: (i) Supplier’s rights to supervise and monitor the Subcontractor, and collect information from the Subcontractor; (ii) prohibitions of divulgence, misappropriation, or alteration of the Personal Information as well as use of the Personal Information other than for the purpose of the Services; (iii)

121

conditions of subcontracting; and (iv) the Subcontractor’s liability for damages arising out of, or relating to incidents, such as divulgence and inappropriate disclosure of the Personal Information; and

(c) Supplier shall, periodically or any time if necessary, confirm the Subcontractor’s compliance with the safety management measures and review appropriateness of the safety management measures.

(3) Supplier shall cause its Subcontractor to adopt the adequate security measures set forth in Section 1.2 of this Schedule.

1.5 Except otherwise expressly provided by the Agreement and the applicable Work Order, upon the request of Japanese Affiliate at any time during the term of the applicable Agreement and the applicable Work Order or after the termination thereof, Supplier shall promptly return or destroy the Personal Information or its duplicates supplied to, or otherwise obtained by, Supplier in connection with the Services, in the form or manner specifically instructed by Japanese Affiliate. If the Personal Information was stored or saved in Supplier’s computers, servers, or any other electromagnetic medium, Supplier also shall delete or purge such stored or saved Personal Information in the form or manner specifically instructed by Japanese Affiliate.

2. SUBCONTRACTING

2.1 Supplier shall not subcontract any part of the Services to a third party, including its affiliates, without the prior written consent of Japanese Affiliate.

2.2 If Supplier subcontracts any part of the Services to a third party, Supplier shall select a Subcontractor which meets satisfactory criteria, including but not limited to, all of the following three (3) criteria:

(1) A Subcontractor who, in light of Japanese Affiliate’s coherent business operations, is able to provide Japanese Affiliate and Supplier with the Services at the reasonably sufficient level in the industry;

(2) A Subcontractor whose financial and management conditions are sufficient enough to provide Japanese Affiliate and Supplier with the Services in accordance with the Agreement and applicable Work Order and subcontract agreement and to indemnify Japanese Affiliate for damages arising out of, or relating to the Services; and

(3) A Subcontractor will not risk the reputation of Japanese Affiliate.

2.3 A subcontracting agreement to be entered into by and between Supplier and a Subcontractor shall contain satisfactory stipulations, including but not limited to, all of the following four (4) terms and conditions:

(1) Description of the services to be subcontracted, the service level standard for providing the services, and procedures for terminating the subcontracting agreement;

122

(2) Subcontractor’s liability for damages arising out of Subcontractor’s failure to perform the services in accordance with the subcontracting agreement or Subcontractor’s breach of the subcontracting agreement (placing a security deposit, collateral, or lien if necessary);

(3) Items to be reported by the Subcontractor to Supplier in connection with the provision of the services and Subcontractor’s management conditions; and

(4) Cooperation with internal and external auditors and regulators of Japanese Affiliate and/or Supplier.

2.4 A subcontracting agreement to be entered into by and between Supplier and a Subcontractor shall not violate the applicable Japanese laws and regulations, including the Banking Act of Japan and the Financial Instruments and Exchange Act of Japan.

2.5 Supplier shall adopt sufficient internal control measures, including but not limited to, designating a project manager who is responsible for the subcontracted services, monitoring a Subcontractor and its performance, and establishing audit functions.

2.6 A Subcontractor shall provide Supplier with a periodical report on the status of subcontracted services and the Subcontractor, upon request of Japanese Affiliate and/or Supplier, must provide Japanese Affiliate and/or Supplier with necessary information in a prompt manner.

2.7 Supplier shall audit a Subcontractor periodically to ensure that such Subcontractor comply with applicable Japanese Laws and regulations and all terms and conditions set forth in the Agreement, applicable Work Order and this Schedule.

2.8 Supplier shall prepare a continuity of business plan in order to provide Japanese Affiliate with continuous Services in case of emergency or Subcontractor’s failure to perform the Services in accordance with the subcontracting agreement.

2.9 Supplier, upon the request of Japanese Affiliate, shall provide Japanese Affiliate with information of a Subcontractor, including but not limited to, name of the Subcontractor and its project manager, contact information of the Subcontractor, description of the services subcontracted, and a subcontracting agreement.

V20110606L(H.Masanori)

123

SCHEDULE J — KOREA LAW REQUIREMENTS

(Version 1 — 6 October 2011)

In addition to the provisions under the Agreement, Supplier shall comply with the requirements set forth below in accordance with applicable laws of Korea. To the extent that the terms and conditions of the Agreement are inconsistent with the terms and conditions herein, the terms and conditions herein will prevail.

1. Additional Requirements Based on the (i) Personal Information Protection Act and (ii) Use and Protection of Credit Information Act:

The following provisions shall apply to Supplier to the extent that Supplier receives the Personal Information. For the avoidance of doubt, the Personal Information shall include any credit information that relates to determination of credit rating or credit transactions capacities of a person as such term is defined under the Use and Protection of Credit Information Act.

1.1 Supplier shall take measures, including establishment and operation of facilities and systems, to achieve the following in connection with processing any Personal Information:

· prevent any distortion of access records to the Personal Information;

· encrypt the Personal Information for transmission purposes; and

· examine the Personal Information access records on a regular basis.

In addition, Supplier shall take such other measures necessary to protect the Personal Information as required by Citi.

1.2 Personal Information Protection Officer

(a) Supplier shall designate a suitably qualified Personal Information Protection Officer who will be responsible for processing all Personal Information pertaining to a natural person and ensure that the following duties are performed by such person:

· adopt internal policies and procedures to protect the Personal Information (the “Personal Information Protection Procedures);

· oversee and manage the Personal Information processing practice and make any improvement on such practice if necessary;

· address any complaint Supplier receives in connection with the Personal Information processing;

· establish an internal control system to prevent any theft, misuse or abuse of the Personal Information;

· establish a program and educate the Supplier Personnel regarding protection of the Personal Information;

· manage and supervise maintenance and protection of documents that include the Personal Information; and

· perform any other duties that may be necessary to process and protect the Personal Information.

(b) Supplier shall ensure that the Personal Information Protection Officer (i) has the authority to make inquiries or require any person who deals with the Personal

124

Information to report to him/her regarding processing status or processing system of the Personal Information and (ii) does not suffer from any disadvantage in performing his/her duties set forth in Section 1.2(a) above.

1.3 Upon occurrence of any breach of the Personal Information Protection Procedures or theft of the Personal Information (the “Occurrence”), Supplier shall, without delay, take necessary measures to minimize the damage or loss and immediately notify Citi and Citi’s Project Manager of the Occurrence and the following information as applicable:

· the items of the Personal Information that are disclosed or stolen;

· the time and details of the Occurrence;

· measures that victims of the Occurrence may take to minimize their damage or loss;

· measures adopted by and reliefs to be provided by Supplier to remedy the Occurrence; and

· contact information to which the victims may report their damage or loss.

1.4 The Personal Information pertaining to an individual must be made available for review, correction, or deletion, or must be subject to suspension of being processed upon such individual’s request. In the event that such individual to which the Personal Information pertains raises any objection to the manners in which his/her request concerning the foregoing matters are addressed by Citi, Supplier shall endeavor to assist Citi in dealing with such objection.

2. Delegation Matters under the Regulations on Business Delegation by Financial Institutions

2.1 Supplier shall maintain a Continuity of Business Plan designed to deal with a major destruction or incapacity of its facilities and/or systems. Pursuant to the Continuity of Business Plan, Supplier shall maintain resources, guidelines, general action steps and backup sites, facilities and systems to resume business in case of disruption due to natural disaster, accidents or system failure. The Continuity of Business Plan shall include procedures including, but not limited to, for business site relocation, restoration of business functions and telecommunications resumption. Redundant servers shall be in place for several key systems and daily tape backups shall capture all key data and be stored offsite. Supplier’s Continuity of Business Plan shall be updated and tested on an ongoing basis.

2.2 Supplier agrees that it shall accept and accommodate examinations conducted by the relevant Korean regulatory authorities in accordance with applicable law in connection with the work delegated by Citi.

V20111006L(Jay Son)

125

SCHEDULE K — MACAU LAW REQUIREMENTS

(Version 1 - 16 January 2012)

1. Compliance with the law of Macau Special Administrative Region of the People’s Republic of China

Prior to the provision of any Services by Supplier to Citi, both Parties shall comply with all legal and regulatory requirements in respect of the Services.

2. Audit and Inspection Right

2.1 Supplier agrees that the services it performs for Citi are subject to examination of relevant authorities in Macau. Citi shall keep complete and accurate records of all of its work and expenses in receiving the Services from Supplier for a period of at least ten (10) years from the date which the record was created. Supplier shall, upon reasonable notice, allow Citi, its management, its auditors and/or its regulators, the opportunity of inspecting, examining and auditing Supplier’s operations and the business records which are relevant to the Services provided hereunder by Supplier including but not limited to Supplier’s critical processes to confirm that Supplier’s processes meet or exceed industry standards in such area of contingency planning, continuity of business plans, software engineering and test processes, change control procedures, critical staff succession planning and compliance with applicable laws and regulations. Supplier shall cooperate fully with Citi’s internal or external auditors to ensure a prompt and accurate audit. If Citi provides recommendations for enhancing Supplier’s critical processes, then Supplier shall give due consideration to implementing such recommendations.

2.2 If an audit leads Citi to conclude that Supplier breached the provisions of this Agreement or that any of Supplier’s business or professional practices related to its performance of Services presents a risk of unauthorized disclosure of Information, Supplier and Citi shall use their best efforts to reach a mutually satisfactory resolution. Supplier shall also use its best efforts to correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit report.

2.3 Citi shall be entitled to enter all or any of Supplier’s premises from time to time to inspect and examine Supplier’s operations and to check that Supplier is complying with its obligations under this Agreement. Citi shall endeavor to give reasonable notice of its exercise of its rights hereunder but in circumstances where Citi is of the view that it would prejudice Citi’s interests to give such notice, no prior notice shall be required to be given by Citi. Citi’s rights under this clause may be exercisable by Citi from time to time without Supplier’s consent and Citi is empowered to take all necessary or reasonable steps in order to exercise its rights under this clause fully.

3. Data processing

When Supplier is acting as data processor, and is collecting, holding, processing, using or transferring personal data of individuals, the Macau Data Protection Act (the “Act”) shall be applicable. Under the terms of the Act Supplier (i) has to ensure the security and safety of the personal data and must use appropriate technology and organizational measures to protect the personal data collected and/or stored with it and (ii) its employees and other persons who work for Supplier (on a permanent or temporary basis) are bound by the duty of secrecy and cannot

126

reveal or take advantage of inside information obtained through the Services. The duty to maintain secrecy shall survive the termination of their employment or any other relationship with Supplier.

V20120116(JohnChoi-Ext)

127

SCHEDULE L — MALAYSIA LAW REQUIREMENTS

(Version 3 — 20 December 2012)

PART 1

TERMS AND CONDITIONS APPLICABLE WHERE THE CITI CUSTOMER IS AN AFFILIATE IN MALAYSIA

1 Confidentiality and Security

1.1 Supplier hereby acknowledges receipt of section 97 of the Banking and Financial Institutions Act, 1989 of Malaysia (“BAFIA”), section 178 of the Labuan Financial Services and Securities Act, 2010 of Malaysia (“LFSSA”) and section 43 of the Securities Industry (Central Depositories) Act, 1991 of Malaysia (“SICDA”) (see Appendix A attached hereto). Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, and to procure all Supplier Personnel and Supplier Affiliates to observe all precautionary measures to prevent disclosure of information that will cause Citi or its Affiliate to violate section 97 of the BAFIA, section 178 of the LFSSA, section 43 of the SICDA or otherwise be guilty of an offence there under.

Supplier further agrees and undertakes that it will not, and will covenant all Supplier Personnel and Supplier Affiliates not to do anything which will cause Citi or its Affiliate to violate section 97 of the BAFIA, section 178 of the LFSSA, section 43 of the SICDA or otherwise be guilty of an offence thereunder.

1.2 Supplier shall not disclose Citi’s or its Affiliate’s customer information to any person (save for disclosure to Supplier’s employees (and only to the extent necessary in order to fulfill the purposes contemplated by the relevant Work Order)).

1.3 In connection with the Services provided by Supplier to Citi, Citi may disclose Confidential Information of an Affiliate to Supplier. Supplier shall comply with such additional obligations as may be required by that Affiliate as notified in writing to Supplier.

1.4 Supplier shall at all times take technical, personnel, organizational and other measures to ensure:-

1.4.1 the confidentiality of customer information between its various customers; and

1.4.2 that all Citi’s and its Affiliate’s information, materials and assets can be clearly identified and segregated so that such information, materials and assets can either be removed from the possession of Supplier in order to continue Citi’s or its Affiliate’s business operations, or deleted, destroyed or rendered unusable.

128

1.5 Supplier shall retain all documents in connection with the provision of the Services in accordance with Citi’s record retention policies or for such longer periods as may be reasonably instructed in writing by Citi from time to time.

1.6 This Clause 1 (Confidentiality and Security) of Part 1 of this Malaysia Law Requirements Schedule shall survive termination or expiration of the relevant Work Order between Supplier and Citi.

2 Business Continuity Management

2.1 Supplier represents, warrants and covenants that it has in place a satisfactory and a fully documented and adequately resourced Business Continuity Management (“BCM”) plan comprising (i) a Business Continuity Plan (“BCP”) evidencing how Supplier shall, under exceptional circumstances, be in a position to perform its obligations under the relevant Work Order, including but not limited to continuity of service and (ii) a Disaster Recovery Plan (“DRP”) evidencing how Supplier shall, in the event of a disaster, be in a position to perform its obligations under the relevant Work Order, including but not limited to disaster (whether natural or man-made) recovery plans that minimize the probability and impact of interruption to Citi’s business, back up processing, protecting program and data files and equipment for the orderly and expeditious provision of the Services.

2.2 Supplier further represents and warrants that in respect of each Work Order, the BCP and the DRP shall be in place for the entire term of the relevant Work Order and for such period where transition services are provided by Supplier to Citi. Supplier is required to declare its state of business continuity readiness to Citi on an annual basis. Supplier shall provide Citi and comply with Recovery Time Objectives (“RTO”) stipulating the timeframe required for any of Supplier’s information technology systems and applications to be recovered and to be operationally ready to support the Services after an outage in accordance with such specifications as may be acceptable to Citi.

2.3 Supplier shall test the BCP in relation to the Services and all facilities used by it in connection with the BCP on a regular basis and at least annually and notify Citi of any test finding that may affect Supplier’s performance, the test results and action to be undertaken to address any gap in the BCP.

2.4 Supplier shall test the DRP in relation to the Services and all facilities used by it in connection with the DRP on a regular basis and at least twice a year and notify Citi of any test finding that may affect Supplier’s performance, the test results and action to be undertaken to address any gap in the DRP.

2.5 If Supplier makes any significant change(s) to the BCM or there are any adverse developments that may significantly impact the Services, it shall notify Citi in writing and provide a full description of such significant change(s) and/or adverse developments immediately.

129

2.6 In the event that such test(s) on the BCM in relation to the Services are reasonably required by Citi in connection with the testing of its own business continuity plan, Supplier shall co-operate fully with Citi to ensure that such test(s) are carried out as soon as reasonably practicable and accurately in accordance with Citi’s reasonable requirements.

2.7 Supplier shall allow Citi’s internal auditors or other independent party appointed by Citi to review the BCM of Supplier.

2.8 The BCP and DRP should include, at least: -

2.8.1 Procedures to be followed in response to a major disruption to business operations. The procedures should enable the institution to respond swiftly to a crisis situation, recover and resume the critical business functions, resources and infrastructure outlined in the BCP within the stipulated timeframe.

2.8.2 Escalation, declaration and notification procedures including a call tree and contact list.

2.8.3 The conditions for BCP activation and the individual who has the authority to declare a disaster and grant permission to execute the recovery processes.

2.8.4 A list of all resources required to recover the critical business functions in the face of a major disruption including but not limited to key recovery personnel, computer hardware and software, office equipment and relevant documentation.

2.8.5 Relevant information about the alternate and recovery sites.

2.8.6 Procedures for restoring normal business operations, which should include the orderly entry of all business transactions and records into the relevant information technology systems and the completion of all verification and reconciliation procedures.

2.9 “Business Continuity Management” or “BCM” means a whole-of-business approach that includes policies, standards and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimize the operational, financial, legal, reputational and other material consequences arising from a disruption. BCP and DRP are the key components of BCM.

2.10 “Business Continuity Plan” or “BCP” means a comprehensive documented action plan that outlines procedures, processes and systems necessary to resume or restore the business operation of an institution in the event of a disruption.

2.11 “Disaster Recovery Plan” or “DRP” means a comprehensive written plan of action that sets out the procedures and establishes the processes for information

130

technology systems and requirements that are necessary to support and restore the business operation of an institution in the event of a disruption.

3. Monitoring and Control

Supplier agrees to (i) meet with Citi at any time and from time to time upon prior written notice being given to Supplier at the reasonable request of Citi to review all aspects of the Services provided by Supplier pursuant to the relevant Work Order and/or other matters of mutual interest to Supplier and Citi, and (ii) adopt any recommendations and/or measures reasonably proposed by Citi to ensure, inter alia, compliance with legal and regulatory obligations.

4. Assignment and Sub-Contracting

4.1 Supplier shall not assign, outsource or subcontract any or all of its obligations set forth in the relevant Work Order to any third parties without the prior written consent of Citi, and for the avoidance of doubt, the term “third parties” includes Supplier’s Affiliates, agents, consultants, contract non-employee workers, contractors, sub-contractors and third party hires.

4.2 To the extent that Supplier is so permitted to assign, outsource or subcontract any of its obligations, Supplier shall procure the compliance by all assignees/outsourcees/sub-contractors with the provisions of the Work Order and this Malaysian Law Requirements Schedule relating to the performance of such obligations (including, without limitation, provisions relating to security and confidentiality, audit and inspection and business continuity management).

4.3 Where Citi has consented to Supplier assigning, outsourcing or sub-contracting any or all of its obligations set forth in the relevant Work Order to a third party, Citi may require Supplier to, and Supplier shall (if so required by Citi), provide to Citi written notification of any variation or termination of the agreement between Supplier and that third party. The written notification shall be provided to Citi within three (3) days of the variation or termination.

5 Right of Audit

5.1 Subject to Clause 6 (Examinations, Review and Audits) of Part 1 of this Malaysia Law Requirements Schedule, Supplier will allow Citi and its Affiliate’s internal or external auditors (i) to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services provided by Supplier, and (ii) to obtain copies of any report and finding made on Supplier in conjunction with the Services performed for Citi or its Affiliates. Supplier shall cooperate with Citi and its Affiliate’s internal and external auditors to ensure a prompt and accurate audit.

5.2 Subject to Clause 6 (Examinations, Review and Audits) of Part 1 of this Malaysia Law Requirements Schedule, Supplier will allow (with reasonable prior notice from Citi) the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve Board (“FED”), the Labuan Financial Services Authority (“LFSA”), Bank Negara Malaysia (“BNM”), the Securities Commission of Malaysia (“SC”)

131

and any other authority having jurisdiction over Citi or its Affiliate (the OCC, FED, LFSA, BNM, SC and any other authority having jurisdiction over Citi or its Affiliate shall hereinafter be referred to as “Regulator”) or any agent appointed by any Regulator, to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services including but not limited to (i) records and documents relating to transactions, (ii) reports and findings made on Supplier in conjunction with the Services, and (iii) the internal controls adopted by Supplier with respect to preservation of the confidentiality of data generally and Citi’s or its Affiliate’s Confidential Information specifically (where applicable). Supplier will ensure that these requirements are made part of its arrangements with any party that Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup Suppliers.

5.3 Supplier confirms that, other than as provided in Clause 6 of Part 1 of this Malaysia Law Requirements Schedule, no governmental, regulatory, statutory or other approvals are required by it in respect of the inspection, examination and audit referred to in paragraphs 5.1 and 5.2 above.

5.4 Supplier will give due consideration to the findings and recommendations of any Regulator and those of the internal or external auditors of Citi or its Affiliate. The parties shall discuss, in good faith, the feasibility of implementing said findings and recommendations, as well as the assignment of costs in connection therewith. If Supplier elects not to comply with the findings and recommendations, Citi shall be entitled to terminate the relevant Work Order without penalty by giving Supplier sixty (60) days (or such other period as may be decided by Citi) prior written notice. During the notice period, Supplier shall not be compelled to comply with the findings and recommendations.

5.5 Supplier shall notify Citi if any Regulator or other person seeks access to Citi’s Confidential Information or if a situation arises where the rights of access of Citi, Citi’s or Citi Affiliate’s internal or external auditors or any Regulator is restricted or denied.

6 Examinations, Review and Audits

As an examination, review or audit of the books, accounts or transactions of Citi or its Affiliate may require the approval of Citi’s or its Affiliate’s Regulator, any such examination, review or audit must be first approved by Citi.

7 Malaysia’s Export Control laws

Supplier shall execute the Letter of Assurance attached hereto as Appendix B if requested by Citi.

8 Definitions

In this Malaysia Law Requirements Schedule:-

8.1 “Supplier Personnel” means and includes:-

132

8.1.1.1 Supplier or Supplier Affiliate’s directors, officers, employees, agents, auditors, consultants, contractors or sub-contractors;

8.1.1.2 the directors, officers, employees, agents, auditors or consultants of any Supplier Affiliate, contractor or sub-contractor utilized by Supplier to provide any Services pursuant to any Work Order.

8.2 “Supplier Affiliate” means and includes any entity that directly or indirectly controls, is controlled by, or is under common control with Supplier, where “control” means the ownership of, or the power to vote, at least twenty (20%) percent of the voting stock, shares or interests of such entity. An entity that otherwise qualifies under this definition will be included within the meaning of “Supplier Affiliate” even though it qualifies after the execution of any Work Order between Citi and Supplier.

9 Inconsistency

In connection with any Services provided by Supplier to Citi, these terms and conditions are in addition to, and not in substitution for any other provision agreed between Citi and Supplier. In the event of any inconsistency between the provisions of this Malaysia Law Requirements, Work Order and the relevant master agreement relating to the Services, this Malaysia Law Requirements Schedule shall prevail to the extent of such inconsistency.

PART 2

WHERE THE AFFILIATE REFERRED TO IN PART 1 (THE ‘MALAYSIA AFFILIATE’) HAS ENGAGED ANOTHER CITI AFFILIATE TO PROVIDE SERVICES AND THAT OTHER CITI AFFILIATE USES THE SUPPLIER TO PERFORM THAT OTHER CITI AFFILIATE’S OBLIGATIONS TO THE MALAYSIA AFFILIATE

1 Confidentiality and Security

1.1 Supplier hereby acknowledges receipt of section 97 of the Banking and Financial Institutions Act, 1989 of Malaysia (“BAFIA”), section 178 of the Labuan Financial Services and Securities Act, 2010 of Malaysia (“LFSSA”) and section 43 of Securities Industry (Central Depositories) Act (“SICDA”), 1991 of Malaysia (see Appendix A attached hereto). Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, and to procure all Supplier Personnel and Supplier Affiliates to observe all precautionary measures to prevent disclosure of information that will cause the Malaysia Affiliate or any other Citi Affiliate to violate section 97 of the BAFIA, section 178 of the LFSSA, section 43 of the SICDA or otherwise be guilty of an offence there under.

Supplier further agrees and undertakes that it will not, and will covenant all Supplier Personnel and Supplier Affiliates not to do anything which will cause the Malaysia Affiliate or any other Citi Affiliate to violate section 97 of the BAFIA, section 178 of the LFSSA, section 43 of the SICDA or otherwise be guilty of an offence there under.

133

1.2 Supplier shall not disclose any Malaysia Affiliate’s customer information to any person (save for disclosure to Supplier’s employees (and only to the extent necessary in order to fulfill the purposes contemplated by the relevant Work Order)).

1.3 Supplier shall at all times take technical, personnel, organizational and other measures to ensure:-

1.3.1 the confidentiality of customer information between its various customers; and

1.3.2 that all the Malaysia Affiliate’s information, materials and assets can be clearly identified and segregated so that such information, materials and assets can either be removed from the possession of Supplier in order for the Malaysia Affiliate to continue its business operations, or deleted, destroyed or rendered unusable.

1.4 Supplier shall retain all documents in connection with the provision of the Services in accordance with Citi’s record retention policies or for such longer periods as may be reasonably instructed in writing by the Malaysia Affiliate from time to time.

1.5 This Clause 1 (Confidentiality and Security) of Part 2 of this Malaysia Law Requirements Schedule shall survive termination or expiration of the relevant Work Order between Supplier and Citi.

2 Monitoring and Control

Supplier agrees to (i) meet with Citi and/or the Malaysia Affiliate at any time and from time to time upon prior written notice being given to Supplier at the reasonable request of Citi or the Malaysia Affiliate to review the Services provided by Supplier to Citi (but only to the extent that it is relevant to the Services provided by Citi to the Malaysian Affiliate) and/or other matters of mutual interest to Supplier, Citi and the Malaysia Affiliate, and (ii) adopt any recommendations and/or measures reasonably proposed by Citi or the Malaysia Affiliate to ensure, inter alia, compliance with legal and regulatory obligations.

3. Assignment and Sub-contracting

3.1 In respect of the Services provided by Supplier to Citi to enable Citi to perform the services provided by Citi to the Malaysia Affiliate or to support the services provided by Citi to the Malaysia Affiliate, Supplier shall not assign, outsource or subcontract any or all of those Services to any third parties without the prior written consent of Citi and the Malaysia Affiliate, and for the avoidance of doubt, the term “third parties” includes Supplier Affiliates, agents, consultants, contract non-employee workers, contractors, sub-contractors and third party hires.

134

3.2 To the extent that Supplier is so permitted to assign, outsource or subcontract any of its obligations, Supplier shall procure the compliance by all assignees/outsourcees/sub-contractors with the provisions of the Work Order and this Malaysian Law Requirements relating to the performance of such obligations (including, without limitation, provisions relating to security and confidentiality, audit and inspection and business continuity management).

3.3. Where Citi and the Malaysia Affiliate has consented to Supplier assigning, outsourcing or sub-contracting any or all of its obligations set forth in the relevant Work Order to a third party, Citi and/or the Malaysia Affiliate may require Supplier to, and Supplier shall (if so required by Citi and/or the Malaysia Affiliate), provide to Citi and/or the Malaysia Affiliate written notification of any variation or termination of the agreement between Supplier and that third party. The written notification shall be provided to Citi and/or Malaysia Affiliate within three (3) days of the variation or termination.

4 Right of Audit

4.1 Subject to Clause 5 (Examinations, Review and Audits) of Part 2 of this Malaysia Law Requirements Schedule, Supplier will allow Citi’s and the Malaysia Affiliate’s internal or external auditors (i) to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services provided by Supplier, and (ii) to obtain copies of any report and finding made on Supplier in conjunction with the Services performed for Citi. Supplier shall cooperate with Citi’s and/or the Malaysia Affiliate’s internal and external auditors to ensure a prompt and accurate audit.

4.2 Subject to Clause 5 (Examinations, Review and Audits) of Part 2 of this Malaysia Law Requirements Schedule, Supplier will allow (with reasonable prior notice from Citi or the Malaysia Affiliate) the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve Board (“FED”), the Labuan Financial Services Authority (“LFSA”), Bank Negara Malaysia (“BNM”), the Securities Commission of Malaysia (“SC”) and any other authority having jurisdiction over Citi or the Malaysia Affiliate (the OCC, FED, LFSA, BNM, SC and any other authority having jurisdiction over Citi or the Malaysia Affiliate shall hereinafter be referred to as “Regulator”) or any agent appointed by any Regulator, to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services including but not limited to (i) records and documents relating to transactions, (ii) reports and findings made on Supplier in conjunction with the Services, and (iii) the internal controls adopted by Supplier with respect to preservation of the confidentiality of data generally, and Citi’s and the Malaysia Affiliate’s Confidential Information specifically (where applicable). Supplier will ensure that these requirements are made part of its arrangements with any party that Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup Suppliers.

4.3 Supplier confirms that other than as provided in Clause 5 (Examinations, Reviews and Audits) of Part 2 of this Malaysia Law Requirements Schedule, no governmental, regulatory, statutory or other approvals are required by it in

135

respect of the inspection, examination and audit referred to in paragraphs 4.1 and 4.2 above.

4.4 Supplier will give due consideration to the findings and recommendations of any Regulator and those of the internal or external auditors of Citi and/or Malaysia Affiliate. The parties shall discuss, in good faith, the feasibility of implementing said findings and recommendations, as well as the assignment of costs in connection therewith. If Supplier elects not to comply with the findings and recommendations, Citi shall be entitled to terminate the relevant Work Order without penalty by giving Supplier sixty (60) days (or such other period as may be decided by Citi in consultation with the Malaysia Affiliate) prior written notice. During the notice period, Supplier shall not be compelled to comply with the findings and recommendations.

4.5 Supplier shall notify Citi and the Malaysia Affiliate if any Regulator or other person seeks access to the Malaysia Affiliate’s Confidential Information or if a situation arises where the rights of access of Citi, the Malaysia Affiliate, their respective internal or external auditors or any Regulator is restricted or denied.

5 Examinations, Review and Audits

As an examination, review or audit of the books, accounts or transactions of the Malaysia Affiliate may require the approval of the Malaysia Affiliate’s Regulator, any such examination, review or audit must be first approved by Citi and the Malaysia Affiliate.

6 Malaysia’s Export Control laws

Supplier shall execute the Letter of Assurance attached hereto as Appendix B if requested by Citi or the Malaysia Affiliate.

7 Definitions

In this Malaysia Law Requirements Schedule:-

7.1 “Supplier Personnel” means and includes:-

7.1.1.1 Supplier’s or Supplier Affiliate’s directors, officers, employees, agents, auditors, consultants, contractors or sub-contractors;

7.1.1.2 the directors, officers, employees, agents, auditors or consultants of any Supplier Affiliate, contractor or sub-contractor utilized by Supplier to provide any Services pursuant to any Work Order.

7.2 “Supplier Affiliate” means and includes any entity that directly or indirectly controls, is controlled by, or is under common control with Supplier, where “control” means the ownership of, or the power to vote, at least twenty (20%) percent of the voting stock, shares or interests of such entity. An entity that otherwise qualifies under this definition will be included within the meaning of “Supplier Affiliate” even though it qualifies after the execution of any Work Order between Citi and Supplier.

136

8 Inconsistency

In respect of the Services provided by Supplier to Citi to enable Citi to perform the services provided by Citi to the Malaysia Affiliate or to support the services provided by Citi to the Malaysia Affiliate, these terms and conditions are in addition to, and not in substitution for any other provision agreed between Citi and Supplier. In the event of any inconsistency between the provisions of this Malaysia Law Requirements, the relevant Work Order and the relevant master agreement relating to those Services, this Malaysia Law Requirements Schedule shall prevail to the extent of such inconsistency.

Appendix A

· Section 97 of the Banking and Financial Institutions Act, 1989 of Malaysia

· Section 178 of the Labuan Financial Services and Securities Act 2010 of Malaysia

· Section 43 of the Securities Industry (Central Depositories) Act 1991 of Malaysia

Appendix B

Customer/Vendor Letter of Assurance / End User Certification for the purposes of the Strategic Trade Act 2010

v20121220(CheeMing)

137

SCHEDULE M — NEW ZEALAND LAW REQUIREMENTS

(Version 1 — revalidated 15 April 2013)

A. PRIVACY

The Privacy Act (1993) applies to the handling of all personal information collected or held by government agencies and most businesses. Coverage of the private sector includes sole traders, major New Zealand-owned businesses and the local arms of overseas-owned businesses. The legislation identifies ‘personal information’ as information about an identifiable living person, irrespective of whether it is on a computer or a paper file. Supplier must take all reasonable steps to ensure that its employees, agents and Subcontractors comply with that Act.

B. UNSOLICITED ELECTRONIC MESSAGES ACT (2007)

The Unsolicited Electronic Messages Act (2007) applies to prohibit unsolicited commercial electronic messages with a New Zealand link from being sent. It requires the recipient to have consented (actual or implied) to receiving the electronic message and the electronic messages to include accurate information about the person who authorised the sending of the message and a functional unsubscribe facility in order to enable the recipient to instruct the sender that no further messages are to be sent to the recipient. Supplier must take all reasonable steps to ensure that its employees, agents and Subcontractors comply with that Act.

V20100205(MForde)/reval20130415(LauraCoffey)

138

SCHEDULE N — PHILIPPINES LAW REQUIREMENTS

(Version 1 — 9 May 2011)

Philippine Legal Vehicles (“the PHIL LVS”) shall include:-

(1) CITIBANK, N.A., PHILIPPINE BRANCH

(2) CITIFINANCIAL CORPORATION

(3) CITICORP FINANCIAL SERVICES AND INSURANCE BROKERAGE PHILIPPINES, INC.

(4) CITICORP SECURITIES INTERNATIONAL (R.P.), INC.

(5) CITICORP CAPITAL PHILIPPINES, INC.

(6) CITIBANK SAVINGS INC.

(7) CITIGROUP BUSINESS PROCESS SOLUTIONS PTE LTD. FORMERLY KNOWN AS CRESCENT SERVICES (PHILIPPINES) PTE. LTD.

(8) CITIBANK N.A., REGIONAL OPERATING HEADQUARTERS

1.1.1 Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, observe the Philippine bank secrecy laws as well as such other applicable legal or regulatory restrictions, as described in Appendix I hereto (collectively referred to herein as the “Philippine Laws and Regulations”) in connection with the provision of the Services pursuant to the Agreement, and further agrees and undertakes that it will not do anything which will cause Citi or any of its customers or Affiliates to violate any provision of the Philippine Laws and Regulations or otherwise be guilty of an offense thereunder. Supplier further undertakes to procure that its Personnel shall observe the Bank Laws and Regulations. Supplier undertakes that it, together with its Personnel, shall be liable with Citi should the disclosure of information by Supplier and its Personnel result to a violation by Citi of the Philippine Laws and Regulations.

1.1.2 Subject to clauses 1.1.8 and 1.1.9 below, if Supplier hires another person to assist it in the performance of the Services, or assigns or sub-contracts any portion of its rights or responsibilities or obligations to another person, Supplier shall cause the vendor, assignee, sub-contractor or delegate to be bound to retain the confidentiality of the information and comply with all other provisions of the Agreement. Supplier shall ensure that each and every vendor, assignee, Subcontractor or delegate will execute the Confidentiality and Secrecy Undertaking set out in Appendix II hereto, and submit a copy of the same to Citi upon request.

1.1.3 The parties agree that any unauthorized use or disclosure of information by Supplier may cause immediate and irreparable harm to Citi for which money damages may not constitute an adequate remedy. In such event, the parties agree that Citi may seek injunctive relief as appropriate.

1.1.4 Supplier agrees and undertakes, and shall procure all its Personnel, to segregate Citi’s data from its own data and data of any other entity.

1.1.5 Supplier shall permit the auditors and regulators of Citi, during normal business hours upon reasonable advance notice, to conduct an examination of Supplier’s business and operations in relation to the Services under the Agreement, and shall provide access to information as

139

may be requested by Citi. Supplier shall give due consideration to the implementation of the recommendations of Citi or its auditors or regulations for enhancing Supplier’s critical processes. Supplier shall further procure its Personnel to comply with and satisfy the findings and recommendations of the regulators and those of the internal and/or external auditors of Citi and/or Supplier. The parties shall discuss, in good faith, the manner in which the said findings and recommendations of the regulators and internal and/or external auditors shall be implemented, as well as the assignment of costs in connection therewith. If it is not possible or commercially expedient for Supplier to comply with the findings and recommendations or the parties fail to agree on the implementation of such recommendations, either party shall be entitled to terminate the Agreement by giving the other party sixty (60) days prior written notice. During the notice period, Supplier shall not be compelled to comply with the findings and recommendations.

1.1.6 Citi shall at all times retain the ownership of all master and transaction data files containing Citi Confidential Information.

1.1.7 Supplier shall maintain, at its sole expense, throughout the performance of its obligations, the following insurance coverage satisfactory to Citi:

1.2.1 fidelity insurance coverage for losses incurred as a result of dishonesty, fraud or misconduct on the part of its Personnel;

1.2.2 fire insurance providing coverage against loss or damage of Citi’s data and equipment due to fire; and

1.2.3 such other insurance policies as is customary for similar Suppliers.

None of the requirements contained herein as to types and approval of insurance coverage to be maintained by Supplier are intended to and shall not in any manner limit the liabilities and obligations assumed by Supplier under the Agreement.

1.1.8 Supplier acknowledges that Subcontractors, third party hires, secondees or vendors shall not be given access to Confidential Information until the use of such Subcontractors, secondees and third party hires and vendors have been approved by Citi.

1.1.9 The parties acknowledge that assignment and outsourcing arrangements that require the consent of Citi include the use of secondees, temporary staff and any other third party hire. Upon receipt of a request from Supplier, Citi shall review the proposed assignment and outsourcing arrangement and advise Supplier whether the approval of, or notification to, the BSP is required for such arrangement. Until such approval is obtained or notification is given, Supplier shall not enter into or implement such assignment or outsourcing arrangement for Services to Citi.

1.2.0 Supplier acknowledges that any variation to the Agreement may require the approval of, or notification to, the BSP. Supplier shall promptly advise Citi of any proposed amendment so that Citi may take the appropriate action.

1.2.1 Supplier confirms that it has a Continuity of Business Plan in place which have been properly tested, and shall provide said Continuity of Business Plan to Citi upon request.

140

Appendix I — PHILIPPINE LAWS AND REGULATIONS — PHILIPPINE BANK SECRECY LAWS

Appendix II — CONFIDENTIALITY AND SECRECY UNDERTAKING

V20110509L(Bibsy)

141

SCHEDULE O — SINGAPORE LAW REQUIREMENTS

(Version 3 — 30 April 2012)

1. DEFINITIONS

For the purposes of this Schedule and its Appendices, the following terms shall have the following meanings:-

(1) “Citi S’pore” shall refer to the customer and any Citi Affiliate in Singapore (each “Citi S’pore”);

(2) “Citi S’pore Information” shall include all tangible or intangible information and materials, in any form or medium (and without regard to whether the information is owned by Citi S’pore or by a third party), that is furnished or disclosed to Supplier by Citi S’pore (including Customer Information and Protected Information);

(3) “Customer Information” shall be as defined in Appendix I;

(4) “Protected Information” shall be as defined in Appendix V; and

(5) “third parties” includes affiliates, agents, consultants, contract non-employee workers, contractors, sub-contractors, third party hires of Supplier.

2. CONFIDENTIAL INFORMATION

2.1 Notwithstanding anything to the contrary and subject to the provisions in this Schedule, Supplier (i) shall not, without Citi S’pore’s prior written consent, disclose Citi S’pore Information (including Customer Information and Protected Information) provided pursuant to any Work Order in any manner except as expressly authorized by the Agreement and Work Order, and (ii) shall treat information with at least the same degree of care that it treats its own confidential information, but in no event with less than a reasonable degree of care.

2.2 Notwithstanding anything stated to the contrary, all Citi S’pore Information disclosed to Supplier shall remain the property of Citi S’pore.

2.3 Supplier shall at all times be capable of isolating and clearly identifying all Citi S’pore’s information, documents, records and assets that are processed by and/or stored with Supplier pursuant to the Agreement and Work Order. Supplier shall also ensure that all Customer Information and Protected Information is stored on servers dedicated for Citi S’pore use only. Supplier shall take technical, personnel and organizational measures in order to maintain the confidentiality of Citi S’pore Information between its various customers.

2.4 If Supplier is directed by court order, subpoena or other legal or administrative proceeding, regulatory or supervisory agency’s request or similar process to disclose any

142

Citi S’pore Information, Supplier shall notify Citi S’pore in writing (unless it has a legal obligation to the contrary), with a copy of such document attached, in sufficient detail immediately upon receipt of such court order, subpoena, legal or administrative, regulatory or supervisory agency’s request or similar process, in order to permit application by Citi S’pore for an appropriate protective order.

2.5 Supplier shall:

2.5.1 notify Citi S’pore if any overseas regulator or authority were to seek access to Citi S’pore Information or if a situation were to arise where the rights of access of Citi S’pore or Monetary Authority of Singapore (“MAS”) have been restricted or denied; and

2.5.2 attend to whatever queries MAS may have and cooperate with MAS in supervising the outsourcing risks to Citi S’pore.

2.6 Where Supplier provides Services to or deals with a Citi S’pore entity that is subject to the Banking Act, including without limitation, Citibank N.A. Singapore Branch, Citibank Singapore Limited and Citicorp Bank (Singapore) Limited, (a summary of Singapore laws and regulations is set out in Appendix I) the following provisions shall apply:-

2.6.1 Supplier hereby acknowledges receipt of a written notice from Citi S’pore highlighting Citi S’pore’s obligations of confidentiality under the Singapore Banking Act, (Cap. 19), and under the common law. The written notice is attached hereto as Appendix II.

2.6.2 Supplier agrees to execute the Confidentiality and Secrecy Undertaking in the form specified in Appendix III and Supplier hereby acknowledges that it is aware and understands the effect of, and agrees and undertakes to, and to procure all its employees, servants, agents, representatives and Personnel to observe all precautionary measures and prevent disclosure of information that will cause Citi S’pore or any of its Affiliates to violate:

2.6.2.1 its common law duty to its customers to keep the affairs of the customers of Citi S’pore confidential; and

2.6.2.2 its statutory duty pursuant to Section 47 of the Banking Act (Chapter 19) not to disclose any information relating to, or any particulars of, an account of a customer of Citi S’pore, whether the account is in respect of a loan, investment or any other type of transaction or deposit information to any person except as expressly provided in the Banking Act (Chapter 19).

2.6.3 Supplier further agrees and undertakes that it will not, and will covenant all employees, servants, agents, representatives and Personnel not to do anything

143

which will cause Citi S’pore or its Affiliates to violate any provision of Section 47 or otherwise be guilty of an offence thereunder.

2.6.4 Supplier shall procure the execution of the Confidentiality and Secrecy Undertaking in the form specified in Appendix IV by each of the Supplier Personnel appointed or to be appointed in connection with Work Order and/or to perform the Services or part thereof for and on behalf of Supplier.

2.6.5 Supplier and its employees shall not without Citi S’pore’s prior written consent further disclose Customer Information (as defined in the Singapore Banking Act) to any third parties unless required to do so by law. For the avoidance of doubt, Supplier’s Affiliate (other than one approved by Citi S’pore to provide the Services) shall be considered a third party for the purposes of this clause.

2.7 Where Supplier provides Services to or deals with a Citi S’pore entity that is subject to the Trust Companies Act, including without limitation, Cititrust (Singapore) Limited, the following provisions shall apply:-

2.7.1 Supplier hereby acknowledges Citi S’pore’s obligations of confidentiality under the Singapore Trust Companies Act, (Cap. 336) (the “Act”) (a summary of the Singapore laws and regulations is set out in Appendix V).

2.7.2 Supplier agrees to execute the Confidentiality and Secrecy Undertaking in the form specified in Appendix III. Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, and to procure all its employees, servants, agents, representatives and Personnel to observe all precautionary measures and prevent disclosure of information that will cause Citi S’pore or any of its Affiliates to violate its statutory duty pursuant to Section 49 of the Act not to disclose any “protected information” (as defined in Appendix V) except as expressly provided in the Act.

2.7.3 Supplier shall procure the execution of the Confidentiality and Secrecy Undertaking in the form specified in Appendix IV by each of the Supplier Personnel appointed or to be appointed in connection with Work Order and/or to perform the Services or part thereof for and on behalf of Supplier.

2.7.4 Supplier and its employees shall not, without Citi S’pore’s prior written consent, further disclose Protected Information (as defined in Appendix V) to any third parties unless required to do so by law. Supplier further agrees and undertakes that it will not, and will covenant all employees, servants, agents and representatives not to do anything which will cause Citi S’pore or any of its Affiliates to violate any provision of Section 49 or otherwise be guilty of an offence thereunder. For the avoidance of doubt, Supplier’s Affiliate (other than one approved by Citi S’pore to provide the Services) shall be considered a third party for the purposes of this clause.

144

3. BUSINESS CONTINUITY MANAGEMENT

3.1 Supplier represents, warrants and covenants that it has in place satisfactory business continuity plans (“BCP”), evidencing how Supplier shall, under exceptional circumstances, be in a position to perform its obligations under the Agreement, including but not limited to continuity of service, disaster (whether natural or man-made) recovery plans that minimize the probability and impact of interruption to Citi S’pore’s business including recovery time objectives and resumption operating capacities, back up processing, protecting program and data files and equipment for the orderly and expeditious provision of the Services. Supplier further represents and warrants that the BCP shall be in place for the entire term of the Agreement.

3.2 Supplier shall test the BCP in relation to the Services and all facilities used by it in connection with the BCP on a regular basis and notify Citi S’pore of any test finding that may affect Supplier’s performance. If Supplier makes any significant change(s) to the BCP or there are any adverse developments that may significantly impact the Services, it shall notify Citi S’pore in writing and provide a full description of such significant change(s) and/or adverse developments immediately.

3.3 In the event that such test(s) on the BCP in relation to the Services are reasonably required by Citi S’pore in connection with the testing of its own business continuity plan, Supplier shall co-operate fully with Citi S’pore to ensure that such test(s) are carried out as soon as reasonably practicable and accurately in accordance with Citi S’pore’s reasonable requirements.

3.4 Supplier shall at all times be capable of isolating and clearly identifying all of Citi S’pore’s information, documents, records and assets such that in adverse conditions, all documents, records of transactions and information given to Supplier, and assets of Citi S’pore, can be either removed from the possession of Supplier in order to continue its business operations, or deleted, destroyed or rendered unusable. Supplier shall also ensure that all Customer Information and Protected Information is stored on servers dedicated for Citi S’pore use only.

4. INSPECTION AND RIGHT TO AUDIT

4.1 Supplier agrees that the services it performs for a branch of a U.S. bank in Singapore are subject to examination of the Office of the Comptroller of the Currency (“OCC”) and MAS. Supplier shall:

4.1.1 allow Citi S’pore to obtain copies of any report and finding made on Supplier in conjunction with the Services under the Work Order;

4.1.2 allow the OCC, the MAS, or any agent appointed by OCC or MAS, to access Supplier to obtain records and documents, of transactions, and information of Citi S’pore given to, stored at or processed by Supplier, and the right to access any report and finding made on Supplier;

145

4.1.3 adopt supervisory actions and additional measures which MAS may require to be taken by Citi S’pore, depending on the potential impact of the outsourcing on Citi S’pore and the financial system, or as circumstances warrant; and

4.1.4 adopt appropriate corrective measures, including enforcement actions, imposed by OCC to address violations of law and regulations or unsafe or unsound banking practices by Citi S’pore or Supplier.

4.2 Supplier shall remove from its possession, delete, destroy or render unusable Citi S’pore’s information, documents, records and assets as directed by Citi S’pore, subject always to the legal requirements for the retention of records in Singapore. Supplier shall keep complete and accurate records of all of its work and expenses in providing the Services to Citi S’pore for a period of seven (7) years from the date from which the record was created.

4.3 Supplier shall, upon reasonable notice, allow Citi S’pore, its auditors and/or its regulators, the opportunity of inspecting, examining and auditing Supplier’s operations and business records which are relevant to the Services provided, including but not limited to, Supplier’s critical processes, to confirm that Supplier’s processes meet industry standards in such areas of contingency planning, continuity of business plans, software engineering and test processes, change control procedures, critical staff succession planning and compliance with applicable laws and regulations. Supplier shall cooperate fully with Citi S’pore’s internal or external auditors to ensure a prompt and accurate audit. If Citi S’pore provides recommendations for enhancing Supplier’s critical processes, then Supplier shall give due consideration to implementing such recommendations.

4.4 If an audit leads Citi S’pore to conclude that Supplier breached the provisions of the Agreement and/or Work Order or that any of Supplier’s business or professional practices related to the provision of the Services presents a risk of unauthorized disclosure of Confidential Information or Protected Information, Supplier and Citi S’pore shall use their best efforts to reach a mutually satisfactory resolution. Supplier shall also use its best efforts to correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi S’pore’s audit report.

5. MONITORING AND CONTROL

Supplier agrees to meet with Citi S’pore at any time and from time to time upon prior written notice being given to Supplier at the reasonable request of Citi S’pore to review all aspects of the Services provided by Supplier pursuant to a Work Order and/or other matters of mutual interest to Supplier and Citi S’pore and adopt any recommendations and/or measures reasonably proposed by Citi S’pore to ensure, inter alia, compliance with legal and regulatory obligations.

146

6. TERMINATION

6.1 Notwithstanding anything to contrary in the Agreement and/or Work Order, Citi S’pore shall have the right to terminate a Work Order with immediate effect and without penalty by giving written notice in the event that:

6.1.1 in Citi S’pore’s reasonable opinion, there has been, a breach of security, confidentiality or a demonstrable deterioration in the ability of Supplier to fulfill its obligations in a Work Order or to safeguard the confidentiality of Citi S’pore Information (including Customer Information and Protected Information);

6.1.2 Supplier undergoes a change in ownership;

6.1.3 Supplier shall (i) commence a voluntary case or other proceeding seeking liquidation, reorganization or other relief with respect to itself or its debts under any bankruptcy, insolvency, corporation or other similar law now or hereafter in effect that authorizes the reorganization or liquidation of Supplier or its debt or the appointment of a trustee, receiver, liquidator, custodian or other similar official of it or any substantial part of its property, or (ii) consent to any such relief or to the appointment of or taking possession by any such official in an involuntary case or other proceeding commenced against it, or (iii) make a general assignment for the benefit of creditors, or (iv) fail generally to pay its debts as they become due, or (v) take any corporate action to authorize any of the foregoing; or

6.1.4 an involuntary case or other proceeding shall be commenced by persons (that are not bound or affected by the Agreement and/or Work Order) against Supplier seeking liquidation, reorganization or other relief with respect to it or its debts under any bankruptcy, insolvency or other similar law now or hereafter in effect seeking the appointment of a trustee, receiver, liquidator, custodian or other similar official of it or any substantial part of its property, and such involuntary case or other proceeding shall remain undismissed and unstayed for a period of 60 days; or an order is entered by a court of competent jurisdiction affecting substantially all of the property or affairs of Supplier against which proceedings have been commenced under bankruptcy, insolvency or other similar laws as now or hereafter in effect and such order shall remain undismissed and unstayed for a period of 60 days.

6.2 Commencing upon notice to Supplier of termination of the Work Order and continuing through the effective date of termination, Supplier will provide to Citi S’pore reasonable termination assistance requested by Citi S’pore to allow the use of the Services without interruption or adverse effect and to facilitate the orderly transfer of the subject matter of the Work Order as desired by Citi S’pore. If requested by Citi S’pore, Supplier will reasonably cooperate with a third party supplier in connection with the preparation and implementation of a transition plan by such third party.

6.3 Upon termination of the Agreement and/or Work Order, Supplier shall allow Citi S’pore to remove from Supplier all Citi S’pore Information previously provided to Supplier (including without limitation, information incorporated in computer software or held in electronic storage media, together with any analyses, compilations, studies, reports or

147

other documents or materials containing any such data, customer information or protected information, as are in the possession or control of Supplier), and Citi S’pore shall be allowed to delete, destroy or render unusable by Supplier all such data, customer information or protected information previously given. Supplier shall certify in writing to Citi S’pore within seven (7) days of the termination of the Agreement and/or Work Order that it has not retained any such data, Customer Information or Protected Information in any form whatsoever.

7. ASSIGNMENT AND SUB-CONTRACTING

7.1 Notwithstanding anything to the contrary in the Agreement and/or Work Order, Supplier shall not assign, outsource or subcontract any or all of its obligations set forth in the Agreement and/or Work Order to any third parties without the prior written consent of Citi S’pore.

7.2 To the extent that Supplier is so permitted by Citi S’pore to assign, outsource or subcontract any of its obligations set forth in the Agreement and/or Work Order pursuant to the sub-clause above, Supplier shall procure the compliance by all assignees/outsourcees/sub-contractors (and their respective Personnel) with the provisions of the Agreement, Work Order and this Singapore Schedule relating to the performance of such obligations (including, without limitation, provisions relating to security and confidentiality, audit and inspection and business continuity management).

148

APPENDIX I - SINGAPORE LAWS AND REGULATIONS — Banking Secrecy under the Banking Act, Cap.19 (the “Act”)

APPENDIX II — BANKING SECRECY UNDER THE SINGAPORE BANKING ACT, (CAP. 19) AND BANK’S DUTY OF CONFIDENTIALITY UNDER COMMON LAW

APPENDIX III - SINGAPORE LAWS AND REGULATION — CONFIDENTIALITY AND SECRECY UNDERTAKING (FOR THE SUPPLIER)

APPENDIX IV - SINGAPORE LAWS AND REGULATIONS - CONFIDENTIALITY AND SECRECY UNDERTAKING (for Supplier’s employees/agents/servants/Personnel)

APPENDIX V - SINGAPORE LAWS AND REGULATIONS — Confidentiality under the Trust Companies Act, Cap. 336 of Singapore (the “Act”)

V20120430L

149

SCHEDULE P — SRI LANKA LAW REQUIREMENTS

(Version 1 — revalidated 6 May 2013)

The Bank has an obligation under the Common Law to keep the affairs of its customers confidential.

ADDITIONAL CLAUSES REQUIRED TO COMPLY WITH THE LAWS AND REGULATIONS APPLICABLE IN SRI LANKA.

In order to ensure compliance with the laws and regulations applicable in and specific to Sri Lanka, Supplier shall comply with the additional clauses set out in this Schedule:-

1. Audit and Inspection

1.1 Supplier shall:

1.1.1 maintain such records as may be agreed between Citi and Supplier relating to the Services provided by Supplier under this Agreement. Supplier shall procure that any sub-contractor appointed (if applicable and including any disaster recovery and back-up suppliers) shall also maintain complete and accurate records of all its work in relation to the Services sub-contracted to it;

1.1.2 subject to the approval of the applicable regulatory authorities of Supplier, allow Citi to conduct audits on Supplier, whether by its internal or external auditors, or by agents appointed by Citi; and to obtain copies of any report and finding made on Supplier in conjunction with the Services performed for Citi. Supplier shall co-operate with Citi’s internal and external auditors to ensure a prompt and accurate audit;

1.1.3 subject to the approval of the applicable regulatory authorities of Supplier, allow any duly authorised officer or representative of the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them, to access Supplier to obtain records and documents, of transactions, and information of Citi given to, stored at or processed by Supplier, the right to access any report and finding made on Supplier and to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services provided by Supplier under this Agreement, including but not limited to the internal controls adopted by Supplier with respect to preservation of the confidentiality of data generally and Citi’s information specifically (where applicable). Supplier should ensure and procure that these requirements are met in its arrangements with any sub-contractor that Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup suppliers;

1.1.4 adopt whatever supervisory actions and additional measures which the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them may require to be taken by Citi, depending on the potential impact of the

150

outsourcing on Citi and the financial system, or as circumstances warrant, as communicated by Citi to Supplier;

1.1.5 adopt whatever appropriate corrective measures, including enforcement actions, imposed by the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them, to address violations of law and regulations or unsafe or unsound banking practices by Citi or Supplier. Citi will communicate such measures to Supplier if the request made by the Central Bank of Sri Lanka or such other party is not addressed to Supplier; and

1.1.6 provide such information as may be required by Citi in a timely manner in order that Citi may comply with any requirements imposed on Citi by law, the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority.

1.2 Supplier agrees that the Services it performs for Citi are subject to examination and regulation of the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them.

2. Declarations of Secrecy

2.1 Supplier shall procure its employees, servants, agents, representatives and contractors to execute a confidentiality undertaking, in form and substance acceptable to Citi and Supplier.

3. Special clause/condition in software maintenance agreements or service agreements with software companies

3.1 Supplier shall ensure that any software maintenance agreements or service agreements entered into between Supplier and software companies (appointed with Citi’s prior written consent) includes a confidentiality clause substantially similar to the clause set out below.

“The parties agree that all information provided pursuant to this Agreement by each party to the other party is confidential and proprietary to the party providing the information and no party shall use any information provided by the other party for any purpose other than as permitted or required for performance under this Agreement. Each party agrees not to disclose or provide any information provided by the other party to any third party (with the exception of (i) any affiliate or subsidiary, which is bound to retain the confidentiality of the information; (ii) employees who have a need to know in the course of receiving or performing the Services pursuant to this Agreement, as the case may be, and such disclosure shall be to the extent required, provided that such employees are bound to retain the confidentiality of the information; (iii) third party vendors as necessary for Supplier to provide Services to Citi under this Agreement, provided that such vendors are bound to retain the confidentiality of the information; and (iv) Citi’s disclosure of data to its internal and external auditors) without the

151

express written consent of the other party, and each party agrees to take all reasonable measures, including, without limitation, measures taken by each party to safeguard its own confidential information to prevent any such disclosure by employees, agents, or contractors. In no event shall Citi divulge to any third party the contents in any invoices/charge documentation that it receives from Supplier, without the written consent of Supplier unless pursuant to any request made by the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them or by the Internal or External Auditors of Citi. Nothing provided herein shall prevent any party from disclosing information to the extent the information (i) is or hereafter becomes part of the public domain through no fault of that party; (ii) is received from and furnished to a third party without similar restriction on disclosure by such third party; (iii) is independently developed by it; (iv) is required to be disclosed under law or any applicable regulation, at the order of a court of law, or at the request or order of any statutory, regulatory or supervisory authority with whom it customarily complies; or (v) is already known to it. If either party hires another person to assist it in the performance of this Agreement, or assigns any portion of its rights or delegates any portion of its responsibilities or obligations under this Agreement to another person, the assigning or delegating party shall cause its assignee or delegate to be bound to retain the confidentiality of the information.”

3.2 Supplier shall obtain confidentiality undertakings, in form and substance acceptable to Citi and Supplier from such software companies and the employees of such software companies who are or will be engaged in the provision of the services contemplated in this Agreement.

4. Form of Undertaking

4.1 Citi confirms that the Undertaking set out in the Appendix I hereto is sufficient for the purposes of complying with clauses 2.1 and 3.2.

5. Compliance with Banking Act Directions No. 7 of 2010

5.1 Supplier shall do all such things necessary to ensure that Citi is in compliance with the Banking Act Directions No. 7 of 2010 “Outsourcing of Business Operations of Licensed Commercial Banks”(2), the following in particular:

5.1.1 Supplier shall have a satisfactory business continuity plan and conduct regular tests thereon.

(2) http://www.cbsl.gov.lk/pics_n_docs/09_lr/_docs/directions/bsd/bsd_2010/bsd7_2010%20on%20Outsourcing%20-%20LCBs.pdf

152

5.1.2 Supplier shall do all such things and provide all such information necessary to enable Citi to make transaction reports and suspicious transactions reports to the Financial Intelligence Unit, as provided under the Financial Transactions Reporting Act No. 6 of 2006(3).

APPENDIX I - UNDERTAKING(4)

V20110523L(Viraj Rajapakse(Ext))/reval20130506(Viraj-ext)

(3) http://www.cbsl.gov.lk/pics_n_docs/09_lr/_docs/acts/financial_transaction_reporting_act.pdf

(4) Note: for Service Provider’s employees, servants, agents, representatives and contractors to execute.

153

SCHEDULE Q — TAIWAN LAW REQUIREMENTS

(Version 3 — 25 April 2013)

A. REGULATOR CONTROL

1. Supplier shall, provided that it is not prohibited by any law, regulation or legal authority in the host country of Supplier:

(i) adopt whatever supervisory actions and additional measures which the Regulators (including but not limited to Office of the Comptroller of the Currency, the Financial Supervisory Commission, the Central Bank of the Republic of China, and any other Taiwan regulators, collectively referred to herein as the “Regulators”) may require to be taken by Citi (which may include obtaining necessary approvals or consents from the regulators of Supplier, if any, and negotiate and amend the Agreement and/or any contracts between Supplier and any sub-contractors to incorporate contract clauses mandated by the Regulators), depending on the potential impact of the outsourcing on Citi and the financial system, or as circumstances warrant; and

(ii) adopt whatever appropriate corrective measures, including enforcement actions, imposed by the Regulators to address violations of law and regulations or unsafe or unsound banking practices by Citi or Supplier.

2. Supplier agrees that the services it performs for branches of a U.S. bank in Taiwan or any Citi Affiliate in Taiwan are subject to examination and regulation of the Regulators.

3. Supplier allows Regulators based in Taiwan (hereinafter referred to as “Taiwan Regulators”) or any agent appointed by Taiwan Regulators/Citi, to obtain from Supplier, in a timely manner, records and documents, of transactions, and information of Citi given to, stored at or processed by Supplier, the right to access any report and finding made on Supplier and to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services provided by Supplier under this Agreement, including but not limited to the internal controls adopted by Supplier with respect to preservation of the confidentiality of data generally and Citi information specifically (where applicable). Supplier should ensure and procure that requirements consistent with the foregoing are met in its arrangements with any sub-contractor that Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup supplier. For the avoidance of doubt, it is understood that the abovementioned parties will be granted access only to information of Citi and/or Citi’s customers / employees. In addition, Citi shall ensure that any agent(s) appointed by Citi who it uses in connection with this Section to treat any information it receives as Confidential and, without limiting the foregoing, shall be liable to Supplier for any breach by such agent(s).

B. CONFIDENTIALITY AND SECURITY

1. All information, documents and records of transactions provided or generated pursuant to the Agreement, shall belong to Citi absolutely and Supplier shall while the same is in its possession hold the same for and on behalf of Citi and shall deliver the same forthwith upon request. The retention period of each document/record shall follow Citi’s record retention

154

schedule. Supplier’s obligations under this clause shall continue after the termination of the Agreement.

2. Any Confidential Information (including without limitation Confidential Information relating to Citi’s respective customer data), documents and records of transaction disclosed by Citi may only be used for the purpose they were disclosed and shall only be disclosed to the authorized persons of Supplier.

3. Supplier (i) shall not, without Citi’s prior written consent, disclose the information provided pursuant to the Agreement in any manner except as expressly authorized by the Agreement, (ii) shall treat information with at least the same degree of care that it treats its own confidential information, but in no event with less than a reasonable degree of care, (iii) shall prevent disclosure of information to unauthorized parties, and (iv) shall implement and maintain adequate security measures that are designed to safeguard the information of Citi from unauthorized disclosure, access, use and misappropriation. Supplier agrees that the database which is used for the storage and processing of transaction records and customer data of Citi shall effectively be segregated from that of Supplier and that of other institutions (the data of which is) handled by Supplier. The segregation shall be at least logically distinct and the access to the customer information shall be strictly controlled in order to avoid data misuse. Supplier shall notify Citi immediately of any loss or unauthorized disclosure or use of information that comes to its attention. Upon demand, or upon the termination of the Agreement, the parties shall comply with each other’s instructions regarding the disposition or return of the information in its possession or control. For the sake of clarity, in the event that the Service provided by Supplier to Citi involves multiple legal entities (each a “Service Recipient Entity”), Supplier shall ensure that the data of each Service Recipient Entity shall be effectively segregated from that of other Service Recipient Entity, that of Supplier, and/or that of other institutions (the data of which is) handled by Supplier.

4. Supplier shall at all times be capable of clearly identifying all of Citi’s information, documents, records and assets that are processed by and/or stored with Supplier pursuant to the Agreement. Supplier shall take technical, personnel and organizational measures in order to maintain the confidentiality of Citi’s information between its various customers.

5. If Supplier is directed by court order, subpoena or other legal or administrative proceeding, or similar process to disclose any of the information provided pursuant to this Agreement, Supplier shall notify Citi in writing (unless it has a legal obligation to the contrary), with a copy of such document attached, in sufficient detail immediately upon receipt of such court order, subpoena, legal or administrative, or similar process, in order to permit application by Citi for an appropriate protective order.

6. If Supplier receives any request from Supplier’s competent authority or any audits initiated by external regulators or authorized bodies which requires Supplier to provide Citi’s respective customer’s data and/or transaction records, Supplier shall provide prompt notice to Citi for Citi’s further notifying Taiwan Regulators. Without obtaining prior approval from Taiwan Regulators, Supplier shall not provide such customer data and transaction records to its competent authority or auditor.

155

C. MONITORING AND CONTROL

Supplier agrees to meet with Citi at any time and from time to time upon prior written notice being given to Supplier at the reasonable request of Citi to review all aspects of the Services provided by Supplier hereunder and/or other matters of mutual interest to Supplier and Citi and adopt any recommendations and/or measures reasonably proposed by Citi to ensure, inter alia, compliance with legal and regulatory obligations. Supplier further agrees, in accordance with the standard operating procedures set out in Citi corporate policies, to establish a customer protection system, a risk management system, an internal control system, an internal audit system, a mechanism to cooperate with Citi to settle consumers’ disputes and the management of personnel hired by Supplier. Supplier agrees to conduct regular and irregular internal audits and immediately notify Citi if the Services cannot be duly discharged, or there is difficulty, or a threat of encountering difficulty, in performing such Services.

D. COMPLIANCE WITH LAWS

Supplier shall not violate mandatory or prohibitive provisions of the law, public order or good morals, and shall ensure that the banking law, the anti-money laundering law, the personal data protection law, consumer protection law and other applicable laws and regulations in Taiwan (such laws and regulations to be communicated by Citi to Supplier from time to time, and thereafter to be summarized/set out in this Schedule) are complied with.

E. SUBCONTRACTING

Further to clause in the Agreement dealing with subcontracting:-

(i) Subject to the prior written approval of Citi, Supplier may subcontract any or all of its obligations set forth herein. Supplier should ensure the Subcontractor will be subject to and comply with the terms and conditions (where relevant) of the Agreement (including this Schedule Q- Taiwan Law Requirements).

(ii) Supplier shall cause those obligations and duties equivalent to Supplier’s obligations and duties under the Agreement to be adhered to by such Subcontractor. Supplier shall be responsible to Citi for the Subcontractor’s performance of such duties and obligations regardless of whether Supplier is negligent in respect of its selection or supervision of the Subcontractor.

(iii) Without prejudice to the above, and in accordance with the Financial Supervision Committee (“FSC”) Outsourcing Guidelines for Financial Institutions (as amended from time to time), Supplier’s agreements with its sub-contractors shall, at the minimum, specify the following matters, in order to maintain the quality of the outsourced services:-

(1) The specific outsourced items and the scope thereof, as well as the rights and duties of the sub-contractors.

(2) The relevant Taiwan laws and regulations (including the Banking Law, Anti-Money Laundering Law, the Personal Data Protection Law, Consumer Protection Law and other laws and regulations) applicable to Citi with which the sub-contractors must comply (such laws and regulations to be provided/updated by Citi from time to time).

(3) The protection of consumer rights, including confidentiality and security measures regarding Citi’s information.

(4) The consumer protection, risk management, internal control and internal audit

156

systems to be implemented by the sub-contractor in accordance with the standard operating procedures set out in Citigroup corporate policies.

(5) Procedure for settlement of consumer disputes should follow Citigroup corporate policies.

(6) Management of personnel hired by the sub-contractors, including hiring, review and sanctions related to its personnel, should follow Citigroup corporate policies.

(7) Material events which constitute cause for termination of the outsourcing agreement including provisions regarding the termination or recession of the agreement upon notification of the Regulators.

(8) The agreement of the sub-contractors that the Regulators may request relevant information or reports and conduct financial audits, or may order such sub-contractors to provide relevant information or reports within prescribed deadlines.

(9) Agreement that the sub-contractors shall not use the name of Citi when dealing with the public in the course of handling the outsourced matters.

F. IDENTITY OF SUPPLIER

Supplier shall provide Services to Citi and shall not hold itself out to others as Citi. Supplier shall not engage in untrue advertisements or collect fees from consumers when dealing with the public in the course of handling the Services.

V320130425(Jessy)

157

SCHEDULE R — THAILAND LAW REQUIREMENTS

(Version 1 — revalidated 20 Mar 2013)

BOT Notification No. Sor Nor Sor. 8/2553 re: Guideline on Outsourcing in Financial Institution’s Business Operations and BOT Notification No. Sor Nor Sor. 29/2551 re: the Use of Services on Information Technology from Other Suppliers

1. Right to audit and access

1.1 With a reasonable prior written notice to Supplier, Supplier shall allow Citi, its regulators (including but not limited to Bank of Thailand, the Anti-Money Laundering Office of Thailand) or any person appointed by them and/or its internal and external auditors to (i) access any report and finding made on Supplier in connection with the Services performed for Citi; (ii) access to the business premises of Supplier in the exercise of its right herein; (iii) inspect, examine and audit Supplier’s operations and records in relation to the Services provided by Supplier under the Agreement including but not limited to the internal controls and the confidentiality and security system; and (iv) obtain and make copies of reports, documents of transactions and information stored or processed by Supplier in connection with the Services pursuant to the Agreement.

1.2 If an audit leads Citi to conclude that Supplier breached the provisions of the Agreement or that any of Supplier’s business or professional practices related to its performance of Services presents a risk of unauthorized disclosure of information, Supplier and Citi shall use their best efforts to reach a mutually satisfactory resolution. Supplier shall also use its best efforts to correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit report.

2. Information Security

2.1 Supplier shall maintain the information of Citi and its customers as confidential and shall not, without the prior written consent of Citi, disclose any such information to any third party, either orally or in writing, unless such disclosure is required by law or legal process.

2.2 Supplier acknowledges the proprietary and sensitive nature of the information and the importance of maintaining the secrecy and confidentiality of such information.

2.3 Supplier agrees and undertakes, and shall procure all its personnel, to segregate Citi’s data from its own data and data of any other entity and to stipulate a data access right of Supplier’s Personnel strictly to protect confidentiality of Citi’s and its customer’s information.

2.4 Supplier agrees to indemnify, defend and hold harmless Citi from any costs (including reasonable attorneys’ fees and court costs), penalties, or other losses caused by, or related to, any violation or breach of these provisions by Supplier, or any of its Personnel, agents or Subcontractors.

158

3. Continuity of Business and Transition Services

3.1 Supplier shall have an effective contingency plan or transition plan for recovery of any disruption and/or delay of Services providing under the Agreement. The plan shall control recovery from disaster and other contingencies. Recovery procedures shall be tested and maintained regularly.

3.2 Upon expiration or termination of any of Services, Supplier will provide to Citi reasonable termination assistance requested by Citi to allow the use of Services without interruption or adverse effect and to facilitate the orderly transfer of the subject matter of the Agreement as desired by Citi. If requested by Citi, Supplier will reasonably cooperate with a third party Supplier in connection with the preparation and implementation of a transition plan by such third party or Citi upon the termination or expiration of the Services or Agreement.

3.3 Upon termination of any Service, Supplier shall return, destroy or delete all confidential information and personal information of Citi or its customers previously given (including without limitation, information incorporated in computer software or held in electronic storage media, together with any analyses, compilations, studies, reports or other documents or materials containing any such confidential information or personal information, as are in the possession or control of Supplier) subject to the legal requirements for retention of records. Supplier shall certify in writing to Citi within 30 days of the termination of the Services that it has not retained any such confidential information or personal information in any form whatsoever.

4. Proprietary Rights

Supplier acknowledges that Citi owns and shall continue to own all intellectual property rights in its proprietary documents data and other materials and all of its confidential information (“Proprietary Information”), provided however that Supplier will have a non-exclusive, royalty free license right to use the Proprietary Information to fulfill its obligations under the Agreement solely during the terms of the Agreement.

5. Assignment / Subcontracting

5.1 Supplier may outsource or subcontract the performance of any of its obligations hereunder with a prior written consent of Citi. Nothing in the Agreement shall be construed to create any contractual relationship between Citi and any Subcontractor, nor any obligation on the part of Citi to pay or see to the payment of any money due to any Subcontractor, except as may be otherwise required by law.

5.2 If Supplier is permitted to outsource or subcontract to third parties any of its obligations set forth in the Agreement, Supplier shall procure the compliance by all outsourcees, sub-contractors or agents with the provisions of the Agreement relating to the performance of such obligations (including, without limitation, provisions relating to security and confidentiality, audit and inspection and business continuity management). Nevertheless, Supplier remains fully responsible for such obligations and for all acts or omissions of its Subcontractors or agents.

159

6. Compliance with applicable laws

Supplier shall comply and ensure its Personnel comply with all applicable laws in the performance of its obligations including but not limited to complying with any supervisory actions or additional measures required by the regulators of Citi. If at any time during the term of the Agreement, it is or may be in violation of any applicable law which may have a material adverse affect upon the provisions of the Services (or if it’s so determined by the government body), both parties shall use its good faith efforts to amend the Agreement or change the Services in a manner that does comply, failing which, Citi shall terminate the Agreement.

V20100928L(V.Charkhinee)/reval20130320(Charkhinee)

160

SCHEDULE S — VIETNAM LAW REQUIREMENTS

(Version 1 — revalidated 17 Jan 2013)

For the purposes of each Work Order made between Supplier and Citi, the following terms and conditions shall be added to the Agreement and the Work Order, as applicable, in its entirety:

A. REGULATOR CONTROL OF THE VIETNAM ENTITY

Supplier and Citi, as the case may be, shall be subject to and shall fully comply with and abide by the laws of the Socialist Republic of Vietnam which include, but are not limited to, finance and banking laws and regulations applicable to the execution and implementation in force from time to time and each party warrants that the required approvals (if any) have been obtained and will be maintained for the duration of the Work Order concerned.

With regards to the foreign exchange control, Citi and Supplier shall comply with the requirements of the Civil Code 2005, the Foreign Exchange Control Ordinance No. 28/2005/PL-UBTVQH11, Decree 160/2006/ND-CP dated 28 December 2006 of the Government on foreign exchange control and any implementation guidelines, replacement, supplement or in addition thereof and other laws and regulations as may be applicable from time to time.

B. CONFIDENTIALITY AND DATA PROTECTION

1. Supplier will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Citi’s Confidential Information that are (a) at least equal to industry standards for such types of locations, and (b) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access of Citi’s Confidential Information. Without limiting the generality of the foregoing, Supplier will take all reasonable measures to secure and defend its location and equipment against “hackers” and others who may seek, without authorization, to modify or access Supplier’s systems or the information found therein. Supplier will periodically test its systems for potential areas where security could be breached. Supplier will immediately report to Citi any breaches of security or unauthorized access to Citi’s systems that Supplier detects or becomes aware of. Supplier will use diligent efforts to remedy such breach of security or unauthorized access in a timely manner and deliver to Citi a root cause assessment and future incident mitigation plan with regard to any breach of security or unauthorized access affecting Citi’s Confidential Information.

2. Supplier hereby acknowledges receipt of a written notice from Citi highlighting Citi’s obligations of confidentiality and data protection under Law on Credit Institutions (Article 13, 14 and 15) and Decision 35/2006/QD-NHNN Chapter II. The written notice is attached hereto as Appendix I. Supplier hereby undertakes that Supplier shall fully understand and strictly comply with the local laws and regulations applicable to the services provided by Supplier under the Agreement and Work Order, including but not limited to the Law on Credit Institutions of Vietnam (Article 13, 14 and 15) and Chapter II of Decision 35/2006/QD-NHNN.

161

3. Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, and to procure all its Personnel, third party vendors and Supplier Affiliates to observe all precautionary measures and prevent disclosure of information that will cause Citi to violate Law on Credit Institutions (Article 13, 14 and 15) and Decision 35/2006/QD-NHNN Chapter II.

Supplier further agrees and undertakes that it will not, and will covenant all its Personnel, third party vendors and Supplier Affiliates not to do anything which will cause the Vietnam Entity or any of its customers to violate the laws set out herein.

4. Supplier (i) shall not, without Citi’s prior written consent, disclose the information provided pursuant to the Agreement and the Work Order in any manner (read with this Schedule) and (ii) shall treat information with at least the same degree of care that it treats its own confidential information, but in no event with less than a reasonable degree of care.

5. Supplier and its employees shall not without Citi’s prior written consent further disclose Citi Confidential Information to any person (save for disclosure to Supplier’s employees in compliance with Citi’s policies and procedures). For the avoidance of doubt, the term “person” includes Supplier’s Affiliates.

6. Citi may have Confidential Information of an Affiliate and in connection with the Services provided by Supplier to Citi, Citi may disclose Confidential Information of an Affiliate to Supplier. Citi will inform Supplier whether Confidential Information of an Affiliate is being provided to Supplier in connection with the Services provided by Supplier to Citi. Supplier shall not disclose that Confidential Information to any other party (including, for the avoidance of doubt, any other Affiliate) unless such disclosure is with the written consent of Citi. Supplier shall further comply with the Schedule applicable to that Affiliate.

7. Supplier shall at all times be capable of segregating and clearly identifying all of Citi’s information, documents, records and assets that are processed by and/or stored with Supplier pursuant to the Agreement and the Work Order. Supplier shall take technical, personnel and organizational measures in order to maintain the confidentiality of Citi’s information between its various customers.

APPENDIX I - LAW ON CREDIT INSTITUTIONS dated 16 June 2010 (QUOTED)

V20110516L(Nghia-Quang)/reval20130117(Nghia-Quang)

162

SCHEDULE T - LOCAL COUNTRY ADDENDUM — CANADA

(“Canada Addendum”)

1. General

1.1. This Canada Addendum shall apply to:

1.1.1. any Work Order which refers to this Canada Addendum, or

1.1.2. any Work Order where Services or Deliverables to the extent (and only to the extent) they are to be provided either in Canada, or to, or for the benefit of, Citi or its Affiliates in Canada, or

1.1.3. any Work Order made between Citi and Supplier, whereby Citi is an entity located in Canada or organized under the laws of Canada (or any jurisdiction therein) (a “Canadian Entity”).

1.2. Save as otherwise set out in this Canada Addendum, the Parties shall comply with the Master Agreement and the relevant Work Order in the provision and receipt of Services and Deliverables.

1.3. In the event of any conflict between the provisions of any of the Master Agreement, this Canada Addendum, and the Work Order, the terms of Section 28.1 of the Master Agreement shall apply.

1.4. This Canada Addendum and any amendments, alterations and additions thereto shall be considered as an integral part of the Master Agreement and each relevant Work Order. This Canada Addendum may be amended only by the written agreement that specifically purports to do so.

1.5. If not defined otherwise, the terms used in this Canada Addendum shall have the same meaning as defined in the Master Agreement or Work Order.

2. Provisions required by local laws or regulations

The following amendments, deletions and additions to the Master Agreement shall apply in their entirety:

2.1. Further to Section 1.1 of the Agreement,

2.1.1. “Applicable Laws” shall include but is not limited to, inter alia, (a) the Personal Information Protection and Electronic Documents Act (Canada), and any other applicable provincial / territorial and federal privacy legislation; (b) the Canadian Corruption of Foreign Public Officials Act; (c) Canada’s Anti-Spam Legislation (“CASL”), and (d) the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada) including any regulations, guidelines or orders thereunder, any Canadian laws, regulations or orders governing transactions in controlled goods or technologies to or dealings with countries, entities, organizations or individuals subject to economic sanctions and similar measures, including the Special Economic Measures Act (Canada), the United Nations Act

163

(Canada), the Freezing Assets of Corrupt Foreign Officials Act (Canada), Part II.1 of the Criminal Code (Canada) and the Export and Imports Permits Act (Canada) and any related regulations.

2.1.2. any reference in the Agreement to “Regulator” shall include, but is not limited to the Office of the Superintendent of Financial Institutions (“OSFI”).

2.2. All references to the words “social security” in the Agreement and any of the Appendices shall be deleted and replaced with “social insurance”.

2.3. Further to the obligations contained in Section 3.3.3 of the Agreement, Supplier expressly agrees that it will comply, and will cause its Personnel to comply, with the regulations and amendments thereto issued from time to time by OSFI, to the extent applicable.

2.4. Section 5.6 of the Agreement shall be deleted in its entirety and replaced with “[Intentionally Omitted]”.

2.5. Further to Section 5.7 of the Agreement, Supplier shall adhere to all regulatory and legal requirements: Background checks on all Supplier Personnel performing Services on-shore and off-shore must be completed. The results of the clear/successful checks must be communicated electronically to Citi 3 business days prior to a candidate commencing work on the project both onsite or offsite.

At a minimum, the background checks must consist of:

2.5.1.	Criminal check;
2.5.2.	Credit check; and
2.5.3.	Public Safety.

In addition to the above background checks, the Supplier must provide a detailed background check and submit the clear / successful check within thirty (30) days of the candidate commencing work on the project both onsite or offshore. At a minimum, the detailed background checks must consist of:

(a) Employment verification for prior seven years; and

(b) Education verification.

2.6. Section 5.9 of the Agreement shall be deleted in its entirety and replaced with “[Intentionally Omitted]”.

2.7. Further to Section 11.1 of the Agreement, for greater certainty, the country Price Index for Canada shall the Consumer Price Index (for all items, Ontario) as published by Statistics Canada from time to time, currently found at http://www.statcan.gc.ca/tables-tableaux/sum-som/l01/cst01/cpis01g-eng.htm.

2.8. Further to Section 12.3.1 of the Agreement, any reference in the Agreement to Applicable Laws in this section shall include, but is not limited to, the Canadian Corruption of Foreign Public Officials Act.

164

2.9. The words “, and pre-employment drug testing” shall be deleted from Section 12.6 of the Agreement.

2.10. Further to Section 12.6, with respect to its Personnel assigned to Citi within Canada:

2.10.1. Supplier will provide Citi with a list of all temporary foreign workers it intends to assign to a Project. Supplier shall cause its non-Canadian Foreign Nationals to execute and return to Citi the appropriate Foreign National Contractor Letter of Assurance set forth as Exhibit 1 of Appendix 3.2 to the Agreement three (3) business days prior to the candidate beginning work on a Project. Before commencement of the a Work Order, and upon request by Citi at reasonable intervals thereafter, the Supplier shall deliver to Citi clearance certificates from the applicable workplace safety insurance (workers’ compensation) authority confirming that all required premiums, assessments and contributions have been paid by the Supplier and its Subcontractors, if any. Before final payment is made by Citi, the Supplier shall deliver similar certificates to Citi with its application for final payment with its application for final payment;

2.10.2. Supplier further represents, warrants and covenants that: (i) it is in compliance, and will remain in compliance, with the Immigration and Refugee Protection Act (Canada) , as amended; (ii) it maintains and effectively administers comprehensive policies and procedures to comply with such Applicable Law, for its Personnel within Canada; and (iii) its Personnel providing Services from a location within Canada are providing Services in compliance with the Immigration and Refugee Protection Act (Canada), as amended, all applicable regulations and requirements of any other immigration-related Applicable Law;

2.10.3. Supplier agrees to execute and provide to Citi the Work Authorization Attestation attached as Appendix 12.6.2 prior to any one of its Personnel providing Services at any Citi office located in Canada. Supplier will also provide Citi with any information and documentation Citi deems required to confirm that the temporary foreign workers are permitted to work in Canada and that Supplier has complied with all immigration and employment-related Applicable Law, including but not limited to the Immigration and Refugee Protection Act (Canada), as amended; and

2.10.4. In the event that any of Supplier Personnel providing Services from a location within Canada are in breach of this section, Supplier, at its sole cost and expense, will: (i) immediately remove those Personnel; (ii) promptly provide replacement Personnel with equal or better skills as the Personnel that has been removed; (iii) promptly provide all training to replacement Personnel (at no cost or charge to Citi) to enable the replacement Personnel to provide Services required under the applicable Work Order; and (iv) following completion of all required training, provide one (1) month of replacement Personnel Services under the applicable Work Order at no cost or charge to Citi.

165

2.11. Regulatory Audit. In addition to the rights set out in Section 14.2 of the Agreement, the Supplier acknowledges and agrees that Regulators, specifically, but not limited to OSFI are entitled to regulate, investigate, or influence any matters within this Agreement or any other affairs of Citi, and from time to time require the right, whether by virtue of Applicable Law, regulation, code of conduct, or otherwise, to investigate the affairs of Citi and accordingly the Supplier agrees to provide such access as is referred to in Section 14.2 and all such other access, information, and assistance as OSFI or any such Regulator properly require in order to fulfill such requirements. If the Supplier considers that any requirements relates to information which is confidential to the Supplier, the Supplier will be entitled to disclose the information directly to OSFI or any such Regulator without having to disclose it to Citi. The Supplier shall ensure that all permitted subcontractors will cooperate with the foregoing.

2.11.1. The Supplier, with respect to any files maintained or preserved on behalf of Citi, hereby undertakes to permit examination of such files at any time or from time to time during business hours by representatives or designees of OSFI or any other Regulator and to promptly furnish to OSFI or any other Regulator or its designees true, correct, complete and current hard copies of any or all of any part of such files.

2.11.2. With respect to any internal or external audit reports (and associated working papers and recommendations) prepared by or for the Supplier in respect of any of the Services being performed for Citi, the Supplier shall permit OSFI or any other Regulator to access and make copies of any such reports, papers and recommendations, subject to OSFI or such Regulator agreeing to sign appropriate confidentiality documentation in form and content satisfactory to the Supplier, acting reasonably and without delay.

2.12. Section 19.2(i)(a) shall be deleted in its entirety and replaced with the following:

“(a) Subcontractors are obligated to fully uphold and comply with the same obligations and responsibilities as Supplier under this Agreement, any applicable Work Orders and the Canada Addendum, including those under Sections 5 (Policies and Procedures), 9 (Proprietary Rights), 13 (Confidential Information), 14 (Right to Audit), 15 (Publicity), 22 (Compliance with Law) and 27 (Soliciting for Hire) and”.

2.13. Further to Section 21.1 of the Agreement, for any matter involving the subject matter of this Canada Addendum, each party hereto will, in addition to any notices required under the Agreement, a copy of all notices from Supplier shall be sent to “Citi Procurement Services Canada, 5900 Hurontario Street, Mississauga, Ontario, L5R 0B8, Attn: Head of Canada Procurement”. A copy of any notice from Supplier that alleges the Citi committed a material breach shall be sent by certified or registered mail (return receipt requested) or commercial express courier (with tracking capabilities) to the address set forth in the preceding sentence, to “Citibank Canada, 123 Front Street West, 17th Floor, Toronto, Ontario, c/o General Counsel’s Office, Attn: General Counsel”.

2.14. Further to the obligations contained in Section 22.2 of the Agreement, each Party will, in connection with the activities contemplated by this Agreement, comply with the Canadian Applicable Law, any regulations or orders governing transactions in controlled

166

goods or technologies to or dealings with countries, entities, organizations or individuals subject to economic sanctions and similar measures, including the Special Economic Measures Act (Canada), the United Nations Act (Canada), the Freezing Assets of Corrupt Foreign Officials Act (Canada), Part II.1 of the Criminal Code (Canada) and the Export and Imports Permits Act (Canada) and any related regulations.

2.15. The following language shall be added at the end of Section 22.5 as Section 22.5.1:

“22.5.1 In the event that the OSFI or any other Regulator takes control of Citi for any reason, Supplier may discontinue the Services provided under a Work Order on sixty (60) days’ written notice to OSFI or any other relevant Regulator. Notwithstanding any delivery of written notice by Supplier to OSFI or any other Regulator pursuant to this Section 2.9 with respect to Citi or an Affiliate, the Supplier shall continue to provide the Services to Citi prescribed herein under OSFI’s or any other Regulator’s direction and control until such time as the notice period has expired.”.

2.16. Further to Section 22.7 of the Agreement, any reference in the Agreement to Data Privacy Laws shall include, but is not limited to, the Personal Information Protection and Electronic Documents Act (Canada) and the Privacy Act (Canada) and any other applicable law.

2.17. The first sentence of Section 23.1 shall be deleted and replaced with “This Agreement and the respective rights and obligations of the Parties shall be governed by the laws of the Province of Ontario and the laws of Canada therein.”

2.18. The first paragraph of Section 3 of Appendix 13 shall be deleted and replaced as set forth below. The remaining subsections of Section 3 (3.1 and 3.2) remain unchanged.

“3. Duty of Care and Use Restrictions. The Party receiving Confidential Information (“Receiving Party”) of the other Party (“Disclosing Party”) will exercise at least the same degree of care with respect to the Disclosing Party’s Confidential Information that the Receiving Party exercises to protect its own Confidential Information; and, at a minimum, the Receiving Party will adopt, maintain and follow security practices and procedures that are sufficient to safeguard the Disclosing Party’s Confidential Information from any (i) unauthorized disclosure, access, use or modification; (ii) misappropriation, theft, destruction, or loss; or (iii) inability to account for such Confidential Information. Without limiting the generality of the foregoing, the Receiving Party will only use or reproduce the Disclosing Party’s Confidential Information to the extent necessary to enable the Receiving Party to fulfill its obligations under the Agreement to which this Appendix is attached, or in the case of Citi, to exercise its rights as contemplated by the Agreement to which this Appendix is attached. In addition, the Receiving Party will disclose the Disclosing Party’s Confidential Information only to those of the Receiving Party’s (or in the case of Citi, also to its Affiliates’) Personnel who have a “need to know” such Confidential Information (and only to the extent necessary) in order to fulfill the purposes contemplated by the Agreement. Supplier will ensure that each of its Personnel who will be providing Services for Citi shall be bound to uphold the obligations of confidentiality set forth herein. Supplier further acknowledges that Citi and its Affiliates are subject to internal policies (copies of which shall be made available to Supplier upon request) and

167

Applicable Law which governs and restricts the collection, storage, processing, dissemination and use of Personal Information, including any Personal Information relating to Citi’s and Affiliates’ respective customers, suppliers and Personnel. Supplier agrees not to collect, store, process, disseminate or use any such Personal Information obtained from Canadian Entity except to the extent otherwise expressly directed by Canadian Entity in writing (either within the provisions of this Agreement or otherwise). Supplier acknowledges that it will comply (including cooperating with any requests or instructions concerning data protection laws issued by any privacy or data protection authority/regulatory body) at all times with the Personal Information Protection and Electronic Documents Act (Canada) and other applicable Canadian provincial/territorial and federal privacy legislation. If there is any actual or suspected theft from Supplier or any accidental disclosure or any unauthorized intrusions into Supplier’s facilities or secured systems affecting Canadian Entity’s Personal Information, Supplier shall promptly, but no later than three (3) days after becoming aware thereof, notify Canadian Entity and shall cooperate fully with Canadian Entity to notify Canadian Entity’s customer(s) or Personnel as to the fact of and the circumstance of such disclosure and/or unauthorized intrusions. Supplier shall provide all notices required by this Section to Citigroup Canada’s Privacy Office at 1-888-245-1112 with written reports directed to Citigroup Canada Privacy Officer, Citigroup Canada, 123 Front Street West, 17th floor, Toronto Ontario M5J 2M3.”.

2.19. The following language shall be added at the end of Section 14 as Section 15 of Appendix 13:

“The Supplier represents and warrants that it is in compliance with CASL, and covenants that it shall during the term of the Agreement remain at all times in compliance with CASL. The Supplier shall promptly notify the Canadian Entity in writing of any written notice that the Supplier may receive from any regulatory body with competent authority with respect to CASL, including all correspondence with such regulatory body. The Supplier shall maintain in its books and records evidence of its compliance with CASL. The Canadian Entity shall have the right on reasonable notice to inspect such books and records of the Supplier. The Supplier shall indemnify, defend and hold harmless the Canadian Entity from all claims, losses, damages and liabilities arising from or related to any actions or omissions of the Supplier related to CASL.”.

168

Schedule U - LOCAL COUNTRY ADDENDUM

FOR

EMEA (EUROPE, MIDDLE EAST AND AFRICA) (“EMEA ADDENDUM”)

THIS LOCAL COUNTRY ADDENDUM FOR EMEA (EUROPE, MIDDLE EAST AND AFRICA) (hereinafter referred to as the “EMEA Addendum”) supplements, modifies and amends the Master Professional Services Agreement dated as of , by and between Supplier and Citi (the “Master Agreement”), but solely with respect to the Services, Software, products and/or Deliverables being provided pursuant to this EMEA Addendum (and any such Local Country Addendum as may be relevant) as the result of the execution of any Work Orders (as defined in the Master Agreement) in the EMEA Region (“Country Work Orders”) substantially as set forth in Exhibit CSA-A-1 or CSA-A-2 herein, and the terms of this EMEA Addendum shall also apply as set forth in Section 3.3.1 of the Master Agreement.

The provisions in this EMEA Addendum are intended to supplement, rather than replace, the provisions of the Master Agreement. Except to the extent a provision of the Master Agreement is explicitly referenced as:

(i) being replaced; or

(ii) not being applicable with respect to this EMEA Addendum, the relevant Local Country Addendum and/or any relevant Country Work Order,

such provision shall apply with respect to any Services, Software, products or Deliverables to be provided by Supplier.

1 DEFINITIONS

The following definitions will apply in addition to the definitions set forth in the Master Agreement for purposes of this EMEA Addendum, any relevant Local Country Addendum and/or any relevant Country Work Order, and each capitalized word or phrase defined in this EMEA Addendum shall have the meaning designated herein. All other capitalized words or phrases used herein shall have the meaning designated in the Master Agreement.

“Insolvency Event” means the occurrence of any of the following:

(i) Supplier stops or suspends, or declares any intention to stop or suspend, its business or payment of its debts or any class of its debts generally or is or becomes unable to pay its debts or otherwise becomes insolvent;

(ii) a receiver or administrative receiver is appointed in respect of Supplier or the whole or any material part of its assets or undertaking, or Supplier requests the appointment of such a person or any step is taken to enforce any charge, mortgage or other security interest over all or any material part of its assets or undertaking or any of the same is or becomes enforceable;

(iii) a notice is issued for the purposes of convening a meeting to approve the placing of Supplier in administration or liquidation, or a petition is presented or an order

169

made for the administration or liquidation of Supplier or Supplier otherwise becomes subject to dissolution proceedings;

(iv) a voluntary arrangement pursuant to any relevant insolvency legislation, or any other arrangement, compromise or composition of Supplier’s debts, or any class of its debts, is proposed or made by or with Supplier;

(v) a judgment, order or award made against Supplier is outstanding and not discharged within ten (10) days or if any distress, execution, sequestration or similar process is levied on or commenced against any of the assets of Supplier and not lifted, withdrawn or discharged within ten (10) days; or

(vi) any circumstances arise or events occur in relation to Supplier or any of its material assets in any country or territory in which it carries on business or to the jurisdiction of whose courts it or any of its assets is subject, which corresponds to or has an effect equivalent or similar to any of those stated in sub-paragraphs (i) to (v) (inclusive) of this definition.

“Local Country Addendum” has the meaning given to that term in Section 3.2 of this EMEA Addendum.

2 TERMINATION

In addition to the terms set out in Section 2 (Term and Termination) of the Master Agreement, the following provisions shall apply:

2.1 Termination of EMEA Addendum, Local Country Addendum or Country Work Order(s). In addition to any rights of termination Citi may have pursuant to Section 2.2 (Work Orders) of the Master Agreement, Citi may immediately terminate this EMEA Addendum, any Local Country Addendum and/or any Country Work Orders, with no financial liability of any kind (other than payment of amounts properly due for such Deliverables and/or Services accepted by Citi pursuant to the Master Agreement) in the event that an Insolvency Event occurs or in response to a request from a Regulator.

2.2 In addition to the requirements set out in Section 2.3 (Orderly Transfer) of the Master Agreement, the following provisions will apply if this EMEA Addendum, any Local Country Addendum and/or any Country Work Order is terminated for any reason:

(i) Supplier shall immediately return to Citi all property, information and material (including copies) belonging to Citi then in the possession, power or control of Supplier or any of its agents or subcontractors. Subject to Section 2.4 (Retention of Archival Copy) of the Master Agreement, each Party shall return or destroy (certifying the same) the Confidential Information of the other Party;

(ii) Supplier shall comply with all reasonable instructions from Citi relating to termination and shall take steps to mitigate any costs which Citi may incur as a result of such termination, including providing (in a readily readable form), upon request by Citi, those documents, records and information without which Citi, in its reasonable opinion, would be unable (or unable without incurring significant cost) to continue to carry on in the same manner the activities to which the

170

Services, Software, products and/or Deliverables relate, and shall allow Citi to copy and retain copies of such items in order to satisfy Citi’s regulatory obligations or other obligations under all Applicable Laws; and

(iii) Supplier shall render reasonable assistance to Citi if requested and to the extent necessary to effect an orderly assumption by Citi and/or any replacement service provider of the Services, Software, products and/or Deliverables, as the case may be, which have previously been provided by Supplier and, in particular, Supplier shall promptly furnish Citi and/or the Replacement Supplier (as defined in Exhibit CSA-G) with any documents, records and information in its possession which are required to provide the replacement services and/or deliverables.

3 SCOPE OF EMEA ADDENDUM

In addition to the terms set out in Section 3 (Services Implementation) of the Master Agreement, the following provisions shall apply:

3.1 Local Purchase Procedure. Exhibit CSA-E (Local Purchases Procedure) sets out the terms that will apply if the Services, Software, products and/or Deliverables are to be provided by local affiliates of the entity designated above as Supplier, which affiliates are listed in Exhibit CSA-F (Local Supplier Companies) (as may be varied by the Parties in writing from time to time) and are referred to herein as “Local Supplier Compan(ies)”. The entity designated in the Master Agreement as Supplier will ensure that each Local Supplier Company performs its obligations under the Agreement and will indemnify Citi against any damages or losses incurred by Citi as a result of a Local Supplier Company’s failure to perform such obligations. In the event that a Local Supplier Company refuses to or is otherwise unable to perform its obligations, entity designated above as Supplier will either: (i) perform such obligations itself; or (ii) procure that such obligations are performed by a third party reasonably acceptable to Citi. The foregoing will not prejudice Citi’s right to terminate the relevant Country Work Order(s) in accordance with the Agreement.

3.2 Local Country Addenda. If Citi or any Citi Affiliate determines that modifications to the terms and conditions of this EMEA Addendum are required to address any specific legal, regulatory or policy requirements or due to variations in practices in a specific country, Supplier agrees to amend or update this EMEA Addendum accordingly, and a Local Country Addendum setting forth the additional or modified terms and conditions that apply when providing the Services, Software, products and/or Deliverables in such country shall be executed by the Parties (each a “Local Country Addendum”, a template form of which is attached as Attachment A (Template Local Country Addendum) to Exhibit CSA-D (Local Purchases Procedure)).

4 DELIVERY

In addition to the terms set out in Section 4.1 (Citi and Citi Affiliates) of the Master Agreement, the following provisions shall apply:

4.1 Citi enters into this EMEA Addendum as part of the Master Agreement on its own behalf and as agent on behalf of and for the benefit of its Affiliates. All obligations under the Agreement are the individual responsibility of each Citi Affiliate which is the recipient or beneficiary of the applicable Software, products, Deliverables and/or Services. Under no

171

circumstances shall Citi (as designated above) or any of its Affiliates be responsible for the obligations of any other Citi Affiliate.

4.2 Supplier Representative.

4.2.1 In addition to the requirement to provide Project Manager(s) for each project, the Supplier shall appoint an account manager (the “Supplier Representative”) at no additional charge to Citi for the purpose of overseeing the performance of the Supplier. The Supplier Representative shall, for the purpose of the Agreement, be considered duly authorised and be duly authorised to represent the Supplier for the term of the Agreement.

4.2.2 Citi shall have the right to require the Supplier to appoint another person to replace the person who is at any time the Supplier Representative if, in the opinion of Citi, a replacement is necessary for the management of the Agreement or for the provision of the Services to be made more effectively. The Supplier shall not appoint any person as Supplier Representative without Citi’s prior approval.

4.2.3 Status Reports. Supplier shall provide Project Managers with status reports that contain (as a minimum) the following (collectively, “Status Report”): (i) a summary of the current status of the Project; (ii) a summary of progress made on problems identified in any previous Status Reports; (iii) a summary of any problems identified since the preceding Status Report and any recommended remedial action; and (iv) the amount of any anticipated delay in the completion of any milestone beyond the applicable date specified in the Country Work Order, the cause of such delay and any recommended remedial action.

4.3 Personnel. The following provisions will apply in addition to those set out in Sections 4.5 (Supplier’s Personnel) of the Master Agreement:

4.3.1 For the avoidance of doubt, all Supplier Personnel shall at all times be and be deemed to be employees of Supplier or its sub-contractors and not of Citi. Supplier shall be responsible for the taking of all disciplinary action in respect of its Personnel and for paying any salaries, taxes, benefits, contributions and charges payable in respect of its Personnel.

4.3.2 Supplier shall in relation to its Personnel (and those of its affiliates, agents and sub-contractors):

(i) obtain proof that its Personnel have the necessary work and/or residence permits to enable them to work in the locations in which they do or will work in the performance of this EMEA Addendum and any Country Work Orders;

(ii) establish details of previous residential addresses for ten (10) years prior to the commencement of the recruitment;

(iii) carry out: (a) credit checks, criminal record checks, and other checks to the extent permitted by Applicable Law and reasonably necessary to establish that the Personnel would not be susceptible to committing acts of theft or dishonesty; and (b) any other reasonable and lawful screening, security and vetting procedures as are necessary having due regard to the interests of Citi and the nature of its business, or as are notified by Citi from time to time; and

172

(iv) to the extent that such steps are lawful take all reasonable steps to ensure that no persons who are convicted of a criminal offence (other than minor road traffic offences) are deployed in the provision of the Services.

4.3.3 The provisions of Exhibit CSA-G (Personnel) shall apply in respect of Supplier Personnel.

4.3.4 Replacement of Supplier’s Personnel. The following provisions will apply in addition to those set out in Section 4.6 (Replacement of Supplier’s Personnel) of the Master Agreement:

4.3.5 If any member of Supplier’s Personnel fails (in Citi’s sole determination) to: (i) meet the background check requirements set forth above; (ii) to comply with any Applicable Laws, Exhibit CSA-B (Mandatory Citi Policies) of this EMEA Addendum or any other of Citi’s security or work place policies or procedures (whether or not specified herein); (iii) to perform Projects in a professional and competent manner; or (iv) is unacceptable to Citi for any other lawful reason, Supplier will remove such individual from performing Services for Citi immediately upon receiving a request from Citi and promptly to provide Citi with suitable replacement Personnel; (at no additional charge).

5 FEES, PAYMENT AND TAXES

Section 11 (Fees, Payment and Taxes) of the Master Agreement shall be amended as follows for the purposes of this EMEA Addendum:

5.1 Section 11.3 (Taxes) shall be replaced with the following wording:

5.1.1 All sums payable under this Master Agreement and each Work Order are exclusive of value added tax (“VAT”), Goods and Services Tax (“GST”) or other similar indirect taxes, which will be chargeable, where applicable, on production of a valid VAT/GST invoice by Supplier.

5.1.2 Supplier is solely responsible for the payment of all taxes required of Supplier, including personal property taxes, franchise taxes, corporate excise or corporate privilege, property or license taxes, all taxes relating to Supplier’s Personnel, and all taxes based on the net income or gross revenues of Supplier (or taxes that are similar to, in lieu of, or in substitution for, such taxes).

5.1.3 If Citi is required to withhold and pay any withholding taxes imposed at source on any amount payable to Supplier under the Agreement: (i) Citi shall make available to Supplier, on a timely basis, valid evidence of any withholding tax paid by Customer to such tax authority; and (ii) Citi’s payment of the balance (after deducting any such withholding Tax) shall constitute payment in full of the amount owed by Citi to Supplier.

5.1.4 No amount arising under a Work Order shall be due from Citi prior to Citi’s receipt of a properly and accurately prepared VAT/GST invoice: (i) referencing the applicable Work Order; (ii) separately itemising the charges for the Services, Deliverables or other items in a Work Order; (iii) setting forth, in reasonable detail, the basis for the charges; and (iv) attaching copies of receipts or other documentation supporting charges for expenses or Taxes.

5.2 A new Clause 11.10 shall be added to the Master Agreement as follows:

“Late Payments. If (and only if) interest for late payment is required under Applicable Law, then Supplier shall be entitled to charge interest on undisputed sums only in respect of which Supplier has notified Citi of the non-payment and for which Citi has not sent

173

payment within fourteen (14) days after receipt of such notice. Such interest shall accrue on a daily basis and shall be paid at an annual rate of five percent (5%) (or such lower rate of interest as may be agreed by the Parties in writing) to the related sums following expiration of the relevant notice period until the date of payment.”

6 REPRESENTATIONS AND WARRANTIES AND COVENANTS

In addition to the terms set out in Section 12 (Representations and Warranties and Covenants) of the Master Agreement, the reference to immigration-related Applicable Laws in Section 12.6 (Supplier’s Personnel Policies) shall include the UK Immigration, Asylum and Nationality Act 2006 or its national equivalent for the purposes of any Country Work Orders requiring performance in other countries.

7 CONFIDENTIAL INFORMATION

Where Supplier processes Personal Information at the request of Citi or its Affiliate or is otherwise required to act as a data processor for Citi in relation to Personal Information provided in the course of its performance of the Services, the terms Exhibit CSA-E (Data Protection), which is attached hereto and incorporated herein, shall apply in addition to the requirements of Appendix 13 (Confidentiality) of the Master Agreement.

8 LIMITATION OF LIABILITY

The Parties agree that notwithstanding anything to the contrary in Section 18 (Limitation of Liability), neither the Supplier nor Citi exclude or limit liability to the other for death or personal injury caused by its negligence or that of its Personnel, or for any breach of any obligations implied by Section 12 of the Sale of Goods Act 1979 or Section 2 of the Supply of Goods and Services Act 1982, or for any other liability which cannot lawfully be excluded.

9 INSURANCE

The Parties agree that Section 17 (Insurance Requirements) will not apply. Supplier shall at its own cost maintain adequate insurance, in accordance with Citi policies on insurance, or self-insure, against any losses which are the result of its fault or negligence or that of its employees, for an amount sufficient to cover its liabilities under the Agreement, but in any event not less than £10 million pounds per occurrence, and shall procure that any sub-contractor, agent or contractor shall likewise be similarly insured. Supplier shall, if requested by Citi, produce evidence of such insurance. Supplier shall give Citi thirty (30) days notice before such insurance is cancelled or allowed to lapse or is altered in its scope or coverage. Supplier’s failure to maintain the requisite insurance shall be a breach entitling Citi to immediately terminate the Agreement.

10 NOTICES

Notices in relation to this EMEA Addendum and/or any Country Work Orders will be sent in accordance with Section 21 (Notices) of the Master Agreement to the addresses provided pursuant to the Master Agreement with copies to the addresses set out below.

Where Supplier is not registered or otherwise operating in the United Kingdom (or the relevant country for the purposes of any Local Country Addendum), Supplier irrevocably appoints any of

174

its affiliates registered or otherwise operating in the United Kingdom (or the relevant country for the purposes of any Local Country Addendum) as its agent for service of process in relation to any proceedings in connection with this EMEA Addendum. Where Supplier does not have an affiliate registered or otherwise operating in the United Kingdom, Supplier hereby appoints the person identified below as its agent for service of process.

Citi:		Regional Head of Procurement, EMEA Citibank, N.A. Citigroup Centre Canada Square Canary Wharf London E14 5LB

With copy to:		IP and Technology Legal Department Citibank, N.A. Citigroup Centre Canada Square London E14 5LB

Supplier:		Name: Address: Fax No:

Agent for service of process (if applicable):

11 COMPLIANCE WITH LAW.

For the purposes of Section 22.2 (Export Controls), the Parties agree that the words “and the Export Regulations of the UK and EU” shall be deemed to be inserted after the words “the Export Administration Regulations of the United States”.

12 POLICIES AND PROCEDURES.

12.1 Section 5.7 (Criminal Background Checks) and Section 5.9 (Diversity Initiative) of the Master Agreement shall not apply for the purposes of this EMEA Addendum, any Local Country Addendum or any Country Work Order.

12.2 In addition to the terms set out in Section 14.2 (Right to Audit) of the Master Agreement, the following shall apply as new Section 14.2.7-14.2.10.:

“14.2.7 The transactional information and documentation referred to in Sections 11.7 (Transaction Information) and 29 (Audited Financial Statements) of the Master

175

Agreement will be provided by Supplier in an electronic data format specified by and at such intervals as and when reasonably requested by Citi.

14.2.8 Citi may from time to time for itself or on behalf of its Affiliates review or audit any document, information, process, system, or matter relating to Supplier’s performance and the Agreement (including, without limitation, compliance with Citi’s security policies and Supplier Standards) through its own Personnel or through agents, auditors or advisers and will ensure that such persons are bound by a confidentiality provision substantially similar to that contained in Section 13 (Confidential Information) of the Master Agreement.

14.2.9 Supplier will provide Citi and its Personnel, contractors, agents, auditors and advisers with such information, assistance and access to Supplier’s premises, equipment (including without limitation any security system concerned with processing of Data), Personnel, computer systems and documentation as is reasonable in order that they may fully and promptly carry out each audit or to enable Citi to comply with any applicable legal, regulatory or other required reporting obligations PROVIDED ALWAYS that Citi will permit Supplier the opportunity to deliver up any information required by Citi (or the appropriate Regulator) prior to Citi carrying out any audit hereunder which may render an audit visit unnecessary.

14.2.10 In addition to the rights set out in this Section 14.2, Supplier acknowledges and agrees that certain Regulators from time to time require the right, whether by virtue of law, regulation, code of conduct or otherwise, to investigate the affairs of Citi and, accordingly, Supplier agrees to provide such access as is referred to in this Section 14.2 and all such other access, information and assistance as such Regulators properly require or request in order to fulfil such requirements. If Supplier considers that any requirement relates to information which is confidential to Supplier, Supplier will be entitled to disclose the information directly to the Regulator without having to disclose it to Citi.”

13 CHOICE OF LAW AND JURISDICTION.

For the purposes of all Country Work Orders, Section 23 (Choice of Law and Dispute Resolution) of the Master Agreement shall not apply and will be replaced in its entirety with the following:

“23.1 The relevant Country Work Order and any and all disputes (“Disputes”) arising out of or in connection with it (whether of a contractual or non-contractual nature such as claims in tort, breach of statute or regulation or otherwise) will be governed by and construed in accordance with the laws of England and Wales. For the avoidance of doubt, in the event of a conflict in the interpretation of a provision of the Master Agreement and/or this EMEA Addendum under New York Law and under English Law, the English Law interpretation shall prevail for the purposes of interpreting the parties’ intent regarding the relevant Country Work Order.”

23.2 Disputes arising under this Country Work Order will be resolved in accordance with the provisions of Exhibit CSA-H (Escalation Procedures).

23.3 Jurisdiction. Disputes arising out of or in connection with this Country Work Order shall be subject to the exclusive jurisdiction of the courts of England and Wales.”

176

14 CONSTRUCTION

In addition to the terms set out in Section 28 (Construction) of the Master Agreement, the following shall apply:

In addition to the Sections delineated in Section 28.4 (Survival) of the Master Agreement, the following Sections of this EMEA Addendum will also survive expiration or termination of the Agreement: Section 12.2 (Policies and Procedures).

14.2 A new Clause 28.6 shall be added to the Master Agreement as follows:

“28.6 Rights of Third Parties

28.6.1 Citi Affiliates shall be entitled to enforce the whole of the benefit of this Master Agreement, provided always that the Parties to the Master Agreement may vary or terminate this Master Agreement (or any part thereof) by agreement between them without requiring the consent of the Citi Affiliates.

28.6.2 Subject to the foregoing, unless specified otherwise in the Master Agreement, a person who is not a Party to the Master Agreement (including any employee, officer, agent, representative or subcontractor of either Party) shall not have the right, to enforce any provisions of the Master Agreement without the express prior agreement in writing of the Parties which agreement must refer to this Section 28.6.”

15 COMPLETE UNDERSTANDING:

The following sentence will be added to the end of Section 30 (Complete Understanding) of the Master Agreement: “Nothing in this Section is intended to limit or exclude either party’s liability for fraudulent misrepresentation.”

IN WITNESS WHEREOF, the Parties hereto, through their duly authorised officers, have executed this EMEA Addendum as of the Effective Date designated above.

SUPPLIER:			CITI:

By:			By:

Name:			Name:

Title:			Title:

Date:			Date:

177

EXHIBIT CSA-A-1

COUNTRY WORK ORDER

(Time & Materials)

	Country Work Order No:
	Effective Date:

THIS COUNTRY WORK ORDER is entered into as of the Effective Date designated above, by and between Supplier and Citi (each as defined below). The Parties hereto acknowledge that they are entering into this Country Work Order pursuant to the provisions of the Master Professional Services Agreement dated as of (the “Agreement”) by and between Polaris Consulting & Services Ltd and Citigroup Technology, Inc. (the “Parties”) as supplemented, modified and amended by Appendix 3.3.1 (Local Country Addendum for EMEA (Europe, Middle East and Africa)) (“EMEA Addendum”) to the Agreement [and as further supplemented, modified and amended by the Local Country Addendum for [insert country] incorporated into the Agreement. The Parties further acknowledge and agree that the provisions of the EMEA Addendum are hereby incorporated by reference and shall apply to this Country Work Order as though set forth herein in their entirety. All capitalised terms not otherwise defined herein shall have the meanings set forth in the Agreement (including the EMEA Addendum).

Party:	SUPPLIER	CITI
Name:
Address:
Country of Incorporation:
Registered Number:

Project Name:

Commencement Date:

Completion Date:

Project Managers:	For Supplier:	For Citi:

Name:
Address:

Phone:
Fax:
e-mail:

Description of Services and Deliverables (attach additional sheet if necessary):

Supplier will ensure that all Deliverables comply with Citi’s branding, design, usability and security guidelines that are provided to Supplier.

178

Project Fees: Supplier will perform all Services and provide all Deliverables under this Country Work Order on a time and material basis at the rates set forth below. [If a maximum amount has been negotiated include the following sentence: The total amount of Project Fees shall not exceed Dollars ($ ).] Citi is under no obligation to spend any minimum amount under this Country Work Order. Should Citi require additional Services or Deliverables the Parties will enter into a separate Country Work Order.

Supplier Personnel Skill Set	*Rate per Hour / Day**	Estimated Hours/ Days	Estimated Fee


Estimated Aggregated Total Fees

*Supplier’s rates [select one: do / do not] include travel and living expenses incurred by Supplier in conjunction with its performance of the Services.

Payment Schedule: Supplier will invoice Citi on a monthly basis for Project Fees and reimbursable expenses (if any) that have been earned or incurred during the preceding month.

Citi’s Address to where Supplier’s Invoices should be sent:

Acceptance Criteria:

IN WITNESS WHEREOF, the Parties hereto, through their duly authorised officers, have executed this Country Work Order as of the Effective Date.

Supplier:			Citi:


By:			By:

Name:			Name:

Title:			Title:

Date:			Date:

179

APPENDIX CSA-A-2

COUNTRY WORK ORDER

(Fixed Price)

	Country Work Order No.:
	Effective Date:

Party:	SUPPLIER	CITI
Name:
Address:
Country of Incorporation:
Registered Number:

Project Name:

Commencement Date:

Completion Date:

Project Managers:	For Supplier	For Citi

Name:
Address:
Phone:
Fax:
e-mail:

Description of Services To Be Performed (add attachment if needed):

Description of Deliverables (add attachment if needed):

Supplier will ensure that all Deliverables comply with Citi’s branding, design, usability and security guidelines that are provided to Supplier. In the event that any Deliverable fails to satisfy the applicable

180

requirements, Supplier will be responsible for correcting any omissions or deviations at its sole expense.

Deliverable Milestones (add attachment if needed):
		DATE:
		DATE:
		DATE:

Acceptance Criteria (attach Specifications and other criteria if applicable):

Warranty Period:

Project Fee: Supplier will perform all Services and provide all Deliverables under this Country Work Order for a fixed fee in the amount of Pounds Sterling (£ ). The Project Fee is inclusive of all expenses incurred by Supplier in conjunction with its performance of the Services and providing of the Deliverables.

Payment Schedule: Supplier will invoice Citi for the Project Fee after Citi has accepted the Services and Deliverables.

Citi’s Address to where Supplier’s Invoices should be sent:

Additional Terms and Conditions:

IN WITNESS WHEREOF, the Parties hereto, through their duly authorised officers, have executed this Country Work Order as of the Effective Date.

Supplier:			Citi:


By:			By:

Name:			Name:

Title:			Title:

Date:			Date:

181

EXHIBIT CSA-B

MANDATORY CITI POLICIES

I: ON-SITE REQUIREMENTS

Supplier’s employees, staff, and authorised subcontractors who will have access to Citi or an Affiliate’s (“Citi”) premises (“Supplier Staff”) must be made aware of this Exhibit CSA-B. Supplier will procure that each member of Supplier Staff complies with the policies set out in this Exhibit CSA-B and any Citi policies referred to in Section 5 (Policies and Procedures) of the Agreement.

SECURITY

Each member of Supplier Staff will be issued with a non-transferable security pass that must be displayed at all times. All passes must be returned to Citi’s security department at the end of the day or relevant work period, or immediately on demand. Any lost passes must immediately be reported to Citi’s security department. The names of Supplier Staff scheduled to work at weekends must be submitted to Citi’s security department by noon on the previous Friday. All Supplier Staff entering or leaving Citi premises, including items in their possession, may be subject to a physical search or scan.

BEHAVIOUR

Citi operates a non-smoking policy in all of its buildings and smoking is permitted only in designated areas. Supplier Staff must at all times (a) act and dress in a professional manner and with minimum interference to Citi’s normal operations; and (b) while on Citi premises, refrain from carrying or consuming alcohol or drugs (other than prescribed medications). Any member of Supplier Staff may be required to leave Citi premises at any time.

PHYSICAL WORK

Before any Supplier Staff commences any work that may interfere with building functions or its fabric, permission in writing must be obtained from Citi’s facilities department. It is Supplier’s responsibility to safeguard and mark any areas of work that might reasonably be considered hazardous. On completion of any work, the area worked in must be left clean and tidy.

FIRE

Supplier is responsible for familiarisation of Supplier Staff with all fire precautions and exit routes prescribed by Citi. Details of such exit routes are available on notice boards throughout the premises. Under no circumstance will any Supplier Staff block fire exits, prop open a fire exit door or leave any materials within the stair wells or lobbies. Any interruption to Citi premises’ fire prevention system must be approved in writing by Citi’s security manager before such interruption. Supplier Staff shall ensure that portable fire extinguishers are available in all areas affected by the work of Supplier Staff.

182

DELIVERIES AND REMOVALS

All equipment belonging to Supplier Staff that is stored on Citi premises is stored at his and Supplier’s sole risk. Supplier Staff may not park vehicles on Citi’s premises unless there is an essential business need which has been agreed in advance. After completion of work, Supplier must remove all equipment, tools and materials from Citi premises. If Citi property is required to be removed from the premises, an asset removal form must be completed and approved by Citi. On completion of a delivery, Supplier shall promptly remove all packing, pallets and other debris.

EQUIPMENT

Supplier Staff are responsible for the security of equipment provided to them or to which they are given access, and no other person may use such equipment.

183

EXHIBIT CSA-C

[Reserved]

184

EXHIBIT CSA-D

DATA PROTECTION AND INFORMATION SECURITY

In addition to the requirements of Appendix 13 (Confidentiality) of the Master Agreement, the Parties further agree as follows.

1. ADDITIONAL DEFINITIONS

“Confidential Information” of either Party means all data, information, and material relating to the business, customers, internal policies, systems or affairs of that Party, its representatives or its customers that is or has been: (i) disclosed by that Party to the other Party under or in connection with this Master Agreement, whether orally, electronically, in writing or otherwise, including copies of such information; or (ii) learnt, observed, acquired or generated by the other Party in connection with this Master Agreement.

The following shall be Citi’s Confidential Information: (a) the terms of this Master Agreement; (b) any Citi Personal Data acquired or generated by Supplier and/or any Supplier Affiliate; and (c) Work Products.

“Citi Personal Data” means Personal Data relating to Citi’s Personnel or customers or their Personnel or customers which is received by or on behalf of Supplier in the course of providing Services to the Citi under a Work Order;

“Personal Data” means any information that can be used, directly or indirectly, alone or in combination with other information, to identify an individual;

2. PERSONAL DATA AND INFORMATION SECURITY

2.1. Additional definitions. In this Paragraph 3, “Data Controller”, “Data Processor”, “data subject”, and “processing” shall be interpreted in accordance with the UK Data Protection Act 1998 (or, if applicable, and subject to the provisions of a Local Country Addendum, in accordance with such country’s implementation of Directive 95/46/EC).

2.2. International access. Supplier agrees for itself and on behalf of its Personnel, Affiliates and Associated Persons that this Master Agreement, any documentation created pursuant thereto, and any Personal Data contained therein will be held by Citi in central database(s) and other storage mechanisms which may be accessed by (and that copies of the same may be made available or disclosed to) Citi Affiliates and relevant legal and Regulatory Bodies and other third parties such as advisors and consultants on a worldwide basis.

2.3. Data processor. Citi and Citi Affiliates, as relevant, will be the Data Controller and the Supplier will be the Data Processor when processing Citi Personal Data in the course of the Supplier providing Services to Citi under a Work Order. In this context, Supplier shall and shall procure that any Associated Person processing Citi Personal Data shall:

(i) only process Citi Personal Data for the purpose of providing Services, and only to the extent strictly necessary to do so;

(ii) only carry out processing of Citi Personal Data in accordance with Citi’s: (a) relevant policies, standards and procedures; and (b) instructions, in each case as notified to Supplier and as amended by Citi from time to time;

185

(iii) promptly advise Citi of any notices, requests or queries from data subjects, any data protection supervisory authority or any law enforcement authority, for Citi to resolve;

(iv) at no additional cost, promptly provide such information and assistance to Citi as it may reasonably require to allow it to comply with the rights of Data Subjects, including subject access rights, or with information notices served by the Information Commissioner or to facilitate timely resolution of any matter arising hereunder or any investigation;

(v) implement (and update from time to time as needed) appropriate technical, organisational, and security measures (including any specific security measures notified by Citi) to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, disclosure, or alteration, and provide Citi with a written detailed description of such measures promptly on request from time to time;

(vi) without limiting the foregoing, follow best industry practice (including background checks and ongoing training) to ensure: (a) the reliability of Citi’s Associated Persons who may have access to Personal Data; and (b) that such measures include the ability to retrieve promptly any Personal Data in such format and on such media as Citi reasonably requests;

(vii) include in any subcontract with any subcontractor who has been approved pursuant to Section 15 of the Master Agreement and who will process Personal Data, provisions in favour of Citi which are equivalent to those in this Exhibit CSA-D, including sufficient guarantees in respect of the appropriate technical and organisational measures governing the processing to be carried out; and procure the right for Customer to perform a ISA (defined below) on the subcontractor; and

(viii) if Customer determines, in its sole discretion and acting reasonably, that data protection related Applicable Law requires amendment to this Master Agreement or any Work Order, or execution of further or additional agreements between the Parties, Supplier shall enter into such amendments or further or additional agreements.

2.4. Non EEA Access and Storage. Supplier shall not, without Citi’s express prior written approval, send any Citi Personal Data to, store Citi Personal Data at, or provide access to Citi Personal Data from, any facility or data center outside the European Economic Area. If required by Citi, Supplier shall promptly execute, or shall procure that the relevant Supplier Affiliate or Associated Person promptly executes, an agreement in the form set out in the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under EU Directive 95/46/EC on Data Protection, or any replacement or additional form approved by the European Commission from time to time (the “Data Transfer Agreement”), populated as reasonably required by Citi, with Citi or any Citi Affiliate that requires this in order to benefit from the Services in compliance with Applicable Law. A template Data Transfer Agreement is embedded in the Annex to this Exhibit CSA-D.

186

2.5. Data controller obligations. To the extent that it is a data controller, Supplier shall comply (and shall ensure that its Associated Persons comply) with the Data Protection Act 1988 or any analogous law or regulation. If a supervisory authority for data protection considers, or Citi reasonably considers, that Supplier is a data controller in relation to Personal Data provided to Supplier pursuant hereto, Supplier shall make such changes to this Exhibit CSA-D as Citi may reasonably require.

2.6. Information security. Supplier shall ensure that Services are provided in accordance with: (1) Citi’s information security standards as set out in the Citi Supplier Standards; or (2) Supplier’s security standards if such standards have been approved by Citi in accordance with the Citi Supplier Standards.

2.7. Information Security Assessment. Supplier will permit Citi’s representatives, upon prior notice and at reasonable times, to examine and verify compliance with Supplier’s obligations under this Appendix with respect to (i) the safeguarding and use of Citi’s Confidential Information; and (ii) the detection, prevention and mitigation of an actual or attempted theft or misappropriation of computing resources and Confidential Information (including Personal Data).

2.8. Each examination and verification may include conducting information security assessments (“ISA”) of Supplier and of Supplier’s practices and procedures, and those of any subcontractor engaged by Supplier to perform Supplier’s obligations with access to Citi Confidential Information. ISAs may consist of: (a) security questionnaires requiring responses from Supplier or its Personnel; (b) visits to locations where (or from where) Citi’s Confidential Information may be stored, processed, administered or accessed; and (c) review of all records and files in Supplier’s or its Personnel’s possession relating to the purposes above. Citi will endeavour to have ISAs conducted in a manner that does not unreasonably interfere with Supplier’s business operations.

2.9. If the findings of an ISA disclose or indicate security problems or concerns, Citi will detail them in a notice to Supplier, and provide reasonable assistance and guidance so that Supplier corrects the problems and addresses the concerns to Citi’s reasonable satisfaction.

2.10. Supplier’s failure to correct the problems or adequately address the concerns expeditiously will be a material breach of this Agreement. Citi agrees that the findings of any ISA is Supplier’s Confidential Information. Supplier grants Citi the right to distribute and use the findings of any ISA with any Citi Affiliate, auditor or Regulatory Body as may be necessary to transact business with Supplier or to fulfill any compliance or information security process or policy of Citi or its Affiliates. Where Supplier regularly undergoes independent technology control assessments, these will be leveraged as far as possible by Citi’s ISA process.

2.11. The Parties agree that:

(i) Supplier must take reasonable precautions (having regard to the nature of its other obligations hereunder), including compliance with recommendations made as part of any ISA, to preserve the integrity of Citi Personal Data and to prevent any corruption or loss of such data;

(ii) Supplier must make a backup copy of Citi Personal Data every week (or such other frequency as may be agreed) and record the copy on media from which Citi Personal Data can be re-loaded if there is any corruption or loss of Citi Personal Data;

187

(iii) if Citi Personal Data is corrupted or lost as a result of any default by Supplier, Citi may, in addition to any other remedies that may be available to it, require Supplier to (a) restore or procure the restoration of Citi Personal Data as soon as practicable, at no additional charge; or (b) promptly reimburse Citi for any expenses Citi reasonably incurs when restoring or procuring the restoration of Citi Personal Data; and

(iv) all right, title and interest in Citi Personal Data shall vest and remain vested solely in Citi or those who provided the data to Citi.

2.12. Security Incident Reporting Process.

(i) Supplier shall develop, implement, document and maintain an information security incident reporting process (“SIRP”) to ensure that (a) both Parties are able to immediately address, contain and mitigate any possible risk arising from any actual or potential misuse, unauthorised use, disclosure or access, loss, destruction, compromise, damage, alteration or theft of Citi’s Confidential Information or Citi’s Systems; and (b) there is a consistent process for identifying, reporting, investigating and closing information security incidents.

(ii) Such SIRP shall (a) provide an accurate and up-to-date list of Supplier and Citi Personnel to be contacted if there is an actual or suspected information security incident; (b) detail incident severity definitions consistent with Citi’s policies, standards and processes; and (c) set specific escalation procedures and timeframes based on the breach severity level of the actual or suspected information security incident. At a minimum, the SIRP must mandate that: (i) all Supplier Personnel notify their management if any Supplier Personnel becomes aware of any action which indicates that there has been or may be an information security incident; and (ii) the Citi Project Manager (or any alternative or additional contact(s) notified by the Citi) must be contacted immediately if there is an actual or likely disclosure of Citi’s Confidential Information, in accordance with such SIRP’s procedures.

188

Annex to EXHIBIT CSA-D

Template Data Transfer Agreement

189

EXHIBIT CSA-E

LOCAL PURCHASES PROCEDURE

1. General.

1.1. In the event that an Affiliate wishes to engage Supplier or any of the Local Supplier Companies listed in Exhibit CSA-F (Local Supplier Companies) of this EMEA Addendum (which list may be updated from time to time by the Parties) for the purpose of purchasing Services, Software, products and/or Deliverables in a particular country, the procedures outlined in this Exhibit CSA-D (Local Purchases Procedure) will apply.

1.2. The relevant Citi Affiliate may place Country Work Orders directly with the Supplier or the relevant Local Supplier Company, which Country Work Order will include any necessary local terms and conditions.

1.3. In addition, the Parties to the Master Agreement may enter into a Local Country Addendum.

1.4. For the avoidance of doubt, the Agreement and all Local Country Addenda will be in the English language and in the event that versions of any documents related to the Agreement (including any Local Country Addenda) are translated, the English language version of such documents will prevail.

2. Engagement of Local Supplier Companies

Where Citi places a Country Work Order with Local Supplier Company, Supplier will ensure that such Local Supplier Company enters into the Country Work Order on the terms and conditions of the Agreement, save that: for the purposes of such Country Work Order, the “Supplier” shall be the relevant Local Supplier Company and all references in the Agreement to “Supplier” shall be deemed to refer to the Local Supplier Company.

190

Attachment A: TEMPLATE LOCAL COUNTRY ADDENDUM

LOCAL COUNTRY ADDENDUM

MASTER PROFESSIONAL SERVICES AGREEMENT

	Country:
	Effective Date:

Party:	SUPPLIER	CITI
Name:
Address:
Country of Incorporation:
Registered Number:

THIS LOCAL COUNTRY ADDENDUM is entered into by and between the Supplier and Citi identified above to amend and supplement the Master Professional Services Agreement dated as of , by and between Polaris Consulting & Services Ltd and Citigroup Technology, Inc. (the “Agreement”), as amended and supplemented by the EMEA Addendum. Citi and/or its Affiliates may enter into such Country Work Orders with the Supplier or such Local Supplier Companies as are identified in (i) the Agreement; and/or (ii) Annex 1, which is attached hereto and incorporated herein; and/or (iii) such other Local Supplier Companies as the Parties may agree to in writing.

IN CONSIDERATION of the mutual covenants and undertakings contained herein, and intending to be legally bound, Supplier and Citi agree as follows.

1. DEFINITIONS

1.1 Specific Words or Phrases. For purposes of this Local Country Addendum, each word or phrase defined in the Agreement shall have the meaning designated therein, and each word or phrase listed below shall have the meaning designated. Other words or phrases used in this Local Country Addendum may be defined in the context in which they are used, and shall have the respective meaning there designated.

2. TERM AND TERMINATION

This Local Country Addendum shall commence as of the Effective Date designated above, and shall continue in effect thereafter until the Agreement in general, or this Local Country Addendum in particular, is superseded or otherwise terminated by Citi. For the avoidance of doubt, the termination of the Local Country Addendum shall not result in the termination of any Country Work Order, each Country Work Order being terminable only in accordance with its own provisions.

3. CITI’S POLICIES AND PROCEDURES

Without limiting the generality of Supplier’s obligations under the Agreement, Supplier further agrees to any specific policy guidelines relevant to the country as may be advised by Citi.

191

4. CHARGES AND PAYMENT TERMS

4.1 Charges. The charges to be paid by Citi for Products or Services properly furnished by Supplier pursuant to this Local Country Addendum, are as set forth (in the Agreement). To the extent that such charges are not set forth in the Agreement, the charges detailed in Annex 2 (Local Charges) will apply. All relevant charges (including any relevant charges not included in the Agreement or Annex 2 to this Local Country Addendum as may be agreed by the Parties) will be identified in the applicable Country Work Order.

4.2 Taxes. Supplier may invoice Citi for sales and use taxes in accordance with the Agreement, except as may be otherwise required in this Local Country Addendum.

4.3 Terms of Payment. Invoices will be payable in accordance with the terms in the Agreement except as may be otherwise required in this Local Country Addendum or in the applicable Country Work Order.

5. ADDRESSES FOR NOTICES

Citi:		[insert local Citi Procurement contact details]

With copy to:		IP and Technology Legal Department Citibank, N.A. Citigroup Centre Canada Square London E14 5LB

Supplier:

Name:
Address:

Fax No:

Agent for service of process (if applicable):

6. ESCALATION PROCEDURE

The level 1 and Level 2 Dispute Managers identified in the Agreement shall be consulted in the event of a dispute related to a Country Work Order entered into in the country identified above, unless alternative Level 1 and/or Level 2 Dispute Managers are identified in Annex 3 hereto.

192

7. INTERPRETATION

In the event of any inconsistency between the provisions of the Agreement, this Local Country Addendum or any Country Work Order, the following priorities will prevail. The provisions of the Country Work Order shall govern all inconsistencies between the Country Work Order and either the Agreement or this Local Country Addendum, for purposes of such Country Work Order only. The provisions of this Local Country Addendum will govern all inconsistencies between this Local Country Addendum and the Agreement for the purposes of purchases made in the country identified above.

IN WITNESS WHEREOF, the Parties hereto, through their duly authorized officers, have executed this Local Country Addendum as of the Effective Date designated above.

SUPPLIER:			CITI:

By:			By:

Name:			Name:

Title:			Title:

Date:			Date:

193

Annex 1: Local Supplier Companies

In addition to such Local Supplier Companies as may be identified in the Agreement, Citi or the Affiliates may also enter into Country Work Orders with the following Local Supplier Companies:

194

Annex 2: LOCAL CHARGES

195

Annex 3: Dispute Resolution Managers

Level 1 Dispute Managers:

Citi:

Supplier:

Level 2 Dispute Managers:

Citi:

Supplier]

196

EXHIBIT CSA-F

LOCAL SUPPLIER COMPANIES

Citi and/or the Affiliates may also enter into Country Work Orders with the following Local Supplier Companies]

197

EXHIBIT CSA-G

PERSONNEL

For the purposes of this Exhibit CSA-G (Personnel), the following words have the following meanings:

“Replacement Supplier” means a service provider selected by Citi to provide services (in whole or in part) to replace the Services provided by Supplier following the expiration or termination of the Agreement;

“Transfer Legislation” means (i) the European Union Acquired Rights Directive; and/or (ii) any relevant local legislation implementing the European Union Acquired Rights Directive in the relevant jurisdictions; and/or (iii) any Applicable Law which contains provisions that are similar in nature or similar in effect to the provisions of the European Union Acquired Rights Directive.

General

1. Supplier shall be responsible for all emoluments and outgoings for its Personnel up to the point of any transfer on termination or expiration of the Agreement and shall indemnify and hold harmless Citi against all losses, costs, claims, demands, actions, fines, liabilities, damages and/or expenses (“Damages”) in respect of the Supplier’s failure to pay them.

2. To the extent that any Applicable Law applies to Supplier Personnel emoluments and outgoings, such that any of the Supplier Personnel should become eligible to receive additional compensation (whether such compensation is monetary or in the form of additional benefits), Supplier shall also be responsible for such additional compensation (whether paid by Citi or directly by Supplier) and will indemnify and hold harmless Citi against all Damages in respect of any claims that such additional compensation should have been made to any Supplier Personnel.

3. Supplier shall not unlawfully discriminate in its provision of the Services whether in relation to its own Personnel and/or Citi Personnel and whether in respect of race, gender, religion, belief, disability, sexual orientation, age or otherwise.

4. Each obligation on Supplier herein will include additional obligations to procure compliance with that obligation by its affiliates, agents and sub-contractors.

5. All indemnities from Supplier in this Exhibit CSA-G (Personnel) will benefit Citi and any Replacement Supplier. Notwithstanding anything to the contrary in the Agreement, the parties agree that Replacement Suppliers shall be third party beneficiaries to the Agreement for the sole purpose of benefiting from such indemnities and are entitled to enforce those indemnities directly.

6. Where (on commencement, termination or expiration of all or part of the Services) there is no applicable Transfer Legislation, Citi may request that certain employees become employed by (on commencement) Supplier, its affiliates, agents or sub-contractors or (on termination or expiration) Citi or Replacement Supplier (a “Transfer Request”). Supplier will offer all reasonable assistance and co-operation in order to put any Transfer Request into effect.

Commencement

7. Where on commencement of the Services (or any part of the Services) (the “Service Commencement Date”) any employees of Citi or of an existing supplier of Citi (the “Affected Employees”) may become employees of Supplier or any of its affiliates, agents or sub-contractors as a result of:

(a) applicable Transfer Legislation; or

(b) a Transfer Request;

it is acknowledged and agreed that Citi shall have no responsibility or liability for such employees and the principles set out in Sections 8 and 9 below will apply.

8. Supplier will co-operate to ensure a smooth transfer of the Affected Employees.

9. Supplier hereby indemnifies Citi in respect of all Damages which relate to the Affected Employees before each relevant Service Commencement Date. This will include, by way of example only, any breach of Supplier’s information and consultation obligations or as a result of any claim for constructive or actual dismissal resulting from the application of the Transfer

198

Legislation or the Transfer Request by any member or former member of the incumbent supplier personnel. Supplier also indemnifies Citi in relation to any claims made by individuals that they should have transferred to Supplier pursuant to the Transfer Legislation or the Transfer Request.

During the Term

10. Supplier hereby indemnifies Citi and/or any Replacement Supplier in respect of Damages relating to the employment of any Supplier Personnel (or termination of said employment) from and including each relevant Service Commencement Date.

Termination/Expiration

11. Supplier will be required to provide (and keep updated) certain information on all material matters relating to Supplier Personnel engaged on the Services in the period leading up to termination or expiration of the Agreement including terms and conditions of employment. Such information will be provided to Citi in accordance with Section 13 below, or otherwise as may be reasonably requested by Citi. Supplier hereby permits Citi to pass that information to potential Replacement Suppliers, if required by Citi; provided that such data is presented to potential Replacement Suppliers in a form that renders it anonymous.

12. Where on termination or expiration of the Services (or any part of the Services) any employees of Supplier or any of its affiliates, agents or sub-contractors may become employees of Citi or a Replacement Supplier as a result of:

(a) applicable Transfer Legislation; or

(b) a Transfer Request;

the principles set out in Sections 13, 14 and 15 below shall apply.

13. As termination or expiration approaches, Supplier will be required to provide a final list of any employees who will transfer to Citi or a Replacement Supplier pursuant to the applicable Transfer Legislation or a Transfer Request at least three (3) months prior to termination or expiration of the Agreement.

14. Supplier will be prohibited from making certain staffing changes in the three (3) month period leading up to termination or expiration of the Agreement, including, but not limited to:

(a) assigning new employees to, or terminating the employment of existing employees assigned, to;

(b) reducing or varying the involvement of any member of Supplier Personnel in;

the performance of Supplier’s obligations under the Agreement without the written agreement of Citi, such agreement not to be unreasonably withheld or delayed

15. Supplier will indemnify Citi and/or any Replacement Supplier in respect of liabilities relating to the employment of any employees (or its termination) who transfer to Citi or a Replacement Supplier who were not notified to Citi in accordance with the requirement mentioned in Section 13 above.

16. Supplier hereby indemnifies Citi and/or any Replacement Supplier in respect of Damages in connection with or as a result of any claim or demand by or in respect of any Supplier Personnel, including without limitation in respect of redundancy, unfair dismissal, breach of contract, any other claim arising at common law, discrimination on the grounds of sex, race, disability, sexual orientation, religion or belief, age, equal pay, rights of fixed-term or part-time workers, any breach of Supplier’s information and consultation obligations and any claim in contract, tort or otherwise (in all cases whether arising under English or European law or otherwise) relating to the period prior to the date on which the provision of the Services (in whole or in part) reverts back to Citi and/or any Citi Affiliate or transfers to a Replacement Supplier (as the case may be).

199

17. Supplier also indemnifies Citi and/or Replacement Supplier in relation to any claims made by or in respect of any Supplier Personnel that they should have transferred to Citi or Replacement Supplier pursuant to the Transfer Legislation.

200

EXHIBIT CSA-H

ESCALATION PROCEDURES

For the purposes of this Exhibit CSA-H (Escalation Procedures), the following words have the following meanings:

“Level 1 Dispute Managers” mean in respect of Citi [ ] and Supplier [ ]; and

“Level 2 Dispute Managers” mean in respect of Citi [ ] and Supplier [ ].

1 Any dispute arising out of or in connection with the Agreement which cannot be resolved by the individuals identified as the respective Level 1 Dispute Managers within ten (10) days of the matter being referred to them, shall be referred for resolution to the individuals identified as the respective Level 2 Dispute Managers.

2 Nothing in this Exhibit CSA-H (Escalation Procedures) shall be deemed to restrict or limit either Party’s rights under this Master Agreement, including, any termination right or any right to seek a remedy for breach by the other Party under this Master Agreement.

3 For the purpose of this Exhibit CSA-H (Escalation Procedures), the identity of the respective Level 1 and Level 2 Dispute Managers shall be as set out in this Exhibit or as otherwise set out in the relevant Local Country Addendum.

4 Either Party may change its Level 1 and/or Level 2 Dispute Manager upon written notice to the other Party, provided that the replacement for each such individual occupies the same or similar position in the organisational hierarchy of the Party as the individual currently set forth in this Addendum or of the applicable Local Country Addendum.

201

Appendix 3.8 — Additional Terms and Conditions for Customer-Facing Services

The following terms and conditions supplement and/or modify the terms and conditions of the Agreement with respect only to the provision by Supplier of Customer-Facing Services.

1. DEFINITIONS.

1.1 Specific Words or Phrases. The following is added to Section 1.1 (Specific Words or Phrases) of the Agreement with respect to any Customer-Facing Services only: All references in the Agreement to “Services” or “services” are deemed to refer to the Customer-Facing Services described in this Appendix 3.8.

The Parties acknowledge and agrees that the term “Applicable Law” includes: (a) state foreclosure laws and regulations and (b) the rules, guidelines and other releases issued by various United States Federal Agencies, including the Office of the Comptroller of the Currency (sometimes referred to as Red Flag Guidelines and Regulations) implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003.

“Content” means Citi’s Confidential Information and any other data, reports, statistics or information of any kind (a) furnished or made available directly or indirectly to Supplier by or on behalf of Citi or its Affiliates or by or on behalf of its or their clients, customers or service providers, (b) created, produced via the Services, or (c) derived from any of the foregoing.

2. Working Hours. The following is added to Section 5.8 (Working Hours) of the Agreement with respect to Customer-Facing Services only: “Supplier acknowledges and agrees that its commitment under Section 5.8 (Working Hours) of the Agreement includes Supplier’s obligation to instruct, and to use reasonable efforts to ensure that, those of its Personnel working on Citi’s facilities do not attempt to gain access to Citi’s facilities outside of normal working hours (or on a scheduled holiday) for those facilities and to cooperate with, and comply with the security-related instructions of, Citi’s Personnel.”

3. Policies and Procedures. The following is added to Section 5.1 (General) of the Agreement with respect to Customer-Facing Services only: “Supplier acknowledges and agrees that its commitment under Section 5.1 (General) of the Agreement to have those of its Personnel working on Citi’s facilities comply with Citi’s workplace policies and procedures includes compliance with the physical security procedures and other security measures of Citi and its Affiliates. Citi will use reasonable efforts to keep Supplier apprised of all physical security procedures and other security measures. Citi will have the discretion to issue, activate, confiscate and deactivate identifications cards, keys or other security devices to or from those of Supplier’s Personnel working on Citi’s facilities; provided that Citi’s conducting of these actions will not be deemed to imply any employment relationship between Citi and such Personnel.”

4. The following replaces in its entirety Section 4.10.6 (Disaster Recovery Plan) of the Agreement with respect only to Customer-Facing Services:

“4.10.6 Disaster Recovery Plan. Supplier will maintain a contingency plan (a “Disaster Recovery Plan”) for the continuation of business (and provide evidence of its current and periodic testing if requested by Citi) so that despite any disruption in Supplier’s ability to provide the Services or to perform its other obligations hereunder from any particular location or through the efforts of any particular individuals, Supplier will promptly be able to provide the Services and perform its obligations from an alternate location or with replacement Personnel. A copy of the Disaster Recovery Plan must be provided to Citi within ten (10) days of the Effective Date of each Work Order entered into between Citi and Supplier for Customer-Facing Services, and annually thereafter for so long as each Work Order is in effect. Supplier will provide Citi with any instructions or other information necessary for Citi to continue to receive Services from Supplier under circumstances where Supplier has had to invoke its Disaster Recovery Plan. Supplier represents, warrants and covenants that its disaster recovery plan will, at a minimum, include: (i) maintenance by Supplier of a secondary disaster recovery site separate from the Service locations, the storing of back-up media at a location separate

202

from the Service locations, the use of redundant communications lines and servers, etc.; (ii) procedures for back-up/restoration of operating and application of the Services, including a detailed, documented plan for responding to a prolonged disruption in Services caused by power failure, system failure, natural disaster, or other unforeseen circumstances that includes processes and procedures for resuming operations within a mutually agreed upon time period; (ii) procedures for the protection of all Content; (iii) procedures and any third party agreements for replacement equipment (e.g., computer equipment), and (iv) procedures for any off-site production facilities. In addition, Supplier’s Disaster Recovery plan will provide that: (a) Supplier will notify Citi in writing within two (2) hours of any disaster that could negatively impact the Services; (b) Supplier will provide Citi, within 24 hours of said notice, a plan to continue to provide the Services at an alternative processing facility, and (c) the Services must be fully operational within 48 hours of the initial notice. Supplier agrees, upon request, to release the information necessary to allow Citi to develop a disaster recovery plan and a continuity of business plan, which will work in concert with Supplier’s disaster recovery plan and continuity of business plan. Supplier agrees to annually test its disaster recovery plan and, upon request, provide a written report of the results of the disaster recovery test to Citi. In the event that parts of Supplier’s facilities are inoperable, Supplier will treat Citi no less favorably than Supplier treats its other commercial customers. Supplier will ensure that any Subcontractor of Supplier maintains a Disaster Recovery Plan and related processes and controls that are fully consistent with the provisions and requirements of this Section 4.10.6 (Disaster Recovery Plan) applicable to Supplier.”

5. Diligence Certificate. Supplier acknowledges that Citi and its Affiliates are required to conduct regular diligence of those of its suppliers that conduct Customer-Facing Services through an annual questionnaire/certificate (the “Diligence Certificate”) that addresses: (1) Supplier’s business licenses (including articles of incorporation, certificates of good standing any applicable required licenses), (2) Supplier’s compliance with Applicable Law, (3) insurance coverage, (3) skills, qualifications, and expertise, (4) Supplier’s capacity (including staffing levels and workload balancing), (6) business processes, (7) compensation practices, (8) financial viability and counterparty risk, (9) reputation risk (complaints / pending litigation), (10) Customer-facing policies and practices, (11) Supplier’s references, (12) relationship of principals, (13) reliance on subcontractors, contractors or any third party providers, (14) training program review, (15) business continuity plan, (16) quality audit results and compliance with any applicable service level commitments, and (17) document management and storage. Supplier will, from time to time, provide Citi with any other information or documents as Citi may request in order to ensure compliance with (i) this Agreement, (ii) Citi’s corporate policies, and (iii) regulatory requirements applicable to Citi and Supplier.

6. Security. If any Confidential Information, as defined in Appendix 13 (including any Customer Data), is maintained or in any manner stored on a website or web accessible system, Supplier will disclose to Citi, which disclosure may be included in the description of Services. If Supplier maintains or stores Citi Confidential Information as contemplated above, then Supplier (i) (a) will cause a SSAE 16 audit (or any successor authoritative guidance for reporting on service organizations) to be performed once a year during the term of this Agreement, and (b) will provide to Citi, no more than once annually, a copy of the reports Supplier receives related to compliance with SSAE 16 (or any successor authoritative guidance for reporting on service organizations); (ii) will comply with ISO/IEC 27002 information security management standards (or successor information security management standards that establish higher standards and protocols); and (iii) will abide by the computer security provisions attached hereto as Exhibit 1 to this Appendix 3.8.

7. Customer Complaints. Supplier agrees to notify Citi’s “Executive Response Unit,” attn: Escalation Manager or as otherwise instructed by Citi in writing, as well as provide written notice in accordance with Section 22.1 (General) of the Agreement within twenty-four (24) hours of any written or oral submission of dissatisfaction or concern (collectively, “Complaints”), received by Supplier from any Customer or from any Regulator related to Supplier’s performance under this Agreement, the Services, Citi, Supplier’s possession of the Customer Data or which relate to the privacy rights of any Customer. Unless Citi makes such a system available to Supplier, Supplier will also develop, implement, and maintain a system

203

(“Tracking System”) reasonably satisfactory to Citi to track Complaints and provide Citi, at its discretion, a copy of reports or access to systems. The Tracking System will (i) categorize Complaints by type, date received and date notice of the Complaint was provided to Citi, (ii) track the course of handling of the Complaint until conclusion/resolution, and (iii) provide for all other matters as may be reasonably requested by Citi. The Tracking System must be designed to allow Supplier to determine if it receives an inordinate amount of Complaints regarding a particular matter so that Supplier (in consultation with Citi) can (a) determine if there is a systemic issue regarding Supplier’s business or its provision of Services hereunder, and (b) promptly correct problems.

204

Exhibit 1 to Appendix 3.8 — Computer Security Guidelines

A. General

Appoint one Supplier employee, knowledgeable about computer security matters, to respond to Citi’s inquiries regarding computer security.

Use commercially reasonable efforts to monitor, on a regular basis, reputable sources of computer security vulnerability information such as FIRST, CERT/CC, and vendor mailing lists, and take appropriate measures to obtain, thoroughly test, apply and provide to Citi relevant service packs, patches, upgrades, and workarounds.

Test, on at least a quarterly basis, the implementation of its information security measures through the use of network, system, and application vulnerability scanning tools and/or penetration testing.

Permit Citi to request and/or perform, at the expense of Citi, up to two security assessments per year, including but not limited to, review of policies, processes, and procedures, on-site assessment of physical security arrangements, network, system, and application vulnerability scanning, and penetration testing.

Maintain, for a period of at least 180 days (or such longer period as may be required by law or contract) detailed logs files concerning all activity on Supplier’s systems including, without limitation:

· All sessions established

· Information related to the reception of specific information from a user or another system

· Failed user authentication attempts

· Unauthorized attempts to access resources (software, data, processes, etc.)

· Administrator actions

· Events generated (e.g., commands issued) to make changes in security profiles, permission levels, application security configurations, and/or system resources.

All log files should be protected against unauthorized access, modification, or deletion.

B. Network and Communications Security

Deploy multiple layers of defense including on Supplier systems, but not limited to firewalls, network intrusion detection, and host-based intrusion detection systems. All security monitoring systems including, but not limited to, firewalls and intrusion detection systems must be monitored 24 hours per day, 365 days per year.

Configure firewalls, network routers, switches, load balancers, name servers, mail servers, and other network components in accordance with commercially reasonable industry standards.

At the request of Citi, based on information received by Citi about vulnerabilities and threats, restrict access to any Citi-specific component of the networks, systems, and applications used to provide services under this Agreement.

C. Infrastructure Platforms, Services, and Operations Security

Configure all infrastructure platforms and services (operating systems, web servers, database servers, firewalls, routers, etc.) used to provide services under this Agreement and authentication mechanisms according to industry best practices.

Ensure that all remote administrative access to production systems is performed over encrypted connections (i.e., SSH, SCP, SSL-enabled web-management interfaces, and VPN solutions).

D. Application Security

Permit only authenticated and authorized users to view, create, modify, or delete information managed by applications used in connection with providing services under this Agreement.

205

Ensure that web browser cookies that store confidential data are encrypted using a public and widely accepted encryption algorithm. This encryption must be performed independently of any transport encryption such as Secure Sockets Layer. All other cookies must be opaque.

“Time out” and terminate system communication sessions after a mutually agreed upon period of user inactivity.

Terminate any active sessions interrupted by power failure, system “crash,” network problem, or other anomaly, or when the connection is interrupted by the user.

Validate all input and output prior to use to avoid data-driven attacks such as “cross-site scripting” and “SQL injection.”

E. Data Security (check if applicable)

Transmit all highly confidential Citi information via some mechanism other than a Web browser, using a Citi approved encryption algorithm.

When database storage is required, store all Citi information classified “Confidential” or above in a separate database (i.e., a database that is not shared with or accessible by other Supplier customers).

F. Physical Security

Maintain all workstations, servers, and network equipment used to provide services under this Agreement in secure facilities owned, operated, or contracted for by Supplier.

Limit access to these secure facilities to authorized Supplier staff members with job-related needs.

Monitor access to these secure facilities through the use of security guards, surveillance cameras, authorized entry systems, or similar methods capable of recording entry and exit information.

Maintain all backup and archival media containing Citi information, or other information used to provide services under this Agreement, in secure, environmentally-controlled storage areas owned, operated, or contracted for by Supplier.

Limit access to backup and archival media storage areas and contents to authorized Supplier staff members with job-related needs.

G. Malicious Code and Virus Protection

Use the latest, commercially available virus and malicious code detection and protection products on all workstations and servers used to provide services under this Agreement.

Report all occurrences of viruses and malicious code, not handled by deployed detection and protection measures, on any workstation or server used to provide services under this Agreement, to Citi within 24 hours of discovery.

H. Business Continuity and Recovery

Perform backups of all systems, applications, and data used to provide services under this agreement in a manner consistent with the business resumption specified elsewhere in this Agreement.

Periodically transfer backup media to a secure off-site storage facility.

Have a detailed, documented plan for responding to a prolonged disruption in services caused by power failure, system failure, natural disaster, or other unforeseen circumstances that includes

206

processes and procedures for resuming operations within a mutually agreed upon time period.

207

Appendix 4.2.3 — Governance

Steering Committee
Citi		Supplier
· Managing Director Global Resource and Location Strategy · Managing Director Global Head of Technology Information (CTI) · Managing Director, Chief Technology Officer (CTO) · Managing Director GCB Head of Technology · Managing Director Global ICG O&T Head · Managing Director Enterprise Supply Chain		· CEO, Polaris · Chief Client Officer, Citi Relationship · Delivery Head1, Citi Relationship · Delivery Head 2, Citi Relationship · Sales Head, Citi Relationship
Program Manager
Citi		Supplier
Manager of Citi Enterprise Supply Chain — Sourcing, IT Professional Services		Operations Head — Citi Relationship

208

Appendix 4.7.1 — Key Personnel — Restricted Entities

Banco Santander

Bank of America

BNP Paribas

HSBC

JPMorgan Chase

Wells Fargo

Any affiliate of the above-named entities

209

Appendix 6.4.3 — Quality of Service Metrics

Supplier shall for engagements which are not deliverables-based (i) use commercially reasonable efforts to perform the Services in accordance with the guidelines/metrics set forth below and (ii) track and report achievement of each of the metrics set forth below on a monthly basis through monthly status reports. Such guidelines/metrics would be discussed and agreed upon by the parties depending on the type of resources and skill set required on a case to case /Work Order basis and may be included as Service Levels in the Work Order.

[*]	[*]	[*]	[*]	[*]	[*]
[*]	[*]	[*]	[*]	[*]	[*]
[*]	[*]	[*]	[*]	[*]	[*]
[*]	[*]	[*]	[*]	[*]	[*]
[*]	[*]	[*]	[*]	[*]	[*]
[*]	[*]	[*]	[*]	[*]	[*]

Notes:

(1) Target: Measurement of each Target will derived using the following formula: (Opportunity Minus Defect) Divided by Opportunity

210

Appendix 6.4.4 — ADM Service Standards

TABLE OF CONTENTS

GENERAL		213

*Introduction*		213

*Order of precedence*		213

*Global Development Center (GDC) Requirements*		213

METHODOLOGIES, STANDARDS, AND ARCHITECTURE		215

*Methodologies, tools, and practices*		215

*Standards*		215

*Architecture*		216

APPLICATION DEVELOPMENT SERVICES		217

*General*		217

*New development and major enhancements*		217

*Engagement phases*		218

*System requirements development*		218

*Deployment*		218

*Training for new authorized users*		219

*Third parties and third party applications*		220

*Software export classifications*		221

APPLICATION TESTING		221

*General*		221

*Application testing*		221

*Authorized user testing*		222

*Application testing: minor enhancements*		223

APPLICATION MAINTENANCE SERVICES		225

*Error correction*		225

*Preventive maintenance*		225

*Minor enhancements*		226

*Regulatory changes*		226

*Production control and scheduling*		227

*Legacy interface services*		228

APPLICATION PLANNING / ANALYSIS STANDARDS		228

INTEGRATION MANAGEMENT STANDARDS		229

*Strategic planning*		229

*Verification and validation*		229

*Program management*		230

GENERAL MANAGEMENT STANDARDS		231

*Engagement management*		231

*Engagement plans*		233

*Application change management*		236

*Application problem management*		237

*Application documentation*		238

*Application portfolio management*		238

*Release control*		238

211

*Source code security*		239

*Data interfaces*		239

*Existing or new application integration*		240

Intentionally Left Blank		241

*Application continuity*		241

*Authorized user support*		241

*Logical database administration (ldba) support*		242

*Deployment management*		243

*Application operations management*		244

*Application quality assurance*		245

*Reporting*		245

*Hours of operation*		246

RESOURCE STAFFING STANDARDS		246

*Application development FTEs*		246

*Supplier management personnel qualifications*		247

*Training for Supplier Personnel*		247

212

GENERAL

Introduction

Supplier shall provide to Citi the Services and functions, and shall assume the responsibilities, in accordance with this ADM Managed Services Standards document. Supplier shall provide the Services in accordance with the applicable Service Levels.

Transition

Supplier will take responsibility for the Services defined in awarded Work Orders, as of contract award date.

Supplier will work directly with the current incumbent service providers in order to put in place the necessary arrangements to accomplish transition.

Supplier pricing must include all costs associated with any transition activities necessary to meet the contract award start date requirement.

Order of precedence

Where obligations of Supplier are described in the Work Order and its Attachments, such obligations shall be read, to the extent reasonably possible, as consistent obligations and, to the extent not reasonably possible, the order of precedence shall be, in descending order:

· The Work Order (including a Work Order designated as a statement of work)

Attachments or exhibits to the Work Order, other than any technical solutions documents (“TSDs”) that happen to be attached to the Work Order.

Any TSDs that may also be attachments or exhibits to the Work Order. TSDs are intended to be only clarifying reference documents of Supplier’s technical solution. They shall not redefine, alter or modify the Work Order obligations without prior written Citi approval. They shall also not redefine, alter or modify the Service Level requirements or the Pricing and Payment Provisions without prior written Citi approval. If there is a discrepancy or inconsistency between a TSD and any of the Work Order, or any attachments or exhibits to the Work Order, including the Service Level or Pricing and Payment Provisions exhibits, the TSD shall in all cases be accorded the lowest order of precedence in resolving the discrepancy or inconsistency. In any case, nothing in any TSD shall be interpreted to add any additional Charges for the Services, as all such Charges are set forth in Pricing template.

Global Development Center (GDC) Requirements

Supplier is responsible for providing the base facility infrastructure of a Global Development Center, including, without limitation, secure floor space for its Personnel, and software and hardware conforming to Citi standards. In addition, Supplier is responsible for hardware and software required to enable its offsite team to achieve similar productivity to on-site locations, regardless of where that hardware/software is located. Upon written consent of Citi, Supplier may add or change its GDC strategy. The information below provides the minimum requirements for a Supplier’s GDC.

GDC Infrastructure Overview

· All changes or additions to hardware (except Desktop Hardware) shall be in accordance with mutual written agreement of the Parties. Supplier shall maintain standards of facilities and services that Citi and Supplier mutually agree are adequate for the conduct of work under the Work Order. If any changes in the requirements of standards are proposed by Citi, Supplier will use reasonable efforts to implement such requirements. Citi and Supplier will mutually agree on any reimbursement for additional or incremental cost of complying with such additional requirements, subject to the procedure set forth below and provided that the cost of any infrastructure adjustments requested by Supplier and approved by Citi shall be borne by Supplier.

· Major infrastructure needs will be identified and agreed upon by Citi and Supplier ninety (90) days in advance to ensure adequate resources will be

213

set aside by Supplier to implement infrastructure improvements and changes in a timely manner. Implementation of major infrastructure adjustments require adequate notification — a minimum of ninety (90) days prior written notice — to Supplier prior to commencement of the adjustments to ensure that there are no disruptions to service levels. Such adjustments, including but not limited to expansion of existing facilities or establishment of new facilities from which Citi’ Work Order are to be executed, will only be undertaken by Supplier upon receiving explicit written approval from Citi’s authorized official.

· Supplier is required to be linked to Citi’s location via high speed data link(s). The cost of these and additional link(s) will be borne by Supplier (see Section 2 below). The cost of any network demarking equipment (e.g., routers) that needs to be installed at Citi premises and Citi last mile connectivity (up to Citi firewall) - will be borne by Supplier. The cost of any equipment behind Citi’s firewall will be borne by Citi, with the exception of Productivity Hardware/Software. Supplier will provide no less than quarterly reports to Citi detailing data, voice and video usage, originating to and from the Global Development Center.

· Supplier shall ensure complete redundancy on the last mile circuits (no single point of failure) between Supplier and Citi network, including but not limited to redundant, alternate PPT central offices.

· Usage of links must not exceed an average of seventy percent (70%) over a fifteen (15) minute time period over a ten (10) hour day for normal use as seen on the telecom circuit. Occasional file transfer requirements (“FTP”) are exempt from this requirement. Citi will provide assistance in measuring the utilization. If in seventy percent (70%) of the samples during a month, the link utilization exceeds seventy percent (70%), Supplier will provide Citi with upgrade plans for the link with Citi and initiate necessary actions to implement the upgrade after approval from Citi. The seventy percent (70%) link utilization measurement will be done by monitoring from the CSU/DSU or other link/WAN devices output, and will NOT be taken as estimation via the LAN/Ethernet port.

· All equipment connected to Citi must adhere to Citi’ published standards and technology stacks. Citi will provide Supplier with the standards and may update them regularly. Citi allow a reasonable time for Supplier to move to new standards.

· Where appropriate, Citi will consider opportunities to sub-license or loan, at no cost to Supplier, Citi-specific hardware, software, case tools etc. that Citi uses to enhance productivity (to the extent permitted by the relevant product license) so as to ensure usage of common “best practices” in the development of the Personnel of Citi and Supplier.

GDC Connectivity Requirements

· Deployment of Cisco routers at designated Citi Data Center(s) at Supplier’s expense. (The Citi Data Centers may not be in the same country as Supplier).

· These routers will be monitored and managed by Supplier and will require Fast Ethernet (100MBPS/Full Duplex) interfaces for Citi to Vendor DMZ handoff.

· WAN service to each designated Citi Data Center. The circuits will be owned and monitored by the bidding vendor. Each circuit will need to have complete carrier diversity including last mile central office diversity.

· Supplier will encrypt all Citi data across the WAN infrastructure through the use of external WAN encryption units or IPSEC Triple DES encryption between Cisco routers. Additional encryption of sensitive data may also be required.

214

· All IP subnets used to exchange routing information must be public routable address space assigned to Supplier. No private addressing will be allowed to be advertised into Citi’s network.

· Citi prefers to use dynamic routing protocols to exchange routing information between companies. RIP V2 and BGP are the preferred routing protocols with Citi.

Connections to/from Supplier to other parties (such as approved subcontractors) will be provided at Supplier’s expense.

METHODOLOGIES, STANDARDS, AND ARCHITECTURE

Supplier shall use Citi specified work standards, and as these evolve over time (and where these are not specified, industry work standards) for delivery of Services specified in the Work Order.

Methodologies, tools, and practices

Supplier’s responsibilities include, but are not limited to:

Performing Application Development and Maintenance (ADM) Services with structured methodologies and automated tools, including tools for Engagement Management, and best practices it uses that supplement the ADM methodologies;

Utilization of Citi’s SDLC methodology and Planview tool;

Supporting Citi’s SDLC Methodology which describes the activities used by Citi to manage the delivery of Information Technology (IT) solutions to Citi’s business units for Application Engagements associated with the scope of each Work Order;

Conforming to Citi’s IT Infrastructure standards as the standard for IT Service management and for Engagements associated with the scope of each Work Order;

Completing the On-Going Engagements listed in Attachment (On-Going Engagements);

Installing, managing and monitoring Engagement Planning tools and methods;

Identifying and documenting change requirements in accordance with Citi’s Change and Release Management Processes;

Conducting walk-through reviews of all changes and Major Enhancements in accordance with Citi’s Change and Release Management Processes;

Verifying conformance to requirements and programming standards.

Standards

Supplier’s responsibilities include, but are not limited to:

Conforming to Citi’s data and physical security standards as provided (and revised) by Citi form time to time;

Within those standards, developing and communicating standards specific to the Application(s) within the scope of each Engagement;

Developing and communicating standards to, as appropriate, Citi and/or third parties;

Understanding and communicating to Citi and third parties the impact of standards on third party agreements;

Developing processes and procedures to meet standards;

Ensuring compliance with Citi’s enterprise architecture; (Citi retains approval and final determinations of such compliance.)

Conforming to Citi’s information security standards as provided (and revised) by Citi form time to time;

215

Providing orientation to Citi’s standards and security practices as part of its new staff orientation training and overview.

Architecture

Supplier’s responsibilities include, but are not limited to:

Participating in the development of Citi architecture and design guidelines, and assigning an Architect as necessary;

On an Engagement basis, assigning an Architect to participate in the development of Engagement-specific Architecture;

Distributing, communicating, using, and complying with architecture and design guidelines;

Using a Citi approved standard approach in developing and maintaining System Architectures for development and Maintenance modifications of Systems, including different views of each Application (e.g., communications, deployment, component, business processes, developer, architecture, hardware, software, infrastructure, interface and data components, etc.);

Applying appropriate System Architecture design to Application Enhancements;

Certifying and auditing compliance to design guidelines. Any auditing results that identify non-compliance must be accompanied by a corrective action plan with timing and content agreeable to Citi;

Communicating System and Infrastructure Architecture(s) to Application developers, including third parties;

For Application Maintenance, maintaining System Architecture documentation and updating the documentation with changes and modifications as they occur, in Supplier code and document management systems;

Proactively identifying and recommending System Architecture changes that provide benefits to Citi;

For Application Maintenance, working with Citi standards committees to exchange ideas on architecture relevant to Citi Application Services;

Delivering Applications for use on Citi-specified operating system software consistent with Citi standards;

216

APPLICATION DEVELOPMENT SERVICES

General

Supplier will provide ADM Services in alignment with Citi’s organizational and strategic objectives. Supplier, Citi and third party responsibilities are specified herein, including the Work Order and Responsibility Matrix.

Citi will use Customer Service Request (CSR) forms to request Services under each Work Order.

All ADM Engagements must be approved in advance by Citi. Prior to Supplier making source code modifications to any Application package, Supplier will obtain approval by Citi to make such changes. Citi at its sole discretion may disapprove any changes Supplier desires to make.

After Citi approval of Engagements, modifications to the business requirements or reprioritization of ADM Engagements shall be governed by Citi’s Change and Release Management Processes.

Citi may, at any time, cancel or reprioritize all or a portion of an Applications Engagement.

Upon completion of ADM Engagement Deliverables in accordance with requirements, Citi shall perform acceptance testing for the Deliverables, using Citi’s Acceptance Criteria.

New development and major enhancements

Supplier’s responsibilities include, but are not limited to:

For all Enhancement Engagements, using existing requirements and documentation, stored in Citi designated code and document management systems, for the System(s) as a starting point;

Using Supplier’s engagement estimation methodology including:

· Determining if additional resource requirements are needed for Development services

· Determining the cost of transitioning third party applications into the Development environment

· Providing estimates for Application Engagements, including the level of effort of each type of FTE, the skill levels that will be used, the on-shore/off-shore resource mix that will be employed, and the method of knowledge transfer which will be used as FTEs are moved on and off of the proposed Engagement;

Developing, for Citi’s approval, a set of Application Acceptance Criteria, to include processes and procedures, as a Critical Deliverable;

Logging each Citi request for Application Engagement on a CSR as described in the Engagement Management (Customer Service Request Estimates) section of the Work Order (Supplier shall ensure the request includes functional descriptions of the new business requirements, and supporting information (e.g., screen samples, report samples text descriptions, etc.));

Providing developmental facilities;

Selecting the development environment and tools (The development environment should be an equivalent or mutually agreed upon platform to the production environment (e.g., operating system, database version, type of hardware));

Providing Engagement initiation services including:

· Providing tools, techniques, and applicable methodologies to Citi to assist and guide ROI and cost/benefits justification,

· Providing a full description of Engagement scope (similar in specificity to this Work Order), Deliverables, functional and financial responsibilities of the parties involved,

· Developing Engagement Plans, schedules and resource estimates,

217

· Estimating work effort and duration required to complete the tasks and each type of test,

· Designing alternatives,

· Training requirements,

· Acquiring approval of Engagement Deliverables;

Maintaining design documentation, run-time manuals, and source code libraries as a normal part of Supplier’s Application Development efforts, and in accordance with the documentation section of the Work Order (On-going updates related to changes in the Applications and Authorized User documentation will be supplied to Citi according to Citi’s documentation and distribution standards.);

Using Citi’s Change and Release Management Processes to migrate the results of the new development to the pre-production and production environments

Engagement phases

Supplier will create/update all deliverables associated with the phases of Citi’s Engagement Methodology applicable to the Services, as defined in Citi Technology’s SDLC Standard (to be provided upon request).

System requirements development

Supplier’s responsibilities include, but are not limited to:

Loading all System requirements into Citi’s requirements Not clear what this means;

For business processes that are not documented by Citi, documenting the current state business processes, as requested by Citi;

Analyzing, refining, and documenting future state business processes, as requested by Citi;

Facilitating and documenting the business requirements, as requested by Citi;

As requested by Citi, developing and documenting System requirements for Plan and Define Phases including:

· Developing use case briefs,

· Participating in use case input sessions,

· Conducting COTS selection,

· Incorporating standard non-functional System requirements,

· Providing additional non-functional System requirements,

· Developing use cases,

· Developing prototype(s),

· Deriving System requirements,

· Defining releases.

Deployment

Correction of Non-Conformities Revealed during Deployment

All Application Non-Conformities which occur during deployment (or during Warranty Period) will be corrected by Supplier, and appropriate documentation for such correction produced and delivered to Citi, on a mutually acceptable schedule as described in Citi’s Change and Release Management Processes.

Non-Conformities during deployment will be logged through a Service Desk that will answer Calls from Authorized Users, log the problems, provide Level 1 Support and route Level 2 Support issues through to Supplier Engagement team as soon as they are discovered.

218

Supplier’s responsibilities include, but are not limited to:

Communicating Non-Conformities to Engagement Stakeholders and updating them on the status immediately upon identification;

Classifying the Non-Conformities as defects vs. requirements changes, and obtaining Citi concurrence;

Routing the Non-Conformities to Supplier deployment team members to resolve the problems;

Correcting Non-Conformities in the development environment;

After successfully testing the corrected Non-Conformities, assisting the third party that is responsible for promoting the Application to production in accordance with Citi’s Change and Release Management Processes;

Informing the Service Desk that the Non-Conformity has been fixed.

Maintenance during Deployment

Supplier’s responsibilities include, but are not limited to:

Maintaining the Application during initial deployment and warranty period;

Assigning Supplier team members to specific functional and technical areas with responsibility to resolve possible Non-Conformities during the deployment period;

Track changes and implement corrections in accordance with Citi’s Change and Release Management Processes.

Non-disruptive Transition to the Citi Application

Supplier’s responsibilities include, but are not limited to:

Performing the transition to the new Application and migrating of data to the new Application in a non-disruptive manner;

Performing transition activity in such a manner that it causes no disruption to Authorized User operations at any time;

Performing transition activity during scheduled Maintenance windows or as otherwise mutually agreed.

Deployment Acceptance

Supplier’s responsibilities include, but are not limited to:

Preparing a written notice of having met all Citi Acceptance Criteria for initial deployment, in accordance with the deployment plan

Submitting to Citi for review and approval the written notice indicating that Citi’s Acceptance Criteria have been met

Training for new authorized users

Citi retains the right to approve training materials prior to implementation.

Supplier’s responsibilities include, but are not limited to:

Scheduling and providing Train-the-Trainer sessions to Citi designated personnel for the applicable Services;

The content of the training will include the following:

· A general introduction to Citi’s policies and typical Equipment and Software for Authorized Users,

· Authorized User interface orientation,

· Data protection (backup and security),

· Application log on/off and general security procedures,

· Changing passwords (Network and email),

· Accessing Applications and communications,

· Service Desk procedures and contact information,

· Remote dial-up procedures (as applicable);

219

Establishing training related to Services that is customized for Authorized Users for the Services within Citi’s environment;

Composing multiple levels of training for specific applications (for example beginner, intermediate, and advanced training in standard Applications used by Authorized Users);

Creating training in the use of Equipment and/or Software that are used by Authorized Users (or will be used as part of a new technology roll-out);

Compiling Authorized User training and associated “user guide” documentation for all Services.

Third parties and third party applications

Application Development and Enhancement Engagements may be competitively bid to Supplier and third parties. These Engagements will be viewed as separate events requiring separate pricing and staffing. In the event that Supplier is not awarded an Application Development and Maintenance Engagement, Supplier will assist and fully cooperate with third parties that have been selected to implement certain specific Engagements. Supplier and Citi will use the Change Management process to determine the impact on Supplier’s scope from implementing third party Software.

Supplier’s estimator model should also illustrate the situations when Supplier will need to use the ARC/RRC process to increase or decrease Application support resources to accept third party applications.

Supplier’s estimator model must be within twenty percent (20%) of the budgeted work effort to accept third party application(s). Until such acceptance is obtained, no such applications will be part of Supplier’s responsibilities under this Agreement. Notwithstanding, Citi is under no obligation to approve the pricing of third party applications because it is within twenty percent (20%) of estimate.

Supplier Application Acceptance Criteria will describe the criteria that such Applications must satisfy in order for Supplier to accept, without extra charge, the Applications as part of the Services.

Supplier’s responsibilities include, but are not limited to:

Initiating and executing third party contracts for third party components;

Performing contract negotiations for Supplier’s subcontractors;

Working with Citi to assist third parties to integrate into Supplier’s development environment and help estimate any additional level of effort for future work;

Providing third party Software developers with all necessary documentation, processes and standards, including but not limited to:

· Integration standards,

· Guidelines for implementation,

· Infrastructure requirements,

· Guidelines for support, standards and methodology,

· Interface requirements including, with Citi’s prior written consent, application source code, to the extent either is available;

Conducting Quality Assurance reviews of third party Software developers’ Software for compliance with standards and methodology;

Assisting third party Software developers with interface testing;

Accepting third party Software developers’ Software in accordance with Supplier Application Acceptance Criteria with production sign-off, deficiency report and acceptance for AD;

Reviewing and coordinating implementation of third party Software developers’ Software, including supporting the transition from Application Development to Application Maintenance, providing guidance and recommendations, and participating in issue resolution processes and deployment planning activities.

220

Software export classifications

Requirements for Plan and Define Phases

Supplier’s responsibilities include, but are not limited to the following.

In addition to its obligations as set forth in the Terms and Conditions, Supplier will provide information to Citi for the export classification of planned Applications(s).

If an export license must be obtained in conjunction with the planned Application(s), Supplier must:

· Obtain export licenses from appropriate government authorities

· Notify Citi that such licenses were obtained

· Include such license information in the Application Deliverables.

Requirements for Construct/Test Phases

Supplier’s responsibilities include, but are not limited to:

In addition to its obligations as set forth in the Terms and Conditions, Supplier will verify that the export classification for the developed Application has not been changed from the classification determined at the conclusion of the Plan/Define Phases

If an export license must be obtained in conjunction with the Application(s) under development, Supplier must:

· Obtain export licenses from appropriate government authorities

· Notify Citi that such licenses were obtained

· Include such license information in the Application Deliverables

APPLICATION TESTING

General

Supplier will follow the testing processes as described in Citi’s policy and procedures guides.

Application testing

Before introducing new Development or Major Enhancement into Citi’s Production Environment, Supplier will be responsible for the following testing activities to ensure that the new Development or Major Enhancement is compatible with Citi’s standard suite of products, Commercial Off-the-Shelf Software (COTS) and custom developed Applications.

Supplier’s responsibilities include, but are not limited to:

Validating compliance with the Quality Assurance (QA) processes

Creating a test plan as described in Citi’s Policy and Procedures Guide for each new Development or Major Enhancement to perform the appropriate types of level of testing and coordinating all testing with Citi as appropriate, including:

· Unit testing:

· The unit test manager will ensure that the necessary documentation, test plans or test scripts, and data will be available before promoting the testable unit to the unit test region.

· If no problems are encountered, the exit criteria will be fulfilled and the testable unit will become part of the unit test build.

· If problems are encountered, the testable unit will be demoted to development.

· The unit test manager will prepare reports using the problem tracking tool for use by the development team.

· System regression and integrated component testing as defined in Citi Technology’s SDLC Standard (to be provided upon request)

221

· Performance testing as defined in Citi Technology’s SDLC Standard, including load and stress testing:

· A series of tests will be executed with the aid of load testing tools. Application performance criteria set in technical and functional specifications will be the basis for determining the acceptable performance of Applications.

· Performance under load criteria will determine screen response under average and peak conditions as well as overall extended uptime characteristics of Applications.

· Capacity limit testing will be performed on variables such as input volume or number of concurrent processes.

· Supplier test team will facilitate participation in test analysis and load testing activities with a cross-functional team of Application performance test experts, Application development teams and operations performance experts.

· Disaster recovery testing as defined in Citi Technology’s SDLC Standard

· Regression testing when a change impacts multiple components of an Application. Citi expects to have regression tests maintained as part of the Application acceptance process and that they will be updated as needed.

Promptly correcting any Non-Conformities revealed by such tests (and appropriate documentation for such correction produced and delivered to Citi), and resubmitting to testing the corrected system, sub-system, or a logical grouping of one or more executable modules. Correction of non conformities will be responsibility of Build team;

Where applicable, verifying compliance with Citi’s integration specifications and requirements;

Establishing the test environment in accordance with Citi Technology’s SDLC Standard when such activity is assigned to Supplier;

Providing test facilities/labs and beta test sites for testing web-based Applications as needed

Validating compliance with Citi’s QA processes.

Authorized user testing

Supplier’s responsibilities include, but are not limited to:

Coordinating User Acceptance Testing (UAT), in an established Citi-approved pre-production environment;

Developing a UAT structure for using Citi-provided test cases, including:

· Supplier test team and selected subject matter experts (SMEs) will observe the execution of the automated test scripts and analyze their results,

· The SMEs will use the test cases to perform tests on the Application to ensure it meets specifications,

· Problems will be logged and a team will be convened to discuss issues resulting from the tests and to determine if the Application has passed acceptance tests or needs to be demoted to the integration test region;

Implementing a matrix of Authorized User and design requirements to test cycles and scripts;

Completing all required UAT documentation;

Developing and maintaining UAT data and repositories;

Monitoring and reviewing production errors in order to improve UAT models over time;

Logging UAT results;

Conducting walk-throughs of UAT results with appropriate Citi Personnel;

Reviewing changes and Enhancements with Authorized Users to obtain sign off.

222

Application testing: minor enhancements

Supplier will follow the testing processes for Minor Enhancements as described in Citi’s Policy and Procedures Guide.

Before introducing a Minor Enhancement into Citi’s production environment, Supplier will be responsible for the following testing activities to ensure that the Minor Enhancements are compatible with Citi’s standard suite of products, Commercial Off-the-Shelf Software (COTS) and custom developed Applications.

Supplier’s responsibilities include, but are not limited to:

Validating compliance with Citi’s Quality Assurance (QA) processes;

Creating a test plan for each Minor Enhancement to perform the appropriate types of level of testing for each Enhancement, and coordinating all testing with Citi as appropriate, including:

· Unit testing:

· The unit test manager will ensure that the necessary documentation, test plans or test scripts, and data will be available before promoting the testable unit to the unit test region.

· If no problems are encountered, the exit criteria will be fulfilled and the testable unit will become part of the unit test build.

· If problems are encountered, the testable unit will be demoted to development.

· The unit test manager will prepare reports using the problem tracking tool for use by the development team.

· Functional testing. The process for integration and functional testing shall be the same as unit testing with the following modifications:

· The integration test manager ensures that all units in the Application have been successfully tested prior to execution of the integration tests.

· The integration test plan will be developed from Authorized User requirements and unit test plans and configured into an automated test tool.

· Additional tests will be run by testers to identify unexpected results from unexpected inputs.

· Problems encountered will be classified as to their severity by an Integrated Process Team (IPT) and a decision will be made whether to accept the Application or to perform additional work.

· If additional work is required, the Application will be demoted to the unit test region.

· Stress testing:

· A successful acceptance test will be the pre-requisite for entry into the stress testing region. This region will be configured substantially the same as the production environment.

· Performance under load criteria will determine screen response under average and peak conditions as well as overall extended uptime characteristics of Applications.

· Capacity limit testing will be performed on variables such as input volume or number of concurrent processes.

223

· Supplier’s infrastructure staff, developers, and system owners will be involved in the process, but overall execution and ownership of integration testing and test results will be the responsibility of Supplier’s testing team. This testing team will not report into the development or Application configuration teams.

· Systems integration testing,

· LAN/WAN connectivity testing,

· Application inter-connectivity testing that simulates Citi’s production environment,

Where applicable, verifying compliance with Citi’s integration specifications and requirements;

Establishing the test environment;

Providing test facilities/labs and beta test sites for testing web-based Applications as needed;

Validating compliance with Citi’s QA processes;

224

APPLICATION MAINTENANCE SERVICES

Error correction

Supplier’s responsibilities include, but are not limited to:

Performing error corrections within the framework of the Change Management and Problem Management processes as documented in Citi’s Change and Release Management Processes, and Citi’s Incident and Problem Management Processes

Develop and maintain a model equivalent to the Build/Integrate/Operate model specified earlier in this document;

Providing a separate staff for L1/L2 production support from the Build staff;

Using the error correction model for use in performing Application Maintenance Services as documented in Citi’s Policy and Procedures, including:

· Problem description and outline of planned correction, including recreate and assess problem, specify development plan, confirm problem and perform correction,

· Developing support materials, prepare for testing, performing programming cycle, performing development testing, performing system and UAT, and deployment of correction,

· Solution closure and Root Cause Analysis (RCA), to include possible process improvements, updates to Authorized User or technical documentation and training, or additional preventive Application Maintenance activities;

Updating Authorized User, system, and operations documentation as necessary;

Taking responsibility (when mutually agreed to by Citi and Supplier)for Citi’s third party Software and Supplier’s third party Software by:

· Identifying Application and/or database problems,

· Notifying the applicable third party,

· Arranging for corrections to be made,

· Coordinating the corrections,

· Testing the corrections,

· Scheduling the installation of the corrections into production,

· Submitting changes to production.

Preventive maintenance

Supplier’s responsibilities include, but are not limited to:

Providing tools and conducting Application tuning, code restructuring, and other efforts as typically undertaken to improve the efficiency and reliability of programs;

Using structured and consistent maintenance processes across all Applications to improve the quality, efficiency and reliability of Applications and to minimize on-going maintenance;

Proactively monitoring Applications as part of on-going Application Maintenance activities to assess opportunities for improvement in efficiency and reliability, and presenting such opportunities to Citi for its prioritization and approval;

Identifying opportunities to make long-term improvements in Applications in order to reduce daily maintenance and allow Applications to be more flexible, responsive, and cost effective;

Evaluating package Applications for release and version currency to minimize and/or eliminate as many customizations as possible;

Documenting modifications and making documentation available to all Application groups, to share knowledge and increase savings;

Using a CSR form to estimate preventive maintenance Engagements for review with Citi for approval prior to commencement of the work;

225

Providing tools to identify methods for improving Application efficiencies;

Providing experience, tools, and methods to be proactive in the identification of run-time improvements;

Identifying potential run-time improvements, to include the performance of Applications, as well as the efficiency of Database Management System (DBMS) usage;

Monitoring and analyzing trends to identify and proactively prevent potential problems;

Performing Application modifications, testing and acceptance testing needed to maintain all third party Software;

Performing Application modifications, testing, and acceptance testing needed to support up to two (2) migrations per year to support security enhancements;

Performing Application modifications, testing and acceptance testing needed to support infrastructure hardware refreshes;

Projecting capacity required to meet the needs of Supplier-responsible and third party-responsible applications.

Minor enhancements

Supplier’s responsibilities include, but are not limited to:

Creating Minor Enhancements to Applications within the Change Management and Problem Management procedures as documented Citi’s Change and Release Management Processes and Citi’s Incident and Problem Management Processes, and as described herein or in the Work Order;

Providing input to allow Citi to prioritize Engagements;

Complying with Citi’s Infrastructure Management processes for Service support and delivery;

Loading all System requirements into Citi requirements repository;

Analyzing, refining, and documenting future state business processes;

Facilitating and documenting the business requirements;

Developing and documenting System requirements for Plan and Define Phases including:

· Revising and/or developing use case briefs,

· Participating in use case input sessions,

· Incorporating standard non-functional System requirements,

· Providing additional non-functional System requirements,

· Revising and/or developing use cases,

· Deriving System requirements,

· Defining releases;

Coordinating implementation, including following testing procedures;

Updating Authorized User, System, and operations documentation;

Managing Minor Enhancement Engagements and reporting on the progress of each Enhancement using reports agreed to be Citi Technology.

Regulatory changes

Supplier’s responsibilities include, but are not limited to:

Assessing the technical impact of regulatory changes and the associated technical modifications on the Applications;

Supporting Applications as required to maintain compliance with regulatory changes;

Supporting any litigation reviews, regulatory reviews, audits, compliance assessments and data-gathering exercises in a suitable time frame, as required;

226

Production control and scheduling

Citi’s business units are responsible for determining and controlling their specific production schedules.

Citi must approve production schedules prior to implementation.

Production processing will be available based upon the requirements as stated in the Applications Baseline Template, except during scheduled maintenance hours.

Supplier’s responsibilities include, but are not limited to:

Working jointly with Citi and other third parties to define and control production schedules, to include:

· Maintaining the common schedule as approved by Citi,

· Maintaining Site-specific schedules,

· Requesting job schedule changes,

· Coordination with production staff,

· Turning User Acceptance Testing (UAT) on at the beginning of the testing window, and off at the end of the testing window,

· Identifying job dependencies, creating and maintaining job dependencies on the master scheduling database, prioritizing and scheduling batch jobs and reporting distribution systems in accordance with Citi’s schedule parameters to optimize use of processing windows and scheduled availability of on-line Applications dependent on batch processing, while ensuring that batch completion times are met,

· Processing a weekly schedule, at a time to be mutually agreed between Citi and Supplier,

· Resolving ABENDS or interruptions caused by conditions internal to production programs,

· Providing prompt notification to Citi if special requests will affect the timely completion of other tasks;

Integrating production schedules with the Mainframe, Application and Server production and control scheduling functions for ADM Services;

Assisting Citi business units with production schedules to meet their requirements;

Supporting production processing activities as required;

Using a commercially-available tool that provides full scheduling coordination with linked Applications;

Rerunning Applications, modifying production controls, and modifying Applications which do not:

· Run correctly,

· Run on time,

· Generate the desired results,

· Terminate successfully;

Maintaining a complete production schedule for Applications running on platforms under its responsibility;

For Applications running on external systems which trigger processes or events on external systems, interfacing with appropriate production control personnel supporting those platforms to ensure production problems are resolved in a timely manner;

Providing business and Application knowledge to Citi Authorized User groups and other third parties to ensure that all service levels are met;

Providing input to the scheduling process and monitoring the production system runs.

227

Legacy interface services

Citi will retain authority for approval of all data or system access requests.

Supplier’s responsibilities include, but are not limited to:

Working with other third parties to provide seamless operational interfaces including technical support/consulting, logical network design/operations, data interfaces, Change Management and Problem Management activities;

Assuming responsibility for maintaining the operational interfaces with other third parties that provide legacy and infrastructure services necessary for Supplier to perform the Services;

Providing data interface support to Legacy Systems including coordinating with other third parties to debug, resolve issues, circumvent difficulties and make certain that the transaction rates (response time and volumes) meet Citi business standards and developing or ehnacing the interfaces in a manner to prevent the loss of transactions;

Providing a testing environment including support of the interfaces;

Working with other third parties to provide seamless data security including data access, system access, secure transport, and security support and consulting;

Coordinating with other third parties for researching system security problems, maintaining data access authority, processing Citi approved/completed security requests, performing security audits to ensure quality security procedures are in place, and providing incident investigation support;

Working with other third parties to provide seamless Engagement support for those Engagements that involve interfaces/integration to Legacy Systems, Commercial-Off-the-Shelf-Software (COTS), data sources or communications through the existing infrastructure;

Working with other third parties to provide real-time and batch data exchange to interface with Applications and files;

Maintaining systems to exchange real-time and batch information with several Applications on various platforms as described in Application Baseline Template;

Ensuring that Enhancements and other new functionality provided by Supplier adhere to the current integration architecture (When an alternative integration architecture is required by Citi, whenever possible Supplier will recommend solutions that adhere to Citi standards. If a non-standard solution is required, Supplier will obtain approval for implementation of the non-standard solution.);

Ensuring that only authorized IT systems have access to data that is made available for system to system interfaces as documented in approved data sharing agreements.

APPLICATION PLANNING / ANALYSIS STANDARDS

Supplier’s responsibilities include, but are not limited to:

Ensuring that all Application Development and Maintenance activities and plans are consistent with Citi’s approved technical architecture and standards in the Technical Architecture and Product Standards;

Analyzing the objectives for both the overall Applications portfolio and individual Applications, and assessing the current and planned technical environment;

Identifying requirements by engaging and working with the Application stakeholders;

Developing functional specifications for proposed Application Enhancements and/or functionality changes to existing Applications, with prior approval from Citi;

Defining high-level data requirements for Applications under development;

Developing initial integration requirements for Applications, including legacy environments;

228

Working with the appropriate infrastructure teams to ensure that the necessary infrastructure will be in place to support the Application requirements;

Documenting all initial functional and technical Application requirements in a Citi-acceptable format;

Performing a make/reuse/buy analysis for Application Engagements;

Performing an Engagement risk analysis;

Integrating quality management, improved productivity and operation, and support management into the Engagement Plan;

Selecting the development environment and tools. The development environment should be an equivalent or mutually agreed upon platform to the production environment (e.g., operating system, database version, type of hardware);

Conducting planning, analysis, and progress reviews with appropriate Citi Personnel.

INTEGRATION MANAGEMENT STANDARDS

Strategic planning

Inputs to Annual Applications Portfolio Planning Process

Supplier’s responsibilities include, but are not limited to:

Assisting Citi in conceiving and planning transformation activities oriented to business improvement through the use of information technology

Collecting high level design, cost, benefits, and risk information, and assisting Citi to subsequently develop, maintain and present a proposed portfolio for any given planning cycle;

Providing Citi estimates for specific cost components of defined engagements to support Citi’s total engagement cost estimates;

Supporting Citi in reviewing proposed engagements relative to synergy, rationalization opportunities, and alignment to the strategy across the enterprise proposed engagement set;

Reviewing with Citi value realization for all Engagements and comparing received benefits to expectations;

Preparing portfolio change requests and delivering change request to Citi, any time an Engagement will exceed the Engagement estimate by established variance thresholds;

Providing Supplier access requests to Citi’s Application portfolio management system to Citi.

Verification and validation

Testing

Supplier’s responsibilities include, but are not limited to:

Assisting Citi to identify common failure modes and providing recommendations for improvements in technical Architecture(may be beyond the scope of testing team), process definition and execution;

Obtaining approval recommendations from Citi on standardized testing deliverables during acceptance reviews;

Providing confirmation to Citi that test scripts have been re-ran to validate results as needed when test result review indicates potentially inadequate test execution;

Working with Citi to make appropriate data available in order for Citi to create the test metrics;

Recommending changes to the testing processes to Citi as necessary to drive continuous improvement in the testing processes, tools and techniques.

Process Quality Standards

Supplier’s responsibilities include, but are not limited to:

229

Recommending changes to the verification and validation processes to Citi as necessary;

Recommending changes to Citi processes as necessary.

Product Quality Standards

Supplier’s responsibilities include, but are not limited to:

Collaborating with Citi as Citi plans and coordinates acceptance reviews of Citi and Supplier deliverables;

Assisting Citi in developing an integrated process quality assurance plan for each engagement;

Providing estimates, including cost, size (functions points), effort (hours), and duration, for validation by Citi.

Program management

Citi Delivery Processes

Supplier’s responsibilities include, but are not limited to:

Recommending changes to Citi’s delivery processes to Citi as necessary;

Providing suggestions to Citi on improvements to process tailoring.

Executive Management Review Processes

Supplier’s responsibilities include, but are not limited to:

Recommending changes to the executive management review processes to Citi as necessary.

Facilitate Executive Management Review Processes

Supplier’s responsibilities include, but are not limited to:

Providing review data as required by data collection templates provided to engagement teams from Citi;

Collaborating with Citi to present the results of the review, recommended actions and anticipated results of actions if approved.

Risk Identification and Mitigation

Supplier’s responsibilities include, but are not limited to:

Collaborating with Citi to perform reviews at proposal and Engagement start-up that focus on management of high probability risks (e.g., incompatibility of multi-Supplier products) to prevent occurrence of problems related to such risks;

Working with Citi to identify engagement risks for which the Performing Supplier does not have responsibility and/or visibility and reporting the risk to Citi for resolution.

Escalation and Issue Resolution

Supplier’s responsibilities include, but are not limited to:

Working with Citi to identify program issues that need to be communicated to Citi;

For each issue identified, collaborating with Citi to identify the underlying problem, identifying alternative solutions and presenting the potential impacts to the Citi lead to support Citi risk mitigation decision making;

Verifying that program issue resolution results are documented and reported back to the engagement teams by Citi.

Standardized Metrics and Reporting

Supplier’s responsibilities include, but are not limited to:

Tracking and reporting progress to Citi on approved Engagements including actual performance (including cost) improvement compared to expected benefits and cost;

Providing metrics data specified in the metrics and measurement standards for consolidation, analysis, and reporting by Citi;

230

Verify with Citi that the provided data can be reported in several views including geographical and business unit views or as requested by Citi;

Adhering to standardized processes for measuring and reporting metrics;

Providing analysis on metrics data for trends, performance issues and opportunities for improvement to Citi;

Storing metric data and reports in a web based, Citi accessible format with ad-hoc reporting capabilities based on records retention policy;

Recommending changes to the metrics reporting processes to Citi as necessary.

Change Management

Supplier’s responsibilities include, but are not limited to:

Collaborating with Citi to implement measures to minimize the business impact and risk to Citi of any change activity;

Supporting Citi by participating on enterprise infrastructure process as needed.

Release Management

Supplier’s responsibilities include, but are not limited to:

Providing Segment expertise as Citi creates and maintains a 90-day schedule, 12-month plan, and 24-month outlook of all release activity to support the global master release schedule;

Coordinating with Citi as Citi establishes scheduling and communications for Citi Operating System upgrades/changes managed by third party;

Coordinating with Citi as Citi establishes scheduling and communications for Citi hardware insertions or refreshes managed by third party.

GENERAL MANAGEMENT STANDARDS

Engagement management

Citi maintains and uses the SDLC methodology and Planview tool for Engagement Management. Supplier will follow this methodology or Supplier’s institutionalized methodology, approved by Citi, to perform Engagement Management activities. Supplier will ensure that Supplier methodology used will maintain compliance with identified touch points (including development of Engagement Plans, equivalent Deliverables, and milestones) as the methodology may be revised or modified during the term.

General

Supplier’s responsibilities include, but are not limited to:

Upon receipt of a request for Services and in accordance with the Change and Release Management Processes, preparing Proposals, Engagement Plans, Engagement timelines, impact analyses on integrating Engagements with existing Citi Systems, and cost estimates for the design, development, integration, implementation, test, and required training for such requests;

Requesting engagement specific tailoring of system delivery processes based on standard acceptance criteria and providing recommendations to Citi during Citi approval process;

Following Supplier’s Engagement Management methodology;

Using Engagement Management tools for all major Engagements, and employing a regular reporting mechanism to identify Engagement tasks, present current status reports, and identifying potential bottlenecks and problems;

Assisting Citi with developing and defining activities to aid in Engagement Management to ensure Engagements are on time, on budget, and meet quality expectations;

Developing for each phase of the Engagement:

· High-level milestones and Deliverables,

· Supplier and Citi responsibilities, skill sets and number of personnel,

231

· Activities for the next Phase, including major tasks, dependencies, high level milestones and start/stop dates;

Participating, as required, in the development and analysis of Citi business requirements and in the development of the functional specifications for Engagements;

Examining current Citi processes by Supplier transition team and senior staff members to become knowledgeable about such processes (e.g., how work gets authorized, configuration management, Engagement Management, creation of requirements/scope, quality and testing, production implementation procedures, Problem Management, portfolio management, risk assessment, estimating, and future investment prioritization);

Shadowing, where appropriate, incumbent third parties and Citi support personnel for a period of time to help learn how Supplier will support Authorized Users;

Training the transition team and senior staff members in current processes to become knowledgeable about the processes;

Training senior staff to understand the existing Citi and third party organizations that support Citi;

Assigning staff to review existing Citi Maintenance processes (e.g., how work gets authorized, configuration management, engagement management, creation of requirements/scope control, quality and testing, production implementation procedures, problem management, portfolio management, risk assessment, estimating, and future investment prioritization, etc.);

Documenting and presenting on a regularly scheduled basis a list of issues (i.e., the issues log) to Citi regarding the status of Engagements. Supplier will also review the risk and issues log with Citi along with the Severity of identified problems;

Providing Engagement Management training to Supplier personnel as needed;

Providing all relevant deliverables standards, and meeting all relevant milestones;

Providing methodologies, tools and practices for Citi’s Applications including:

· Documenting and mapping Supplier’s methodologies to Citi’s,

· Installing and monitoring Engagement Planning tools and methods,

· Identifying and documenting change requirements,

· Verifying conformance to requirements and Engagement deliverables

· Managing Supplier tasks across the Services, coordinating with appropriate Citi Personnel,

· Preparing Engagement Proposals as appropriate,

· Where applicable, including an estimate of on-going operations and support costs for the Application(s);

To the extent applicable in each Engagement, reducing the number of interfaces, reusing objects, enabling Application portability and recommending commercially available third party products requiring little or no customization;

Monitoring Engagement resource priorities, and resolving conflicting priorities;

Assessing technology risks;

Performing cost and schedule variance analysis;

Pricing/costs:

· Developing pricing structure for Engagements

· Ensuring that Engagement costs are contained and properly accounted/reported;

For Engagement changes:

· Receiving, monitoring and reporting change requests and keeping a change log,

· Estimating time and costs for changes,

· Identifying and communicating changes,

· Conducting walk-through reviews of all changes and Enhancements,

· Maintaining System change request status;

232

Assisting and fully cooperating with third parties that have been selected to implement Engagements;

Providing status reports, which summarize performance to schedule, delivered functionality, outstanding issues, accomplishments, planned deliverables, planned deliverables which were not accomplished, and risks;

Supporting and participating in account management committees and the procedures adopted by the Parties to charter each such committee;

Participating in related Citi business planning meetings upon request to review operations and business plans and recommend appropriate IT services to support plan execution;

Managing the integrity of Engagement documentation and products, including describing how documents can be accessed, how changes to the documents will be coordinated, and the versions of documents that will be preserved;

Continually enhancing its global capabilities and knowledge base by using the feedback from Citi’s Proposal/Engagement reviews and lessons learned.

Customer Service Request (CSR) Estimates

Citi will prioritize each proposed Engagement based on business benefits. Supplier will complete a Customer Service Request (CSR) for each Engagement.

Citi will sign and date each approved CSR for each Engagement. Citi may select certain open CSRs for detailed estimates.

Citi will determine which CSRs to accept for implementation. Citi acceptance of CSRs shall be given in writing. All CSRs accepted by Citi for implementation shall be included in the Service Level calculations.

Supplier and Citi will review open CSRs by business area on a mutually agreeable schedule.

Supplier’s responsibilities include, but are not limited to:

Logging each Engagement and Enhancement request on a CSR form, to include a functional description of the change, applicable screen samples, report samples, and text descriptions of the new business requirements;

Using a tool to log CSRs that is mutually agreeable to Supplier and Citi. Supplier’s CSR tool shall be made accessible to Citi and authorized third parties;

Obtaining sufficient functional information from Citi to prepare an adequate estimate;

Where applicable, including an estimate of on-going operations and support costs;

Ensuring the final estimation package submitted for acceptance and signing by Citi and contains the correct version of business requirements and technical support documentation;

When required by Citi, providing notification when Supplier begins implementing a CSR;

Ensuring each CSR is completed on time, on or below budget, and meets business requirements;

For issues which consist of business or technical conditions that prevent work from being performed:

· Recording issues on the issue log, and meeting with Citi on a regular basis to resolve those issues,

· Documenting the issue, due date, and person responsible for resolution,

· Maintaining a status of each issue (such as open, deferred, or closed), and recording the final resolution to each issue.

Engagement plans

Engagement Plan

For Application Engagements, Supplier will develop Engagement Plans in accordance with Citi’s engagement methodology that consist of sections as defined in such methodology,

233

including management procedures, Engagement issues, risk mitigation plans, and Work Breakdown Structures (WBS) that are developed and maintained in an Engagement Management tool.

To facilitate completion of the Phases on a timely and cost-efficient basis, Engagement Plans will define the principal tasks which will be completed by Supplier as part of its obligations related to the Phases of the Engagement.

The Engagement Plan critical performance milestones may be modified or amended as provided in the Work Order, this document or pursuant to Citi’s Change and Release Management Processes.

Supplier’s responsibilities include, but are not limited to:

Reviewing Citi’s functional needs to develop, complete and deliver to Citi an initial Engagement Plan, and updating/revising Plan for each Engagement Phase;

Maintaining Engagement Plans in an accurate and timely manner to reflect changes requested by either Supplier or Citi, and subject to Change Management procedures;

Incorporating other Engagement Plans (i.e., sub-Engagement Plans) developed and maintained for specific activities (e.g., Training Engagement Plan) into the overall Engagement Plan;

Including in each Engagement Plan:

· Critical performance milestones and the dates when each milestone will occur,

· A critical path of tasks which is visible for the life of the Engagement,

· The sequence in which the Engagement tasks will be undertaken by Supplier and the dates by which it will complete all Engagement tasks,

· Performance responsibilities that Citi and third parties must perform,

· Tasks in short time intervals (e.g. < 40 hours),

· Constructing/maintaining a Work Breakdown Structure (WBS) to include:

· Identification of dependencies between tasks for the tasks identified in the WBS,

· Estimating work effort and duration required to complete the tasks,

· An appropriate allocation of resources to complete the tasks;

Soliciting feedback from Citi on regular basis from each of the Engagement areas at the task level as Engagements are in process (The responsible lead person for each area will make a judgment of completion level based on the requirements specific to each of the tasks. Status meetings, involving affected organizations, namely Citi, Supplier, and third parties, will be coordinated formally on a weekly basis, or as mutually agreed in writing.);

Tracking percentage of completion (e.g., hours expended/hours budgeted) for Engagement tasks;

Monitoring responsibilities, requirements, Deliverables, issues, and any other element of the Engagement, and communicating with all personnel involved in the Engagement;

Making certain that Engagement procedures and plans satisfy the specifications of the appropriate business requirements and Citi’s Engagement Management methodology, and correcting all Non-Conformities in Engagement procedures and plans.

234

Risk Mitigation Plan (RMP)

Supplier’s responsibilities include, but are not limited to:

Performing reviews at Proposal and Engagement start-up that focus on management of high probability and/or high impact risks (e.g., incompatibility of multi-vendor products) to prevent occurrence of problems related to such risks;

Creating mitigation options to reduce risk and improve quality, and then integrating these options in future methodology releases or used as a baseline for future RMPs;

Preparing an initial RMP and updating/revising plan for subsequent development phases. The RMP will include:

· Who is responsible for managing various areas of risk,

· How the initial identification and quantification outputs will be maintained,

· How contingency plans will be implemented,

· Documented risk management procedures to identify, analyze and respond to risks associated with the Engagement.

Communication Plan

Supplier’s responsibilities include, but are not limited to:

Providing an initial communication plan, and updating/revising the communications plan in subsequent phases. The communication plan will include:

· A description of what information needs to be given to which Engagement stakeholders and the method and frequency of disseminating that information,

· Documentation of how the Engagement team will ensure that information is communicated to persons interested in the Engagement,

· Definition of who, what, where and how the information will be communicated.

Quality Assurance (QA) Plan

Supplier’s responsibilities include, but are not limited to:

Providing an initial Quality Assurance (QA) plan and updating/revising the QA plan in subsequent phases. The QA plan will include:

· Standard measures for QA analysis, including:

· Quality Assurance Reviews — Planned vs. Actuals

· Defects identified by checklists (severity)

· Defects identified by checklists (origin)

· Defects identified by checklists (aging)

· Standard measures for test managers, including:

· Defects identified during testing by phase, date, and severity

· Defects identified during testing by origin and severity

· Defects identified during testing by aging;

· A description for how the Engagement team will address QA, quality control and process improvement during the Engagement to insure that the Engagement will satisfy objectives within constraints;

· Documentation which includes standards and compliance monitoring, major checkpoints, deliverable reviews, test planning and testing strategy, library and configuration management, measurement and audits;

· Documentation for how the Engagement team will ensure that QA and quality control objectives are satisfied within the constraints of the Engagement;

· Using internal and external QA reviewers that are independent of the Engagement;

· Reviewing RMPs as part of the QA Reviews;

235

· Performing QA reviews at the Proposal stage and, based on Engagement risk and complexity, performing reviews at regularly scheduled intervals throughout the life cycle of the Engagement. Reviews will be conducted at the ADM Site where Engagement Deliverables are accessible and team members can be interviewed, and will include:

· Capture of learning points for future process improvements,

· Citi expectation management,

· Engagement management controls (e.g., management of scope, risks, issues, and approval process),

· Stakeholder commitments (Supplier and Citi),

· Team commitments,

· Engagement infrastructure (e.g., Engagement organization, communication, document tracking, etc.).

Staffing Plan

Supplier’s responsibilities include, but are not limited to:

Delivering to Citi (and revising as necessary) a staffing plan specifying each function which Supplier will perform in connection with each Engagement task;

Identifying the personnel who will perform each such function in terms of qualifications, numbers and length of time;

Committing to critical engagement resources retention throughout engagement cycle.

Application change management

Citi may pre-approve routine, minor, or emergency changes as documented in Citi’s Change and Release Management Processes.

Citi may audit Supplier and any of Supplier’s subcontractors to verify the accuracy of Change Management/configuration management including scripts, operational documentation, and Engagement management data, exclusive of cost data or Engagement staff data except as set forth in the Terms and Conditions.

Citi at its discretion may choose to use its internal audit staff or a mutually agreed-to outside independent audit firm to perform these audits.

Supplier’s responsibilities include, but are not limited to:

Receiving, monitoring, and reporting change requests from Authorized Users;

Maintaining a change log for all Change requests, to include current status of change request;

Estimating time and costs for Changes;

Identifying and communicating proposed changes to Change and Release Management Processes approved by Citi ;

Evaluating the impact of the Change(s) to Citi and environment;

Coordinating Changes across the environment with all other affected third parties;

Performing Changes after receiving approval from Citi;

Conducting reviews of Changes with Citi after implementing the changes;

Communicating the results of the Changes to Citi;

Updating the following documents to reflect Application code and/or operational Changes:

· Authorized User training,

· System operation guide,

· System maintenance guide,

· System user guide,

· Design best practices for shared services,

· Business and system requirements documents,

236

· Architecture document,

· Design document,

· Operational playbooks,

· Test plans, cases, and scripts.

Application problem management

Supplier’s responsibilities include, but are not limited to:

Operate Staff to be utilized for L1 / L2 production support (see section “M” for additional details.);

Providing emergency support and crisis management for Applications by Classification as specified in Applications baseline template in order to:

· Reduce production abnormal program terminations (ABENDs) through proactive maintenance, immediately resolve ABENDs, and assist in identification of root-cause for ABENDs with product vendor,

· Correct errors or invalid data,

· Rectify any other problems that may occur with Applications, databases, operating systems, communications facilities or Equipment (i.e., “fix when broken”). This includes taking any action necessary to reinstate both the system and the service to the business, including coordination with mainframe, Application and server operations to restart or amend production schedules due to:

· Late arrival of critical interfaces or Applications, databases or operating systems,

· Equipment or network communications problems;

When a problem occurs with an Application, fully engaging in the multi-Supplier Incident Management processes until a definitive root cause is determined (Regardless of root cause, Supplier shall provide workarounds and/or short term fixes to restore capability to the Authorized Users as quickly as possible.);

Devising short-term work-arounds to contain the impact of problems, even if the problem root cause is not a Supplier-responsible item;

Providing the results of the post-outage review to Citi, and including Citi Personnel and/or other third parties in the review as appropriate, with results of the post-outage review including a root cause analysis and corrective action document;

Creating temporary diagnostic versions of the Software module to identify and isolate problems;

Creating and delivering production Software patches;

Working with third parties and Authorized Users to resolve problems;

Developing and maintaining a database containing all problems and associated Application workarounds (The database shall be electronically accessible to Citi and other third parties (primarily Service Desk personnel) for use in providing short term fixes to end user incidents. The database shall, at a minimum, contain workarounds for all possible system interface communication failures.);

Developing and maintaining a database containing contact information and escalation procedure for each application (The database shall be electronically accessible to all Citi, Supplier, and third parties (primarily Service Desk personnel). In addition, the contact information and escalation procedures shall be easily printed (i.e. one mouse click prints all information for all Applications) for disaster recovery purposes.);

Identify the root cause of problems affecting Application availability or performance even if the root cause is not a Supplier responsible item;

Ensure problem notification in accordance with escalation procedures in Citi’s Incident and Problem Management Processes;

237

Providing support on tracking interface issues, providing issue trouble shooting and resolution, and identifying issue responsibilities, which may involve third party or Citi processes ;

Designing and resolving problems with end user access control on an end-to-end basis (including interfacing with third parties supporting parts of the end-to-end access control.

Application documentation

Supplier’s responsibilities include, but are not limited to:

Maintaining all Application and Authorized User documentation for the Applications as detailed in Citi’s Policy and Procedures. And documenting all Applications Minor Enhancements developed by Supplier in a manner acceptable to Citi in form and content;

Developing and maintaining all documentation on Application systems and services, including all Authorized User related documentation (Where it is determined that documentation is inaccurate (e.g., due to errors, obsolescence, etc.), and as such inaccuracy may affect the Services, Supplier will correct documentation as part of normal day-to-day operational support.);

Providing support, advice and assistance to Authorized Users consistent with current documentation. All documentation maintained by Supplier will be subject to approval by Citi;

Creating and updating on-line Authorized User documentation;

Identifying and documenting runtime improvements;

Creating and updating programming documentation and reference manuals.

Application portfolio management

Supplier’s responsibilities include, but are not limited to:

Ensuring Citi inquiries that may result in Application Enhancements are pre-approved with Citi representatives as part of the Application portfolio management process (Supplier will integrate its processes with Citi’s processes.);

Populating Data into Citi’s Application portfolio management system (i.e., population of Application Data) and maintaining the accuracy of the Data.

Release control

Supplier’s responsibilities include, but are not limited to:

Implementing a formal, effective scheduling of Application releases in compliance with Citi requirements, monitoring the release schedule, and reporting all schedule exceptions to Citi as required by the release management process;

Performing Application modifications, testing and acceptance testing needed to maintain all third party Software Release currency;

Being responsible for Application modifications, testing and acceptance testing needed to maintain Application compatibility with this degree of currency;

Supporting Citi’s process for priority setting, planning and scheduling of releases;

Responsibility for release packaging and Engagement commitments for the Applications;

Following or, with Citi approval, improving Citi’s service delivery and release management processes in accordance with the existing Citi business planning, work authorization, and release management processes;

Providing necessary interfaces during Minor Enhancement testing and implementation phases;

Maintaining source code and version control;

Performing virus scanning and eradication on new and modified Application releases;

238

Distributing and implementing releases;

Coordinating implementation;

Identifying and resolving resource conflicts;

Coordinating Application releases with system owner, deployment manager, and other Citi staff as appropriate;

Implementing, maintaining, coordinating and executing contingency plans;

Defining and controlling production schedules;

Performing installation testing;

Summarizing and reporting test results;

Assisting with Citi acceptance activities;

Enhancements release management:

· Grouping Enhancements into releases to provide cost savings through economies of scale in the testing and implementation tasks and to allow for more rigorous control over the Application configurations,

· Supporting Citi in the prioritization and planning of Enhancements in order to ensure the most efficient scheduling of version releases,

· Coordinating code reuse opportunities;

Managing all license keys for licensed third party Software including license key acquisition from third party and installation on Citi license management servers;

Assisting with the implementation and all Applications enhancements and developments in a manner that prevents disruption to Citi’s business environment.

Source code security

Access to the source code and executables will be based on various security levels (e.g. Authorized User code/password, appropriate role levels and associated privileges, etc.) and will be granted based on approval of Citi.

Supplier’s responsibilities include, but are not limited to:

Maintaining current and prior versions of the Application source code and executables within a secured source code environment;

Adhering to Citi Information Security Standards by implementing appropriate security strategies and practices to address the requirements described in the data, physical, and security standards as described in the MPSA and Citi’s Information Security Policies;

Using version control standards to protect Application source code and executables and ensuring that changes are applied to the correct releases and versions of each system element;

Responsibility for the implementation of all security requests and password change requests associated with Applications code and executables, as approved by Citi;

Installing and maintaining source control Software;

Reporting any security violations;

Assisting third parties in monitoring and safeguarding access to data;

Monitoring and restricting access to source code;

Complying with Ad Hoc, annual audit and regulatory requests;

Performing data/source security audits and reporting test results.

Data interfaces

Application Maintenance Services shall include all data and system interfaces, even when these interfaces are owned by a third party. For those owned by a third party, Services will be performed in accordance with third party license agreements.

239

Citi will review the functional specifications for data interfaces prior to their implementation.

Citi will provide documentation for the data target, the source of the data, the number of files, the number of data elements, the complexity, and the frequency of interface generation.

Supplier’s responsibilities include, but are not limited to:

Working jointly with Citi and its third parties in defining the technical requirements and functional specifications of the application programming interfaces (APIs) as defined within the Engagement scope;

Developing the APIs based upon the functional specifications;

Conforming to documented interface standards set forth by Citi, and supplementing or enhancing Citi’s standards as needed, with input and approval from Citi (This approach will provide Citi with operational interfaces including technical support/consulting, logical network design/operations, data interfaces, Change Management and Problem Management activities.);

Providing all interfaces to new and existing systems including third party Software packages, distributed systems, temporary or transitional interfaces between systems, and data conversions as necessary to provide homogeneous systems;

Developing interfaces in conformance with Citi architecture standards. Any non-conforming standards must be approved in advance through the Change and Release Management Processes;

Providing support on tracking interface issues, providing issue resolution, and identifying issue responsibilities, which may involve third party or Citi processes;

Providing trouble shooting and resolution for interface operation;

Identifying to Citi discrepancies in interfaces operation and interface failures, or incomplete transfers of data;

Documenting data interfaces;

Providing interfaces on developed Software;

Providing temporary or transitional interfaces between systems;

Updating the enterprise data model based on data interfaces.

Existing or new application integration

Supplier’s responsibilities include, but are not limited to:

Ensuring that Applications are integrated across platforms and technologies, to include investigating and communicating the benefits/risks of new technologies, and complying with enterprise infrastructure requirements;

Supporting the integration of existing and new Applications with Supplier or third parties;

Identifying, resolving, and mitigating integration problems and risks via thorough integration architecture planning, integration testing, and regression testing (Integration activities will begin with assessments of the cost/benefits/risks to the proposed integration efforts. This information will be used to further understand the cost/benefit of the solution and evaluation of alternatives.);

Per risk mitigation requirements, risks will be documented and elevated to Citi as appropriate. Integration testing will be followed by regression testing to minimize current and future errors;

Advising Citi of risk issues;

Executing processes and procedures for system integration testing;

Integrating new or modified Applications in testing procedures;

Keeping abreast of Citi and Supplier internal standards;

240

Tracking issue resolution;

Making local modifications to tables and reference data structures for integration into the local environment;

Localizing Applications as required to conform to local language, currency, numeric punctuation, etc. (create specification);

Ensuring compatibility with current Authorized User applications;

Providing expertise, benefits/risks and advisory services to Citi on new technologies.

Intentionally Left Blank

Application continuity

Supplier’s responsibilities include, but are not limited to:

Supporting Continuity Plans (CPs) and procedures and Service Continuity (SC) testing for Applications in the classifications as identified in Applications Baseline Template;

Inventorying Supplier supported Applications, including their Continuity of Business (COB) classifications and locations;

At least annually, reviewing and refining retention policies and practices to ensure compliance with outside regulators and outside audits;

Developing and running processes that will determine/modify the list of Applications, annually subject to Citi’s approval of the list of Applications and Application Classifications;

As part of new Engagements for Applications with the following Classifications (Vital, Critical and Important), performing Application recovery testing every twelve (12) months;

Retesting any unsuccessful annual test within ninety (90) days of the failure;

Developing and maintaining Application COB plan as the Application or business needs change

Implementing COB plans upon the occurrence of disasters.

Authorized user support

General

Supplier’s responsibilities include, but are not limited to:

Providing support, advice and assistance to Authorized Users for all Applications through direct interaction with Authorized Users and through Service Desk referrals/transfers;

Identifying trends in Authorized User problems (e.g., inadequate documentation, cumbersome interfaces, or the need for additional training);

Identifying and reporting to Citi opportunities that may increase Authorized User satisfaction and decrease problems/trouble reports;

Responding to Ad Hoc Authorized User inquiries;

Balancing Authorized User satisfaction versus development productivity in responding to Authorized Users;

Providing support, advice and assistance to Authorized Users as needed to interface with legacy Applications and files;

Documenting requests for Ad Hoc services from Authorized Users.

Levels 1 and 2 Support

Supplier’s responsibilities include, but are not limited to:

241

Providing Application-specific Level 2 Support to Authorized Users, which will include investigating and resolving Authorized User problems, providing technical support and advice, supporting Application installations and answering Authorized User queries;

Providing training to Service Desk personnel providing Level 1 Service Desk support and Level 2 Support before any new Application or functionality is installed into production;

Providing and maintaining systems and/or Authorized User documentation for Applications such that the Service Desk for all Services will be able to resolve most Level 1 and Level 2 Support for Applications without requiring a transfer to Level 3 support.

Level 3 Support

Supplier’s responsibilities include, but are not limited to:

Providing Level 3 support, advice, and assistance to Authorized Users in a manner consistent with Citi’s practices for the Applications prior to the Effective Date;

Providing Citi with a continuously-updated list of Application support personnel who are responsible for Level 3 Support, including contact phone numbers;

Providing clearly defined points of contact, available 7x24, to receive and appropriately respond to notice of Severity 1 and Severity 2 problems from Level 1 Service Desk or Level 2 Support personnel;

Advising Level 1 Service Desk, Level 2 Support personnel and/or Authorized Users of the estimated time required for resolving problems. This resolution time will be consistent with Service Levels;

Providing status updates to the Level 1 Service Desk, Level 2 Support personnel and/or Authorized Users during problem resolution.

Logical database administration (ldba) support

Supplier’s responsibilities include, but are not limited to:

Performing logical database administration (LDBA) functions as required for Application Maintenance Services, with the assistance of appropriate personnel responsible for physical database support Do we need to support Reorg, Image copy and Runstats);

Working jointly with Citi and third parties to support LDBA functions;

Providing appropriate resources and skill sets to support the LDBA functions for the Applications as required;

Assisting in analyzing, performance tuning and maintaining test and production databases;

Reviewing with Citi new Database Management System (DBMS) releases to understand the business and technical impacts;

Identifying and evaluating design considerations;

Analyzing database design and its impact on specific Application modules by developing data models (using a common toolset and central repository), and translating logical models into physical designs so that the data models will meet performance requirements;

Setting up and maintaining test and production databases if and as specified in an applicable Work Order;

Proposing database changes;

Implementing new transactions in existing databases;

Coordinating with Citi to provide design consistency across Applications and to identify data redundancies;

Documenting all changes to databases;

242

Making database changes in a timely manner;

Monitoring and analyzing database activity to proactively identify and prevent potential Incidents and also recommend performance improvements;

Testing impact on Applications of new DBMS Software releases;

Providing system generation for new transactions;

Maintaining data dictionary systems;

Reporting all security violations.;

For Application databases containing Citi Data, the data retention requirements will be documented as specified by Citi. Backup/Restore requirements must also be documented and be in-line with the data retention requirements

Deployment management

General

Supplier’s responsibilities include, but are not limited to:

Responsibility for deployment of ADM Engagements in a manner that minimizes disruption to Citi’s business environment;

Coordinating deployment with Citi system owner, deployment manager, and third parties;

Developing and coordinating contingency plans;

Scheduling deployment dates;

Defining production schedules;

Performing installation testing;

Summarizing and reporting test results;

Installing Equipment and Software per Engagement Plan;

Supporting Application startup activities;

Resolving resource conflicts, including those related to third parties and/or third party Software;

For each Application Engagement, developing a deployment Engagement Plan which addresses the implementation requirements including implementation dates, release dates, testing requirements, criticality of the Application, and impacts and risks to Citi at implementation;

Developing an installation and acceptance plan which incorporates Citi requirements;

Developing back-out or fall-forward plans in the event that problems arise with the deployment (The decision of which method of recovery is used will be determined by the risk involved with the change and with concurrence of Citi.);

Scheduling deployments to minimize the impact to Citi and to occur during scheduled maintenance windows whenever possible;

For Application development performed by third parties, Supplier’s responsibilities include, but are not limited to:

· Resolving Supplier and third party resource conflicts,

· Identifying potential implementation conflicts and coordinating problem resolution with appropriate third parties.

Deployment Engagements Sourced to a third party

Supplier’s responsibilities include, but are not limited to:

In cases where ADM deployment Engagements are sourced to third parties, working with the third parties to create transition plan for deployment and support as well as the appropriate SLAs;

243

Providing transition plans to Citi;

Ensuring that complete documentation (e.g. start-up/shutdown, troubleshooting, configuration, backup/recovery, architecture, process flows, etc.) will be provided;

Ensuring that third parties provide sufficient training to support the Applications;

Assuming support of third party-developed Applications upon receipt of complete Application documentation, necessary hardware, software and tools, and completion of training;

Application operations management

Supplier’s responsibilities include, but are not limited to:

Supporting Citi in determining Application component monitoring requirements and thresholds for Enterprise Operations Monitoring;

Implementing and monitoring an effective and efficient Applications operations environment;

Providing Application operation support services that include third party Software and application support;

Performing data archiving based upon Citi agreed to schedule, at minimum annually;;

Performing database / table updates based upon Citi agreed to schedule;

Performing Application tuning and code restructuring to improve efficiency and reliability;

Adhering to Citi’s standard naming conventions when adding/deleting resources to/from Citi’s hosting/server environment(s);

Supporting production staffs with scheduling, backout recovery, job balancing, production output monitoring for completion and correctness, and monitoring exception logs;

Managing (e.g., create, maintain, delete) third party Software configuration files located on Citi servers;

Planning and executing operational/physical changes to the Application environment to support Application development changes;

Confirming that a reliable Application backup solution is in place and/or implemented for Citi. The backup solution will adhere to Citi’s guidelines and standards;

Performing Application recovery using tools and supported processes as defined by the Application third party or developer, monitor the recovery process, and documenting actions taken;

Creating and maintaining third party Software Authorized User login/logon scripts;

Providing:

· Application monitoring to validate that specified Applications are performing as planned,

· Support for code and content promotion in the pre-production and production environments,

· Application installation support for the Application operations environment,

· Support for Application business owners,

· Performance of computer operations activities to validate that third party Software is performing as planned,

· Logical and physical management activities to validate that third party Software is performing as planned;

Updating system change request status;

Creating and maintaining reasonable documentation for Applications and Authorized User procedures that affect operations;

244

Monitoring production output for correctness;

Prioritizing Application operations during a crisis.

Application quality assurance

Supplier’s responsibilities include, but are not limited to:

Use of a Citi-directed and approved Quality Management methodology while providing engagement management methodology Deliverables and documentation for Tollgates;

Complying with Citi’s Quality Assurance (QA) processes and procedures ;

Delivering standard measures for Quality Assurance (QA) analysis, including:

· Quality Assurance Reviews — Planned vs. Actuals,

· Defects identified by checklists (severity),

· Defects identified by checklists (origin),

· Defects identified by checklists (aging);

Delivering standard measures for test managers, including:

· Defects identified during testing by phase, date, and severity,

· Defects identified during testing by origin and severity,

· Defects identified during testing by aging;

Ensuring compliance with QA procedures

Identifying best QA practices and informing Citi of results

Setting baselines for quality measurement in all ADM environments;

Implementing and managing QA processes and procedures for the delivery of ADM Services, including processes to measure effort, size, schedule and quality

Performing QA reviews and providing Citi with the results;

Designing and maintaining Citi satisfaction scorecards;

Conducting Citi satisfaction surveys; tracking and reporting on the results of these surveys on a periodic basis;

Systematically documenting and incorporating “lessons learned” from Engagements and activities into future work;

Allowing and participating in Quality Assurance audits conducted by Citi or its designates;

Reporting

Citi will work with Supplier to develop a set of status reports that Supplier will be required to provide on a periodic basis.

General

Supplier’s responsibilities include, but are not limited to:

Preparing and providing to Citi periodically (monthly or quarterly at Citi’s direction) a series of performance, financial, utilization and status reports as described in Reports template, and those that Citi reasonably identifies or changes in the future;

Supplier FTE reports shall include, for both Supplier and Supplier Subcontractor personnel:

· Number of FTEs,

· Applications to which the FTEs are assigned,

· The actual hours worked each time period by resource type (e.g., manager, functional analyst, technical analyst, programmer, admin, etc.),

· Major work segment (e.g., modifications, break/fix, liaison to database administration, security, etc.),

245

· Total actual hours worked by Application and/or business area,

· Separate reports (or pages) shall be prepared for each Application and/or business area,

· Hours not worked due to training, illness, holidays or vacations should be separately identified so the total hours reported are at least equal to the number of FTEs times the number of work hours per month,

· Providing the reports to Citi in standard electronic format (e.g., Microsoft Excel),

· Identifying the names of the individuals in each resource type upon request;

Providing trend analysis through review and analysis of trends, exceptions, anomalies and year-to-date comparisons, and other relevant activities;

Performing Ad Hoc reporting, or provide Citi with access to installed Ad Hoc tools to enable Citi to perform Ad Hoc reporting;

Engagement reporting:

· Monitoring, tracking and reporting required actuals and forecasts,

· Developing and publishing Engagement schedules and status reports;

Providing Citi with timely access to repository information in an electronic format including Engagement Plans, status reports, issues lists, etc.

Productivity

Supplier’s responsibilities include, but are not limited to:

Measuring and reporting to Citi the initial level of productivity for all ADM Services within six (6) months after the Effective Date (Such measurement will be subject to approval by Citi, who may use either its own resources or third parties to verify the methodology and data used to produce the measurement. Supplier’s approach to measuring productivity is described in Citi’s Policy and Procedure Guide.);

Maintaining, and if possible, improving, the level of productivity and quality that exists within Citi prior to the Effective Date;

Achieving any and all productivity improvements that may be included within the Resource Baseline projection for ADM Services, as provided in Resource Baselines Attachment;

Providing productivity measures, including:

· The mechanisms for tracking productivity for all ADM Services on an on-going basis and reporting productivity measures to Citi on at least a quarterly basis, the productivity measures to include the level of effort (FTE), elapsed time, and output size (units of work);

· Correlation of productivity measures with quality measures (e.g., Engagements delivered on time and on budget, error rates, etc.), such measurements to be subject to approval by Citi, who may use either its own resources or third parties to verify the methodology and data used to produce the measurements.

Hours of operation

The Hours of Operation can be found in Application Baseline Template.

RESOURCE STAFFING STANDARDS

Supplier and Citi will identify those Supplier team members to be designated Key Employees.

Application development FTEs

Supplier’s responsibilities include, but are not limited to:

Providing FTEs to Citi:

· to support the current mix and workload of the Applications,

246

· Trained and skilled in Citi’s support tools and Citi’s Policy and Procedures Guide,

· Such that the FTEs have appropriate training and capabilities to provide the support required for current and future Applications,

· To meet the delivery projections and service level commitments in support of the in-scope Applications as such Applications may be changed, supplemented or replaced over the Term,

· For discretionary and non-discretionary work,

· In accordance with Supplier’s Transition Plan;

Managing FTEs:

· Managing the activities and time of each FTE to meet requirements while operating under the priorities set by Citi,

· Prioritizing work to focus on non-discretionary tasks as defined by Citi, allowing as much time as possible for discretionary work while fulfilling Service Level responsibilities,

· Such that individual FTE unavailability due to holidays, vacation or sick time will not degrade Supplier’s ability to meet applicable Service Levels;

Knowledge transfer:

· Providing for the knowledge transfer required as the personnel and skill set mix changes over the Term,

· Providing a detailed plan for Citi approval, which describes how knowledge transfer will be accomplished prior to modifying any change in the skill set mix of the resource pool (The plan shall address cross-training of critical resources/roles, as identified by Supplier and agreed by Citi, for those within the team as well as succession planning for resources that leave.);

Reporting to Citi changes in the skill sets, experience and professional characteristics that comprise the FTE team;

Providing and documenting for Citi review training for FTEs:

· A minimum of 40 hours of relevant training per year and an average of 60 hours of relevant training per year,

· Ensuring that within two (2) weeks of FTEs being assigned to Citi, the FTEs hasl received the following minimum training provided by Supplier:

· One half day for Citi Engagement orientation,

· Two (2) days of Citi’s engagement methodology training;

· Three (3) days of training in the base technologies or processes (However, actual job experience in the base technology of at least 3 months may be used as a substitute for the three days of training. Citi will not incur the cost for this training.);

· The minimum training requirements listed above shall be completed prior to engagement commencement and shall not count toward Supplier’s minimum training obligations per year.

Supplier management personnel qualifications

Supplier’s responsibilities include, but are not limited to:

Assigning management personnel to Citi who are fully qualified and professionally certified where appropriate, and dedicated to perform the required Services

Utilizing its Engagement Management team to monitor Engagement quality and mitigate risks so issues can be identified and resolved

Training for Supplier Personnel

Supplier’s responsibilities include, but are not limited to:

247

Providing Supplier Personnel properly trained, certified and experienced to deliver the Services including:

· Personnel trained and skilled in Citi’s support tools and processes set forth in Citi’s Policy and Procedures Guide,

· Training Personnel for new products and services introduced using the Change Management Procedure prior to implementation of such products and services in the Business Units;

Employing a training and education program proposed by Supplier and reviewed by Citi to further develop and maintain the requisite skills and technical knowledge for Supplier personnel supporting this Agreement;

Proactively planning with Citi and providing relevant Citi business training per year to Supplier’s Personnel.

248

Appendix 7 - Service Levels

1. Introduction

1.1. For Existing Work Orders, the Service Levels in such Work Orders shall continue to apply as set forth therein through the Completion Date set forth therein or December 31, 2015, whichever is earlier, and shall as of such earlier date automatically be considered revised as necessary to accord with this Appendix 7.

1.2. Each New Work Order (other than those for Staff Augmentation Services that are provided under the direct, day-to-day supervision of Citi) and each extension of an Existing Work Order shall include Service Levels and KPIs such that the Services are provided at a “best in class” level (as agreed by Citi and Supplier, working towards a high industry standard) and, at a minimum, in the event that service levels for such Services were tracked by Citi or its other service providers prior to the effective date of such New Work Order, at least equal to such service levels, and Citi and Supplier will negotiate the appropriate Service Levels, Service Level Credit Allocations, Performance Components, Performance Targets, Performance Target Bases, Service Level Credits, Reporting Events, Reporting Frequencies; Reporting Levels and, as applicable, the Performance Commencement Dates, the Production Periods, Stages, and Turnaround Targets and any measuring and monitoring tools (collectively, the “Service Level Metrics”), which shall all be set forth in a schedule to the applicable Work Order, using the template included as Appendix 3.2 (Form of Work Order) of the Agreement. If and to the extent Citi agrees to an exception to this Section 1.2 of this Appendix 7 for any particular Work Order, such exception must be expressly defined in the Work Order and clearly limited in scope and duration in order to be valid.

1.2.1. The Service Level Metrics for New Work Orders and for extensions of Existing Work Orders involving ADM Services and L3 Support Services (as referenced in each Work Order) shall be based on those set forth on Appendix 7(a)(i) (Standard Service Levels for Application Development and L3 Support Services), as supplemented by the Parties in the New Work Orders.

1.2.2. The Service Level Metrics for New Work Orders and for extensions of Existing Work Orders involving Services for Testing Services (as referenced in each Work Order) shall be based on those set forth on Appendix 7(a)(ii) (Standard Service Levels for Testing Services), as supplemented by the Parties in the New Work Orders.

1.2.3. The Service Level Metrics for New Work Orders and for extensions of Existing Work Orders involving Services for L1 and L2 Support Services (as referenced in each Work Order) shall be based on those set forth on Appendix 7(a)(iii) (Standard Service Levels for L1 and L2 Production Support Services), as supplemented by the Parties in the New Work Orders.

2. General

2.1. Supplier shall provide each Service in a manner that meets or exceeds the Performance Targets for the Service Levels and KPIs applicable to that Service.

2.2. Whether a Performance Target has been met or exceeded will be determined by comparing the actual measure, using the Performance Target Basis, of the Performance Component for such Service Level or KPI for the applicable Reporting Level against the applicable Performance Target for the applicable Reporting Window.

2.3. Supplier’s performance will be measured against the Performance Target, and Supplier’s obligations pursuant to Section 2.1 above of this Appendix 7 shall apply to the period of time beginning on the Performance Commencement Date and shall continue through the completion of the applicable Work Order(s). For the avoidance of doubt, for Service Levels for which the Reporting Window includes the Production Period, such obligations shall also apply to the Production Period.

249

3. Definitions

3.1. Allocation Pool means [***] of the At-Risk Percentage, except for Work Orders for which Service Levels do not apply and except to the extent a higher percentage is otherwise specified in the applicable Work Order.

3.2. At-Risk Amount means the amount of Service Fees payable under a Work Order multiplied by the At-Risk Percentage to determine the maximum amount of the Service Level Credit associated with a Service Level Default, which shall be the amount of Fees apportioned to the relevant Reporting Window provided that:

3.2.1. where a Performance Target measures performance at one Stage to assess the quality of performance in prior Stages (e.g., Defect Density or Defect Leakage), the At-Risk Amount shall be the cumulative Fees paid or payable for the month(s) and/or the milestone(s)/Deliverable(s) up through and including the Stage at which the applicable Performance Target is measured; and

3.2.2. in no event shall the total Services Credits paid or payable under a Work Order exceed the product of the At-Risk Percentage and the total amount of Fees paid or payable for such Work Order.

3.3. At-Risk Percentage means [*********************] for ADM Services, except for Work Orders for which Citi agrees that Service Levels do not apply and those Work Orders for which Supplier agrees to a higher “At Risk Percentage.” If a Work Order refers to the “At Risk Amount” as a percentage, rather than an amount, then such percentage shall be treated as the “At Risk Percentage”, and the “At Risk Amount” for such Work Order shall be as defined in Section 3.2 (At-Risk Amount) of this Appendix 7.

3.4. Interim Reporting means those portions of the Reports (as such term is defined in Section 5.1 of this Appendix 7) delivered for Reporting Frequencies during which the applicable Stage (or work on the applicable milestone/Deliverable) remains uncompleted for those Service Levels for which the Reporting Event indicates that cumulative reporting will apply (e.g., a Reporting Event that is “Monthly Stage Cumulative”).

3.5. KPIs means the key performance indicators, or the key measures, used to determine the overall efficiency and effectiveness of the Services. Default KPIs for ADM Services are set forth in Appendix 7(a)(iv) of this Appendix 7, which includes the KPI definitions and formulas followed for the KPI metrics.

3.6. Performance Commencement Date means the date starting from which Service Level and KPI measurements under a Work Order are measured and Service Level Credits apply. Unless otherwise specified in a Work Order, the Performance Commencement Date shall be the Effective Date of the applicable Work Order(s) except for new or modified Service Levels to the extent that the Performance Targets remain to be determined or are increased pursuant to Sections 9.2 and 9.3 of this Appendix 7, in which case the Performance Commencement Date for the new or increased Performance Target shall be the date immediately following the Reporting Window that led to the determination or increase of the Performance Target.

3.7. Performance Component means the detail or component for which performance is measured by the Service Level and/or KPI (e.g., schedule variance, defect density).

3.8. Performance Target means the performance level requirement for a particular Service Level or KPI

3.9. Performance Target Basis means the unit of measurement (count, percentage) used to calculate performance of the Service Level or KPI.

3.10. Production Period means, when the Stage is “Production,” the duration of time after the Deliverable has been placed in Citi’s production environment for which the applicable Service Level or KPI performance is measured (e.g., number of days, number of months, “Post Go-Live”).

3.11. Report has the meaning set forth in Section 5.1.

3.12. Reporting Event means the trigger for measurement of a Service Level or KPI, which shall be set forth in the Work Order and may be completion of a Stage,

250

completion of a milestone, completion of a month or other period of time and/or of such other state of performance.

3.13. Reporting Frequency means the frequency at which performance measurements will be calculated and reported, which shall be monthly unless otherwise explicitly set forth in the applicable Work Order.

3.14. Reporting Level means the level at which the Service Level or KPI will be calculated (e.g., at the application level (i.e., per individual application) or at the Work Order level (cumulatively for all applications serviced/supported for the Work Order)).

3.15. Reporting Window means the period of time covered in a Report, which will be the period of time from the beginning of Supplier’s work to achieve the Reporting Event through the Reporting Event. For instance, for a Service Level with a Reporting Event that is identified as “Monthly (Stage Cumulative)” where the Stage commenced on the 15th of January and was completed in mid-July, the monthly reports covering January through June will have a Reporting Window beginning on the 15th of January and ending with the most-recently completed month, while the report for July will have a Reporting Window beginning on the 15th of January and ending with completion of the Stage. By contrast, for a Service Level with a Reporting Event that is identified as “Monthly”, the Reporting Window shall be the applicable month.

3.16. Service Levels means the metrics and performance standards that will apply to the provision of the Services, including (i) those set forth in the Agreement and the Work Order and (ii) any other metrics and performance standards relating to the Services as may be mutually agreed upon by the Parties in the Work Order.

3.17. Service Level Credit has the meaning set forth in Section 7.2.

3.18. Service Level Credit Allocation (or “Service Level Weight”) means the portion, expressed as a percentage, of the Allocation Pool applied to a particular Service Level. In the event that the Work Order does not specify a percentage allocation, the Allocation Pool shall be [*******] across the Service Levels. No one Service Level may have a Service Level Credit Allocation assigned to it of more than [*************].

3.19. Severity Level means the category of impact that a particular event, incident, defect, or other problem may have on Citi’s business or operations. Specific Severity Levels applicable to ADM Services under this Agreement are defined below:

3.19.1. Severity Levels covering ADM Services, Level 3 Support Services, and testing Services shall be defined as follows:

3.19.1.1. Severity 1 (or “SEV1”): Critical impact. The impact of the defect is very severe and testing and/or implementation cannot proceed without resolving the problem.

3.19.1.2. Severity 2 (or “SEV2”): Major impact. The impact of the defect is severe, and an interim solution is not available for the system to go into the production environment without resolving the problem.

3.19.1.3. Severity 3 (or “SEV3”): Moderate impact. The impact of the defect is not severe, and an interim solution is available for the system to go into the production environment without resolving the problem. These are also the defects that could potentially be resolved via documentation.

3.19.1.4. Severity 4 (or “SEV4”): Low Impact. Defects that does not need to be corrected immediately or can be considered as requirements for the next release.

3.19.2. Severity Levels covering Level 1 Support Services and Level 2 Support Services (“Production Support”) shall be defined as follows:

3.19.2.1. Severity 1 (or “SEV1”): Critical impact. Production issue resulting in total or substantial loss, inaccessibility, or unusability of service, impeding mission critical operations, and/or deemed to be an emergency by Citi. No

251

workaround or manual process available or acceptable. Examples include but are not limited to: system outage, system crashes or hangs indefinitely, data integrity compromised or likely to be compromised, failure of back-up or recovery operations, issue causing or likely to cause security incident, significant financial impact, disruption of multiple users or services, or impediments to impending deadlines (end of day, end of quarter, etc.), etc.

3.19.2.2. Severity 2 (or “SEV2”): Major impact. Production issue resulting in restricted or impaired access or usability of service, but that does not render the services completely inaccessible or unusable. No workaround or manual process available or acceptable. Examples include, but are not limited to: function, feature or other failure that requires ongoing intervention to maintain productive use, slow response time, slow performance, etc.

3.19.2.3. Severity 3 (or “SEV3”): Moderate impact. Production issue resulting in partial or limited loss of non-critical functionality, but no impact on essential operations, significant business processes, production, or productivity, and no material restriction of use or access. Stable and acceptable workaround or manual process available. Examples include, but are not limited to: non-critical service is partially degraded, individual users’ access or use is partially disrupted, etc.

3.19.2.4. Severity 4 (or “SEV4”): Low Impact. Production issue with no impact on the delivery, quality, performance, or functionality of the service. Stable and acceptable workaround or manual process available. Examples include, but are not limited to: questions of general usage, installation, configuration, or integration, enhancement or cosmetic suggestions for future improvement, etc.

3.20. Stage means a stage in the Services life cycle (e.g., for ADM Services, SIT, UAT, Production, etc.).

3.21. Tickets means actionable events that are to be logged and tracked in Citi’s Systems (e.g., ticketing or email systems). For clarity, all of the following are included in the definition of Tickets: notification emails, requests, incidents, problems, system alarms, system alerts and other like events.

3.22. Turnaround Target means the timeframe within which a task must be performed. For example, if the Service Level requires that a Severity 1 Ticket be acknowledged no later than 15 minutes from notice, then “15 minutes from notice” is the Turnaround Target for acknowledgement of a Severity 1 Ticket. The Turnaround timeframe for ADM Services is measured from the point of the initial notification or the time of logging into the system, whichever is earlier, of a Defect (e.g., where the Service Level is Defect Resolution Performance) or a Ticket (e.g., where the Service Levels are for Production Support).

3.23. Working Day has the meaning set forth in Section 6.1 of this Appendix 7.

4. Service Level Measurement and Formulas

4.1. For the measurement of Service Levels and KPIs, Supplier shall:

4.1.1. be responsible for measuring and reporting performance. Such measurement and reporting shall provide the level of detail sufficient to verify compliance with the Performance Targets and shall be subject to audit by Citi;

4.1.2. provision, implement, maintain and support tools required to measure performance; and

4.1.3. be solely responsible for the collection, measurement and analysis of data pertaining to the Service Levels and KPIs as reflected in any Service Level Metrics or other relevant reports. Citi shall be responsible for coordinating the collection of data from sources that are beyond the control of Supplier.

4.2. Failure to properly measure and report performance with respect to any particular Service Level or KPI as per the applicable Reporting Window will be deemed to be a Service Level Default with respect to such Service Level or KPI, provided that

252

Supplier will be given notice and a thirty (30) day opportunity to cure each such failure (but no cure period shall apply with respect to any subsequent failure to properly measure and/or report performance with respect to the same particular Service Level or KPI).

5. Service Level Reporting

5.1. For Service Level reporting, and any other reporting requirements as defined in the Work Order, Supplier shall provide Citi with a set of hard and/or (at Citi’s request) soft-copy reports on Supplier’s performance against the Service Levels and KPIs for each Reporting Level as per the Reporting Frequency (each, a “Report”). Each such Report will cover only those Service Levels and KPIs (a) for which a Reporting Event has occurred since the previous Report or (b) for which Interim Reporting applies. In each Report, Supplier will (i) notify Citi of any Service Level Credits to which Citi is entitled or, with respect to Interim Reporting, would be entitled if Sections 7.1 and 7.2 applied to Interim Reporting, if such reporting is called for in the applicable Work Order; and (ii) describe any Service Level Default that has occurred. Each Report shall be submitted no later than five (5) Business Days after the completion of the period covered by the Reporting Frequency. Supplier shall upload the same onto Citi SharePoint or any other Citi online portal that Citi may designate. Supplier will make such Reports accessible to Citi online at all times. Detailed supporting information for each Report will be provided to Citi as reasonably requested by Citi.

5.2. For avoidance of doubt, the raw data and detailed supporting information will be owned by Citi and considered Citi Confidential Information in accordance with the terms of the Agreement.

6. Time Periods

6.1. Except as otherwise specified, all references to hours, time, days, months and quarters will be according to the applicable Work Order. “Working Days” shall mean the days Services are required to be provided by Supplier pursuant to the coverage set forth in the Work Order and may, therefore, include days that are not Business Days.

7. Service Level Defaults, Credits and Termination Events

7.1. Service Level Default — In the event that Supplier fails to meet a Performance Target for a Service Level for a Reporting Level during a Reporting Window (other than a Reporting Window for Interim Reporting, unless otherwise set forth in the Work Order), other than because of an Excused Event (as defined in Section 10 below of this Appendix 7 (Service Levels)) (such unexcused failure, a “Service Level Default”), Supplier will be required to provide Service Level Credits to Citi, as further detailed in Section 7.2 of this Appendix 7 (Service Levels).

7.2. Service Level Credits

7.2.1. Service Level Defaults shall result in a “Service Level Credit” to Citi computed as follows:

7.2.1.1. Service Level Credit = A x B, where A = the Service Level Credit Allocation for the Service Level for which the Service Level Default has occurred and B = the product of (x) the applicable At-Risk Percentage and (y) the applicable At-Risk Amount.

7.2.1.2. For example, if a Service Level Credit Allocation of [***] is assigned to a Service Level for which a Service Level Default occurred, [************] and the applicable Service Fees are $[****], the Service Level Credit for such Service Level Default will be [*******************************].

7.2.2. A Service Level Credit shall accrue for each Service Level Default; provided that in no event will the total amount of Service Level Credits actually credited to Citi with respect to Service Level Defaults occurring in any single Reporting Window (other than a Reporting Window for Interim Reporting, unless otherwise set forth in the Work Order) exceed, in the aggregate, the product of the applicable At-Risk Percentage and the applicable At-Risk Amount for such Reporting Window.

253

7.2.3. In the event Citi is entitled to a Service Level Credit, the amount of such Service Level Credit will be set forth as a credit note to Citi on Supplier’s invoice for the first full month immediately following the Reporting Window (other than a Reporting Window for Interim Reporting, unless otherwise set forth in the Work Order) in which the applicable Service Level Default has occurred.

7.2.4. The Parties acknowledge and agree that the Service Level Credits are intended to incentivize Supplier’s compliance with the Performance Targets for the Service Levels and will not be deemed as liquidated damages or as any other remedy to address a breach or other failure by Supplier to comply with its obligations under this Agreement or any Work Order. In the event that a Service Level Credit is paid for the same breach that results in a claim by Citi for Damages, such Service Level Credit shall be returned to Supplier in the form of a credit against such Damages.

7.2.5. When the Work Order expires or is terminated, Supplier shall issue a credit note to Citi for an amount equal to the total of any unused Service Level Credits no later than sixty (60) days after such expiration or termination, or within such other timeframe required pursuant to written notice by Citi. Such credit note may be applied toward any other Work Orders.

7.3. Service Level Termination Event. Notwithstanding the application of any Service Level Credits, Citi shall also retain all other rights and remedies available to Citi under this Agreement or at law or in equity, including the right to terminate any specific Service or Work Order for cause pursuant to Section 2.2.2(a) (For Cause) of the Agreement if:

7.3.1. Supplier fails to meet the same Service Level’s Performance Target for [***************] Reporting Windows or any [****************] out of any [******************] Reporting Windows; or

7.3.2. Service Level Credits earned by Citi and, in the case of Interim Reporting, the Service Level Credits that Citi would have earned during such month if Sections 7.1 and 7.2 applied to Interim Reporting [****************************] for [****************] or [***********] out of any period of [*****************] Reporting Windows; or

7.3.3. In any period of [*****************], Citi has earned Service Level Credits that, together with any Service Level Credits that Citi would have earned during such months if Sections 7.1 and 7.2 applied to Interim Reporting, [*************************************************************].

8. Root Cause Analysis. Each time Supplier fails to meet a Performance Target for a Service Level or KPI, Supplier shall promptly:

8.1. Conduct a root cause analysis of the failure and deliver to Citi a written report identifying such root cause(s),

8.2. Discuss with Citi the root cause(s) of the failure and Supplier’s position with regard to such root cause(s),

8.3. Correct the problem and begin meeting such Service Level as soon as practicable, and

8.4. Regularly advise Citi of the status of such corrective efforts. All Service Level Metrics remain in effect notwithstanding Supplier’s use of commercially reasonable practices to correct any performance problem.

9. Changes to Service Levels

9.1. Citi may make additions, modifications and deletions to Service Level Metrics or KPIs (and their Performance Targets) under any Work Order by giving written notice to Supplier at least thirty (30) days prior to the proposed effective date of the proposed addition, modification or deletion. The Parties will reach mutual agreement to any changes pursuant to Sections 9.1 or 9.2 of this Appendix 7 (Service Levels).

9.1.1. Unless otherwise agreed for a specific Work Order, Performance Targets for New Work Orders, for Existing Work Orders from and after December 31, 2015, and

254

for any renewals of Existing Work Orders prior to such date shall be set as follows.

9.1.1.1. Where Citi or one of its other service providers has collected four (4) or more months of performance data relevant to the Service or Service Level, the Performance Target shall be set based on [*************************] (or, if [**************************************************] for which data is available).

9.1.1.2. Where [***********************] data is available for a particular Service or Service Level, Supplier will provide Citi with information on the [**************************] to [*******] for the same or similar Services for other engagements (within and outside of Citi) for the purpose of developing appropriate Service Levels Metrics. The Parties will attempt, in good faith, to agree on Service Level Metrics using [*********], as well as [********************************].

9.1.1.2.1. If the Supplier fails to provide the necessary benchmark data, or the Parties cannot reach agreement as set forth above, Citi will assign a Performance Target using the performance data Citi has collected from its other service providers, industry standards, and other third party research.

9.1.2. Citi and the Supplier may mutually agree to modify existing Service Level Metrics or to add new Service Level Metrics pursuant to Sections 9.1 and 9.2 of this Appendix 7. Any change to Service Level Metrics will be subject to Citi’s review and written approval.

9.1.3. When adding or deleting a Service Level, Citi will modify the Service Level Credit Allocation to ensure the total Allocation Pool for all Service Levels remains equal [******]. Modification of the Service Level Credit Allocations will not require any new or additional baselining of the Service Levels or any change in the Fees.

9.2. Eligibility for Upward Adjustment.

9.2.1. Citi expects Supplier to continuously improve its performance capabilities resulting from the use of improved technologies and processes to perform the Services.

9.2.2. Whenever the average of the measurements across the previous [*************] has exceeded (i.e., has improved, it being understood that, for instance, having a smaller percentage of errors than the maximum number specified in a Service Level is exceeding that Service Level) the existing Performance Target for a Service Level, Citi may, on thirty (30) days’ notice, increase the Performance Targets for that Service Level for future Reporting Windows to the average of the measurements for the [*******************], but shall not increase the Performance Target by more than [****************] of the difference between the then-current Performance Target and the ideal level, which: (a) would be [*****************] measured in percentage for which a higher percentage is better for Citi (e.g., a minimum accuracy level), (b) [******************] measured in percentage for which a lower percentage is better for Citi (e.g., a not-to-exceed inaccuracy level), (c) [*********************] for Performance Targets not measured in percentage for which the Performance Target is a minimum level and (d) [***************] amount for Performance Targets not measured in percentage where the Performance Target is a not-to-exceed level (e.g., 0 Working Days where the Performance Target is that something must be accomplished within 3 Working Days).

9.2.2.1. For example, in the instance of a Service Level where the existing [****************] and the average measured performance (as calculated under this Appendix) of the [*************************], the Performance Target may not be increased by Citi to an at least percentage higher than [****].

255

9.2.3. If the average measurement for the [**********************] is [***************], it being understood that, for instance, having a larger percentage of errors than the maximum number specified in a Service Level is [*****] than the Performance Target), the Performance Target will [*********] and [*****************].

10. Excused Events

10.1. Subject to Sections 10.2 and 10.3 below of this Appendix 7, Supplier will be excused for failure to meet a Performance Target, and such failure will not be used for purposes of calculating Service Level Credits to the extent that such failure is caused by any one or more of the following (each, an “Excused Event”):

10.1.1. a force majeure event

10.1.2. a material breach of the Agreement by Citi, the willful misconduct of Citi or its Personnel, or a violation of law by Citi or its Personnel.

10.1.3. Citi’s failure to perform or delay in performing a Citi responsibility set forth in the Agreement or the Work Order to provide any Citi resources, or to perform one of its responsibilities that has a direct, significant adverse effect on Supplier’s ability to provide the Services in accordance with the applicable Service Level

10.1.4. a failure of Citi’s third party supplier responsible for performing a third party responsibility that has a direct, significant adverse effect on Supplier’s ability to provide the Services in accordance with the applicable Service Level

10.2. In order for Sections 10.1.3 and 10.1.4 of this Appendix 7 to apply, Supplier must demonstrate that Citi’s or said third party’s failure or delay was the direct cause of Supplier’s inability to perform in accordance with the applicable Service Level and that such failure or delay is not attributable to Supplier’s failure or delay in performing any obligation.

10.3. To qualify for any Excused Event as described hereunder, Supplier must take reasonable steps to mitigate the effects of delays in performance or failures to perform, must notify Citi and escalate concerns to Citi management in a timely manner, and must provide to Citi satisfactory (in Citi’s reasonable judgment) evidence of the applicability of the claimed Excused Event. Supplier must further document (in a Ticket or otherwise) the event and the steps taken, and must retain responsibility for seeing it through to resolution

256

Appendix 7(a)(i)

Standard Service Levels for Application Development and L3 Support Services

Service Level Name	Service Level Description	Performance Formula for Measuring Service Level
Schedule Variance	Supplier’s ability to provide Deliverables according to the planned schedule in the Project Plan or as otherwise agreed.	Schedule Variance% = [(Actual delivery date - Planned delivery date) /(Planned delivery date - Planned start date )] *100 Or Schedule Variance = Actual delivery date - Planned delivery date
Defect Density	Supplier’s ability to provide quality code based Deliverables (i.e., without Defects). Note: The At Risk Amount for this Service Level will be the cumulative Fees paid and payable to the Supplier through the Stage at which the applicable Performance Target is measured.	Defect Density% = [(Number of Defects for the given Stage and the Service Level Defect Severity)/(Deliverables size)] *100 Or Defect Density = Number of Defects for the given Stage and the Service Level Defect Severity for the given Deliverables
Defect Resolution Performance	Supplier’s ability to provide resolutions/fixes for Defects (including L3 support tickets) accurately (e.g., correct the first time) and efficiently (e.g., within the agreed time).	Defect Resolution Performance% = [(Number of Defects for the given Service Level Defect Severity and the given Stage that adhered to the performance requirement for the given period)/(Number of total Defects for the given Service Level Defect Severity Level, for the given Stage for the given period)] *100

257

Appendix 7(a)(ii)

Standard Service Levels for Testing Services

Service Level Name	Service Level Description	Performance Formula for Measuring Service Level
Schedule Variance	Supplier’s ability to provide Deliverables according to the planned schedule in the Project Plan or as otherwise agreed.	Schedule Variance% = [(Actual delivery date - Planned delivery date) /(Planned delivery date - Planned start date )] *100 Or Schedule Variance = Actual delivery date - Planned delivery date
Test Coverage Variance	Supplier’s ability to test all functionality/requirements.	Test Variance Coverage% = {[(Number of signed-off requirements for the given Stage) - (Number of signed-off requirements with >= 1 test case for the given Stage)] / (Number of signed-off requirements for the given Stage)} *100
Defect Rejection	Supplier’s ability to identify valid Defects.	Defect Rejection% = [(Number of invalid Defects found in the given Stage) / (Number of total Defects found in the given Stage)] *100 Or Defect Rejection = (Number of total Defects found in the given Stage - Number of valid Defects found in the given Stage)
Defect Leakage	Supplier’s ability to identify all identifiable Defects in the given Stage, as evidenced by the lack of Defects identified in the subsequent Stage(s). Note: [******]	Defect Leakage% = [(Number of Defects for the given Stage and the Service Level Defect Severity)/(Total post delivery Defects till the given Stage)] *100 Or Defect Leakage = Number of Defects for the given Stage and the Service Level Defect Severity

258

Appendix 7(a)(iii)

Standard Service Levels for L1 and L2 Production Support Services

Service Level Name	Service Level Description	Performance Formula for Measuring Service Level
Severity 1 Ticket Performance	Supplier’s ability to respond to/ acknowledge, escalate, resolve and/or analyze Severity 1 Tickets.	Severity 1 Ticket Performance% = [(Number of Severity 1 Tickets that adhered to the performance requirement for the given period)/(Number of total Severity 1 Tickets for the given period)] *100
Severity 2 Ticket Performance	Supplier’s ability to respond to/ acknowledge, escalate, resolve and/or analyze Severity 2 Tickets	Severity 2 Ticket Performance% = [(Number of Severity 2 Tickets that adhered to the performance requirement for the given period)/(Number of total Severity 2 Tickets for the given period)] *100
Severity 3 Ticket Performance	Supplier’s ability to respond to/ acknowledge, escalate, resolve, and/or analyze Severity 3 Tickets	Severity 3 Ticket Performance% = [(Number of Severity 3 Tickets that adhered to the performance requirement for the given period)/(Number of total Severity 3 Tickets for the given period)] *100
Severity 4 Ticket Performance	Supplier’s ability to respond to/ acknowledge, escalate, resolve and/or analyze Severity 4 Tickets	Severity 4 Ticket Performance% = [(Number of Severity 4 Tickets that adhered to the performance requirement for the given period)/(Number of total Severity 4 Tickets for the given period)] *100
Overall Ticket Performance	Supplier’s ability to respond to/ acknowledge, escalate, monitor and/or resolve overall Tickets. Resolution may be measured as (i) overall resolution, (ii) resolution without rework (i.e., first time right) and/or (iii) resolution upon first contact with end-user (i.e., first contact resolution).	Overall Ticket Performance% = [(Number of Tickets that adhered to the assigned performance requirement for the given period)/(Number of total Tickets for the given period)] *100 When the Performance Component is: · First Time Right, the performance requirement measured is the number of Tickets resolved correctly on the first occurrence / notification, without requiring rework · First Contact Resolution, the performance requirement measured is the number of Tickets resolved upon the first contact with the end-user · Alerts and Notification Emails Monitoring, the performance requirement measured is the number of alerts and notification emails correctly monitored as per the defined schedule. For the purpose of this performance measurement, the “number of total Tickets” is the count of alerts and notification emails for which the monitoring requirement has been defined
Batch Job Success Rate	Supplier’s ability to successfully monitor and/or complete batches and/or feeds within the defined schedule	Batch Job Success Rate% = [(Number of batches and/or feeds successfully monitored and/or completed in the production environment as per the defined schedule for the given period) / (Number of total batches and/or feeds scheduled in the production environment for the given period)] * 100

259

Appendix 7(a)(iv)

Key Performance Indicators (KPIs) for ADM Services

KPI Name	KPI Description	Performance Formula
KPIs APPLICABLE TO ANY ADM SERVICES
Onsite Personnel Ramp Up Efficiency	Supplier’s ability to ramp up onsite resources at Citi location(s) specified in Work Order within the timeframe specified by Citi. May apply to new resources or existing or known resources newly assigned to a project.	Onsite Personnel Ramp Up Efficiency% = [(The number of resources ramped up onsite in the specified timeframe)/(The total number of resources required/planned for ramp-up onsite in the specified timeframe)] * 100
Offshore Personnel Ramp Up Efficiency: Citi Location	Supplier’s ability to ramp up resources at Citi offshore location(s) specified in Work Order within the timeframe specified by Citi. May apply to new resources or existing or known resources newly assigned to a project.	Offshore Personnel Ramp Up Efficiency% = [(The number of resources ramped up at offshore Citi location in the specified timeframe)/(The total number of resources required/planned for ramp-up at offshore Citi location in the specified timeframe)] * 100
Offshore Personnel Ramp Up Efficiency: Supplier Location	Supplier’s ability to ramp up resources at Supplier offshore location(s) specified in Work Order within the timeframe specified by Citi. May apply to new resources or existing or known resources newly assigned to a project.	Offshore Personnel Ramp Up Efficiency% = [(The number of resources ramped up at offshore Supplier location in the specified period)/(The total number of resources required/planned for ramp-up at offshore Supplier location in the specified timeframe)] * 100
Retention of Key Personnel	Supplier’s ability to retain Key Personnel, as identified in the Work Order or Work Order. Attrition includes voluntary resignation, project moves, termination due to performance, termination due to breach of policy, and termination by Services Provider. Attrition does not include request by Citi to reduce team size.	Retention of Key Personnel = {1 - [(The number of Key Personnel planned departures from the engagement in any one three month period) + (The number of Key Personnel unplanned departures from the engagement in any one three month period)] / (The average number of Key Personnel accounted to provide Services)} Average number of Key Personnel = (Number of Key Personnel at the beginning of the three month period + Number of Key Personnel at the end of the three month period) / 2
Retention of Project Resources	Supplier’s ability to retain Personnel, including Key Personnel. Attrition includes voluntary resignation, project moves, termination due to performance, termination due to breach of policy, and termination by Services Provider. Attrition does not include request by Citi to reduce team size.	Retention of Project Resources = {1 - [(The number of planned departures from the engagement in any one three month period) + (The number of unplanned departures from the engagement in any one three month period)] / (The average number of Supplier Personnel accounted to provide Services)} * 100 Average number of Supplier Personnel = (Number of Supplier Personnel at the beginning of the three month period + Number of Supplier Personnel at the end of the three month period) / 2
Key Personnel Succession Planning	Supplier’s ability to implement succession planning for Key Personnel	Key Personnel Succession Planning% = (Number of Supplier Key Personnel with a documented succession plan / Total number of Supplier Key Personnel) * 100

260

KPI Name	KPI Description	Performance Formula
KPIs APPLICABLE TO ANY ADM SERVICES
Rework of Document Based Deliverables	Supplier’s ability to provide Deliverables that meet Acceptance Criteria. This KPI will capture a measure of the Deliverables provided by Supplier to Citi that do not meet the Acceptance Criteria and require rework.	Rework of Document Based Deliverables% = [(The number of document-based Deliverables rejected or returned for revision(1)) / (The total number of document-based Deliverables provided)] *100 If a document-based Deliverable is rejected or returned for revision more than once, each rejection shall be counted separately. In other words, a document-based Deliverable returned twice before meeting the Acceptance Criteria shall be counted as two returns. The total number of Deliverables, however, shall count each Deliverable only once; no matter how many times an item is returned.
Test Preparation/Design Productivity Improvement	Supplier’s ability to increase the number of test cases prepared/designed (by complexity) in a day. Supplier is expected to improve such productivity over a six month period from the baselined data. Baselined data shall be defined as of the Work Order Commencement Date, and shall be reset semi-annually.	Test Preparation/Design Productivity Improvement = {[(Current number of test cases prepared/designed per day) - (Baseline number of test cases prepared/designed per day)] / (Baseline number of test cases prepared/designed per day)} * 100
Test Execution Productivity Improvement	Supplier’s ability to increase the number of test cases executed (by complexity) in a day. Supplier is expected to improve such productivity over a six month period from the baselined data. Baselined data shall be defined as of the Work Order Commencement Date, and shall be reset semi-annually.	Test Execution Productivity Improvement = {[(Current number of test cases executed per day) - (Baseline number of test cases executed per day)] / (Baseline number of test cases prepared/designed per day)} * 100
Defect Rejection Quality	Measurement of the quality of information provided to the development team about the Defects.	Defect Rejection Quality = [1 - (Number of Defects returned by development team to Supplier for more information, clarification, etc.) / (Number of Defects identified by Supplier)] * 100
Automation Level Variance	Supplier’s ability to automate test cases.	Automation Level Variance% = {[(Number of targeted automated test cases/ Number of regression test cases) - (Number of actual automated test cases/ Number of regression test cases)] / (Number of targeted automated test cases/ Number of regression test cases)} * 100

261

KPI Name	KPI Description	Performance Formula
KPIs APPLICABLE TO ANY ADM SERVICES
First Contact Resolution (Note: if “First Contact Resolution” is included in the Service Levels, please be sure to remove this row from this KPI table. If “First Contact Resolution” is not included in the Service Levels, keep this row in this table as a KPI)	Supplier’s ability to resolve tickets upon first contact with the end-user.	First Contact Resolution% = (Number of Tickets resolved by the Supplier upon the first contact between the end-user and the Supplier / Total number of Tickets received by the Supplier) * 100

The below file shall be used to specify metrics for each Work Order.

262

Appendix 11.1 - Schedule of Supplier’s Time and Material Rates and Role Descriptions

ENTERPRISE RATE CARD

[*********************************]

[*************************************************]

[**********************************************************]

[*****************************]

[**********************************************]

[*********************************************************]

STANDARD SKILLS

Locations

Canada

China

India

USA
(high
cost)*

USA

Ireland(1)

Korea

Singapore

Mexico(2),(3),(4),(5),(6),(7)

Central
America(2),(3),(4),(5),(6),(7)

Brazil(2),(3),(4),(5),(6),(7)

South
America(2),(3),(4),(5),(6),(7)

Project Manager

[***]

Technical Lead / Project Lead

[***]

Senior Developer

[***]

Developer

[***]

Senior DBA

[***]

DBA

[***]

Sr. Systems Engineer

[***]

Systems Engineer

[***]

Business Analyst

[***]

Quality Assurance Test Lead

[***]

Quality Assurance Tester

[***]

Architect

[***]

Senior Architect

[***]

Operations Support

[***]

[******************************]

263

SPECIALTY SKILLS

Locations

Canada

China

India

USA (high
cost)*

USA

Ireland(1)

Korea

Singapore

Project Manager

[***]

Technical Lead / Project Lead

[***]

Senior Developer

[***]

Developer

[***]

Senior DBA

[***]

DBA

[***]

Sr. Systems Engineer

[***]

Systems Engineer

[***]

Business Analyst

[***]

* (high cost locations include: New York, New York)

Specialty Skills

Enterprise Architecture and Service Oriented Architecture

BI / OLAP / DW Tools (ETL, Data Stage, Sagent, Informatica, SAS, Ab Initio)

ERP Skills (Peoplesoft, SAP, Oracle Applications etc.)

CRM (Siebel, Vantive, Remedy, etc.)

[*******************************************************************]

[****************************************************************************]

[*****************************************************************************************************]

[*******************************************]

[******************************************************************]

(7) In addition to ensuring that all Supplier Personnel are fluent in written and spoken Spanish and Portuguese as appropriate to the location for which the Services are provided, Supplier will ensure that Key Personnel supplied by or on behalf of Supplier to provide Services in the LATAM/Mexico regions will be fluent in written and spoken English.

264

ENTERPRISE RATE CARD - For LATAM and Mexico

1. [***************************************************************]

1.1 [****************************************]

1.2 [***************************************************************************]

1.3 [********************************************************************]

Annual Volume Rebate:

Tiered Discount Structure (USD)

Reference from Above	From	Up to	Discount %
[******]	[******]	[******]	[******]
[******]	[******]	[******]	[******]
[******]	[******]	[******]	[******]

1.4 The scenario below further illustrates the rebate structure. Annual volume numbers are purely indicative.

Illustrative Examples

2014 Volume	Rebate to Paid to Citi in Jan 2015 (USD)	Explanation
[******]	[******]	[******]
[******]	[******]	[******]
[******]	[******]	[******]

265

ROLE DESCRIPTIONS

Role	Function Performed	Required Experience	Other Included Roles
Project Manager	· Possesses experience in the overall responsibility for structuring a project, performing the detailed planning, and managing project execution and completion of moderate or large projects · Defines the phase deliverables, tracks milestones and incurred expenses versus planned expenses, schedules roles and resources, evaluates risks and recommends contingency plans · Manages the development of the technical strategy · Assigns resources and tasks, and manages quality assurance, resolution of issues, status reviews and reporting, development of standards, change control, customer support, and compliance with all policies and procedure · Possesses familiarity with Method/1documentation	A minimum of 5 years of project management experience in all phases of systems development from concept through installation and maintenance, a minimum of 3-5 years of experience in required technology
Technical Lead / Project Lead	· Structures the technical work of a portion of a project or a small project · Provides technical leadership to team members · Develops or assists in the development of technical strategy · Creates or assists in the creation of project plans · Assists in the design of the systems and application programs · Manages the execution of a project plan, including quality and completion of own work while simultaneously monitoring the work of team members	Requires experience in at least one team leader assignment. 6+ years experience	· Project Lead “er” · Offshore Project Coordinator
Senior Developer	Besides the technical expertise of Programmer (Developer): · Provides technical direction to programmers · Shows capabilities of performing team leader functions · Develops and/or leads the development of prototypes	At least 3 years of experience as a Programmer in the required technology	· Developer · Senior Developer · Senior Programmer · Associate Programmer · Master Programmer · Software Engineer

266

Role	Function Performed	Required Experience	Other Included Roles
Developer	· Develops program specifications/detail design documents · Codes, tests and debugs complex applications programs · Has participated in the application design of systems, including use of analytical techniques · Has participated in the development of functional specifications · Works under the direction of a team leader, senior technical leader or analyst · Develops prototypes from functional specifications · Designs application sub-systems and small systems · Assists users in testing, training, and preparation for operations · Demonstrates an understanding of object-oriented development tools and techniques, has worked on multiple platforms and/or with multiple methodologies	Up to 3 years of experience in required technology	· Junior Developer · Associate Programmer · Junior Software Engineer
Senior Database Administrator (DBA)	Assumes leadership responsibilities for the following: · Manages database servers in all environments to ensure optimal performance · Possesses Technical knowledge spanning multiple RDMS · Establishes administration and process standards for environments · Mitigates risks in accordance with business requirements · Takes leadership role in new projects	A minimum of 5 years DBA experience
Database Administrator (DBA)	· Administers database servers · Follows and adheres to standard database architecture, configuration, and performance · Mitigates risks in accordance with business requirements · Follows standards set by senior DBA	A minimum of 2-3 years experience
Business Analyst	· Leads analysis and testing effort for complex projects spanning multiple business or technology areas · Provides analytical perspectives to the business throughout the SDLC process	A minimum of 3 years of experience	· IT analyst

267

Role	Function Performed	Required Experience	Other Included Roles
Senior Architect	· Responsible for all aspects of architecture for applications and projects for an organization · Includes architecture strategy, data technology, re-use, components, etc.	A minimum of 5 years of system architecture experience	· Sector Architect · Channel Architect · Chief Architect · Chief Strategist · Regional Architect
Architect	Responsible for applications and projects that he/she is assigned: · Includes strategy, data, technology, re-use, components · In general, the architect will be assigned as the architect for all projects that are associated with applications that he/she is responsible for		· Core Architect - Data Architect · Core Architect - Process Architect · Core Architect - System Architect · Application Architect
Sr. Systems Engineer	Besides the technical expertise of the Systems Engineer: · Provides technical direction to Systems Engineers · Performs team leader functions · Develops and/or leads the development of prototypes	Up to 3 years of experience in testing in related technology/business domain	· System Specialist - Application/Technology/ Solution SME · Engineer - Application Performance Engineering · Capacity / Demand Manager
Systems Engineer	· Provides engineering solutions with responsibility for the systems and/or network environment · Provides design and configuration solutions in addition to the day-to-day upgrades and administration · Responsible for capacity planning, disaster recovery, and security, where necessary · Possesses extensive experience with operating systems, network protocols, systems programming and configurations and/or hubs, switches and routers · Validates and tests architecture and design solutions to produce detailed engineering specifications with recommended design and technologies · Possesses extensive experience with large-scale enterprise environments and the related software/hardware issues		· Engineer - Deployment Assistance · Engineer - Product Maintenance

268

Role	Function Performed	Required Experience	Other Included Roles
Quality Assurance Test Lead	· Assumes leadership responsibilities for the creation and execution of detailed test plans and scripts to verify software functionality and adherence to business requirements · Execution of scripts include progress reporting, defect tracking, and risk assessments · Works across multiple cross-functional teams to roll-up all unit and integration tests to execute full system, interface, and end-to-end testing · Test lead will also be involved in shift management for projects involving shifts and also mentoring of Support analysts	Up to 3 years of experience in testing in related technology/business domain
Quality Assurance Tester	· Responsible for the execution of detailed test plans and scripts to verify software functionality and adherence to business requirements · Execution of scripts will include progress reporting, defect tracking, and risk assessments · Works across multiple cross-functional teams to roll-up all unit and integration tests to execute full system, interface, and end-to-end testing	At least 3 years of experience as a Tester in the required technology/business domain
Operations Support	· Responsible for a variety of supporting roles		· Production Support Analyst - L1, L2, L3 · Trader Support Analyst · Batch/Monitoring Support · Command Center Operator · Datacenter Operator · Tape Operator · Mainframe Operator

269

Appendix 11.2.7 — Legacy Resources

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

270

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

271

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

272

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

273

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

274

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

275

Supplier
Resource
EMP ID

Citi
SOEID

Resource Name

Work
Country

Supplier
ProjectID

Project Name

Daily Rate
($)

Citi LOB

[****]

276

Appendix 12.6.2 — Form of Work Authorization Attestation

Supplier:

Name of Personnel	Location of Personnel Providing Services	Anticipated Start Date

The Supplier referenced above hereby delivers this attestation pursuant to the provisions of the Master Services Agreement dated as of (INSERT DATE OF MSA), by and between Supplier and (INSERT CITI ENTITY THAT SIGNED AGREEMENT) (the “Agreement”). All capitalized terms will have the meaning ascribed to them in the Agreement. Supplier certifies, represents and warrants that each of the above-named Personnel is authorized to work pursuant to the requirements outlined in Section 12.6 (Supplier’s Personnel Policies) of the Agreement. This attestation is with respect to Supplier Personnel resources being assigned to provide Services under Work Order No. [INSERT #], dated [INSERT DATE], by and between Supplier and (INSERT CITI ENTITY THAT SIGNED THE WORK ORDER) (the “Work Order”). Supplier acknowledges and agrees that this attestation does not apply to any other work order except the Work Order identified on this form.

Supplier, through its duly authorized officer, has signed this Form of Work Authorization Attestation to the Agreement as of the date indicated below with respect to the Work Order.

Supplier:


By:

Name:

Title:

Date:

277

Appendix 13 — Confidentiality

1. Supplier’s Confidential Information. Supplier’s “Confidential Information” means and refers to all materials provided by Supplier pursuant to any business, or in contemplation of any potential business, under this Agreement, a Work Order or otherwise involving Supplier’s provision of services, software or products to Citi or its Affiliates that are expressly identified or marked by Supplier as “confidential”. If Supplier intends to supply Confidential Information for use by Citi in connection with any particular services, software or products, then Supplier will provide Citi with a written summary of all of Supplier’s Confidential Information prior to Supplier’s disclosure to Citi.

2. Citi’s Confidential Information. Citi’s “Confidential Information” means and refers to all tangible or intangible information and materials, in any form or medium (and without regard to whether the information or materials are owned by Citi or by a third party), whether provided or disclosed to Supplier by Citi or its Affiliate, or accessed, observed or otherwise obtained by Supplier from Citi or its Affiliates (pursuant to any business, or in contemplation of any potential business, under this Agreement, a Work Order or otherwise involving Supplier’s provision of services, software or products to Citi or its Affiliates), that satisfies at least one of the following criteria:

2.1 Information or materials related to Citi’s, a Citi Affiliate’s, or any of their respective customers’ business, trade secrets, customers (including identities, characteristics and activities), business plans, strategies, forecasts or forecast assumptions, operations, methods of doing business, records, finances, assets, technology (including software, data bases, data processing or communications networking systems), data or information or materials that reveal research, technology, practices, procedures, processes, methodologies, know how, or other systems or controls by which Citi’s or a Citi Affiliate’s products, services, applications and methods of operations or doing business are developed, conducted or operated, and all information or materials derived there from or based thereon;

2.2 Information or materials designated or identified as confidential by Citi or a Citi Affiliate, whether by letter or by an appropriate proprietary stamp or legend, prior to or at the time the information or materials are disclosed by Citi or a Citi Affiliate to Supplier;

2.3 Information disclosed orally or visually, or written or other form of tangible information or materials without an appropriate letter, proprietary stamp or legend, if it would be apparent to a reasonable person, familiar with the financial services industry, that the information or materials are of a confidential or proprietary nature; or,

2.4 Any information that relates to a person and that could be used, either directly or indirectly, to identify any person, whether a natural person or a legal entity (“Personal Information”).

3. Duty of Care and Use Restrictions. The Party receiving Confidential Information (“Receiving Party”) of the other Party (“Disclosing Party”) will exercise at least the same degree of care with respect to the Disclosing Party’s Confidential Information that the Receiving Party exercises to protect its own Confidential Information; and, at a minimum, the Receiving Party will adopt, maintain and follow security practices and procedures that are sufficient to safeguard the Disclosing Party’s Confidential Information from any: (i) unauthorized disclosure, access, use or

278

modification; (ii) misappropriation, theft, destruction, or loss; or (iii) inability to account for Confidential Information. Without limiting the generality of the foregoing, the Receiving Party will only use or reproduce the Disclosing Party’s Confidential Information to the extent necessary to enable the Receiving Party to fulfill its obligations under the Agreement to which this Appendix is attached, or in the case of Citi, to exercise its rights as contemplated by the Agreement to which this Appendix is attached. In addition, the Receiving Party will disclose the Disclosing Party’s Confidential Information only to those of the Receiving Party’s (or in the case of Citi, also to its Affiliates’) Personnel who have a “need to know” Confidential Information (and only to the extent necessary) in order to fulfill the purposes contemplated by the Agreement. Supplier will ensure that each of its Personnel is bound to uphold Supplier’s obligations of confidentiality. Supplier further acknowledges that Citi and its Affiliates are subject to policies (copies of which are made available to Supplier upon request) and Applicable Law which governs and restricts the collection, storage, processing, dissemination and use of Personal Information, including any Personal Information relating to Citi’s and its Affiliates’ respective customers, suppliers and Personnel. Supplier agrees to collect, store, process, disseminate or use any Personal Information obtained from Citi or a Citi Affiliate: (a) only as expressly directed by Citi or a Citi Affiliate in writing (either within the provisions of the Agreement to which this Appendix is attached or otherwise), (b) in accordance with any Applicable Law, and (c) in accordance with the provisions of Citi’s and its Affiliates’ policies where relevant to the Services. Where Citi is subject to specific obligations in respect of the processing of Personal Information, Supplier will execute all documents and do all acts as Citi may reasonably require in order for it to comply with Citi’s or a Citi Affiliate’s data protection obligations.

3.1 If Supplier is engaged in any activities relating, directly or indirectly, to the accounts of any customer of Citi or a Citi Affiliate, then Supplier will ensure that it maintains and follows written and comprehensive security practices and procedures that are sufficient to detect patterns, practices or specific forms of activity that indicate the possible existence of an actual or attempted theft or misappropriation of Personal Information. Supplier agrees to immediately report all incidences or suspicious activities to Citi.

3.2 If any business contemplated under this Agreement involves Supplier or its Personnel having access to Personal Information, then Supplier will comply, and will ensure that its Personnel comply, with all information security requirements that apply to Supplier and/or Citi under Applicable Law with respect to the protection and treatment of Personal Information as well as prevailing industry information security standards. At a minimum, Supplier will undertake the following measures with respect to Citi Personal Information received, observed or otherwise accessed by Supplier: (i) develop, implement, maintain, and monitor a comprehensive, written information security program that contains administrative, technical, and physical safeguards to ensure the security and confidentiality of Personal Information in electronic, paper form or other media and protect against: (a) any anticipated threats or hazards to the security or integrity of Personal Information, and (b) unauthorized access to, or use of, Personal Information; (ii) conduct a risk assessment to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards; (iii) implement appropriate access controls to limit access to Personal Information; (iv) educate and train Supplier’s Personnel regarding information security practices and procedures, including the requirements of Supplier’s information security program, as well as any special requirements of Citi; (v) appropriately

279

restrict the storage of Personal Information on laptops, portable devices or other portable media and where Personal Information must be stored on devices, encrypt all Personal Information stored on laptops and, where technically feasible, on other portable devices and portable media; (vi) dispose of Personal Information in a way so that it may not be decoded, read or decompiled; and (vii) utilize industry standard passwords, firewalls and anti-malware measures to protect Personal Information stored on computer systems. In addition to the foregoing, with regard to any Special Personal Information, as defined, accessed or managed by Supplier, Supplier will encrypt all Special Personal Information that will travel across public networks or that is transmitted wirelessly. “Special Personal Information” is: (1) an individual’s Social Security number (or the equivalent (if any) for countries outside of the United States); or (2) any combination of any individual’s name (including first or middle initial and last name) and any one or more of the following data relating to the individual: (x) individual taxpayer identification number, driver’s license number, passport number or any other government-issued identification number; (y) account number (including any credit card number, debit card number, or other financial account number, as well as any other customer account number); and/or (z) medical or health information or records.

4. Removal from Premises. Supplier will not remove or transmit Citi’s Confidential Information from Citi’s premises without, in each case, obtaining Citi’s express prior written consent. If any of Citi’s Confidential Information must leave Citi’s premises (through the mail, magnetic tape, line transmission or any other communication media) in order for Supplier to provide any Services, Supplier will use, and will cause its Personnel to use, the highest degree of care to safeguard Confidential Information from intrusion, tampering, theft, loss, and breaches of confidentiality.

5. Off Shore Access and Storage. Supplier will not, without Citi’s express prior written approval, send any Citi Confidential Information that contains Personal Information to, store Citi Confidential Information that contains Personal Information at, or provide access to Citi Confidential Information that contains Personal Information from, any facility or data center outside of the country from which Citi Confidential Information was collected.

6. Legends. The Receiving Party will not remove any copyright nor other proprietary notice of confidentiality contained on or included in the Disclosing Party’s Confidential Information, and will reproduce any notice on any reproduction, modification or translation of the Disclosing Party’s Confidential Information.

7. Notification. If the Receiving Party becomes aware of any threatened or actual violation of the obligations or restrictions agreed to by the Receiving Party with respect to the Disclosing Party’s Confidential Information, the Receiving Party will immediately notify the Disclosing Party and the Receiving Party will, and will assist the Disclosing Party with its efforts to, cure or remedy the violation. The Receiving Party is liable to the Disclosing Party for any non-compliance by its Personnel.

8. Exclusions. The obligations of confidentiality assumed under the Agreement to which this Appendix is attached will not apply to the extent the Receiving Party can demonstrate, by clear and convincing evidence, that the information:

280

8.1 is or has become generally known by persons engaged in the technology or financial services industries, without any breach by the Receiving Party of the provisions of the Agreement to which this Appendix is attached or any other applicable agreement between the Parties;

8.2 was rightfully in the possession of the Receiving Party, without confidentiality restrictions, prior to the Receiving Party’s receipt from the Disclosing Party;

8.3 was rightfully acquired by the Receiving Party from a third party who was entitled to disclose the information, without confidentiality or proprietary restrictions;

8.4 was independently developed by the Receiving Party without using or referring to the Disclosing Party’s Confidential Information; or

8.5 is subject to a written agreement under which the Disclosing Party authorized the Receiving Party to disclose the subject information.

Notwithstanding anything to the contrary as set forth in this Section 8 of this Appendix, the exclusions above will not apply to Personal Information.

9. Legally Required Disclosures. The obligations of confidentiality assumed under the Agreement to which this Appendix is attached will not apply to the extent that the Receiving Party is required to disclose the Disclosing Party’s Confidential Information under any Applicable Law. Notwithstanding the foregoing, in the event that Supplier is served with a request from one of the aforementioned authorities, Supplier will:

9.1 promptly notify Citi of the request or order in order to provide Citi an opportunity to seek a protective order;

9.2 provide Citi with reasonable cooperation in its efforts to resist the disclosure, upon reasonable request by Citi and at Citi’s expense; and

9.3 disclose only the portion of Citi’s Confidential Information that is required to be disclosed under Applicable Law.

10. Supplier Personal Data. Supplier acknowledges that Citi and its Affiliates are global companies and may, from time to time, collect, store, process, disseminate or use information that relates to Supplier, or any person (natural person or legal entity) that Supplier assigns or engages (whether directly or indirectly) that could be used, either directly or indirectly, to identify any person (whether a natural person or a legal entity) (all information collectively “Supplier Personal Data”) to exercise Citi’s and its Affiliates’ rights or fulfill their obligations under the Agreement to which this Appendix is attached. Supplier consents, and will ensure that each person assigned or engaged to interact with Citi or a Citi Affiliate in connection with the subject matter of the Agreement to which this Appendix is attached consents, to the collection, storage, processing, dissemination or use of Supplier Personal Data by Citi and a Citi Affiliate for all purposes relating to business contemplated under the Agreement to which this Appendix is attached.

11. Accounting for Confidential Information. Except as otherwise specified in the

281

Agreement to which this Appendix is attached, upon the request of the Disclosing Party, the Receiving Party will return (or purge its systems and files of, and suitably account for) all Confidential Information supplied to, or otherwise obtained by, the Receiving Party in connection with the Agreement to which this Appendix is attached. The Receiving Party will certify in writing that it has fully complied with its obligations under this Appendix E within seven (7) days following the date it receives a request from the Disclosing Party for certification. For the avoidance of doubt, this Section 11 of this Appendix will not be construed to: (i) require Citi to return the Software, any Documentation, any information or materials provided by Supplier or any of Supplier’s Confidential Information that was provided as part of, or in conjunction with, the Software or Services, or (ii) limit either Party’s right to seek relief for damages that are caused by the other Party’s default.

12. Information Security Assessment. Supplier will permit representatives of Citi, upon prior notice and at reasonable times, to examine and verify compliance with Supplier’s obligations under the Agreement to which this Appendix is attached with respect: (i) to the safeguarding and use of Citi’s Confidential Information, and (ii) the detection, prevention, and mitigation of an actual or attempted theft or misappropriation of Personal Information of customers of Citi or a Citi Affiliate. Each examination and verification may include conducting information security assessments (“ISA”) of Supplier and of Supplier’s practices and procedures. ISAs may consist of: (a) security questionnaires requiring responses from Supplier or its Personnel, (b) visits to locations where (or from where) Citi’s Confidential Information may be stored, processed, administered or otherwise accessed, and (c) review of all records and files in Supplier’s or its Personnel’s possession relating to the purposes above. Citi will endeavor to have ISAs conducted in a manner that does not unreasonably interfere with Supplier’s business operations. Should the findings of an ISA disclose or indicate security problems or concerns, Citi will detail all findings in a notice to Supplier, and work with Supplier to identify means for correcting the problems and addressing the concerns to Citi’s reasonable satisfaction. Supplier’s failure to correct the problems or adequately address the concerns expeditiously will constitute a material breach of the Agreement to which this Appendix is attached. Citi acknowledges that the findings of any ISA is deemed to be Supplier’s Confidential Information. Notwithstanding the foregoing, Supplier grants Citi the right to distribute and use the findings of any ISA with any Citi Affiliate, auditor or Regulator as may be necessary to transact business with Supplier or to fulfill any compliance or information security process or policy of Citi or its Affiliates.

13. Security Incident Reporting Process. In order to: (i) ensure that both Parties have the immediate ability to address, contain and mitigate any possible risk stemming from any actual, alleged or potential unauthorized access, disclosure, compromise or theft of Citi’s Confidential Information (including but not limited to, the unauthorized use of or access to Citi’s Systems, Personal Information, Special Personal Information or any other data of Citi and its Affiliates, improper handling or disposal of data, theft of information or technology assets, and/or the inadvertent or intentional disclosure of Citi’s Confidential Information), and (ii) ensure a consistent process for identifying, reporting, investigating and closing information security incidents, Supplier will develop, implement, document and maintain an information security incident reporting process (a “SIRP”). The SIRP will: (a) provide an accurate and up-to-date list of Supplier and Citi Personnel to be contacted in the event of an actual or suspected information security incident, (b) detail incident severity definitions consistent with Citi’s policies, standards and processes, and (c) set specific escalation procedures and timeframes for same based upon the breach severity level of the actual or suspected information security incident. At a minimum, the SIRP must: (1) mandate

282

that all of Supplier’s Personnel notify their management in the event that any of Supplier’s Personnel become aware of any action which indicates that there has been or may be an information security incident, and (2) mandate that an officer of Citi must be contacted immediately in the event of any actual or likely disclosure of Citi Confidential Information, in accordance with the aforementioned escalation procedure.

14. Identity Theft Red Flags. Supplier acknowledges that various United States Regulators have issued rules and guidelines (sometimes referred to as Red Flag Guidelines and Regulations, and including those implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003), requiring financial institutions and creditors to develop and implement policies and procedures to detect, prevent, and mitigate patterns, practices and specific forms of activity that indicate the possible existence of an actual or attempted theft or misappropriation of Personal Information. Supplier will comply with Applicable Law and will assist Citi and Citi’s Affiliates` in every reasonable manner in their efforts to fulfill their respective obligations under Applicable Law.

283

Appendix 22.2 — Assurance of Compliance — (Export Control Laws)

I hereby acknowledge that as a condition for me being engaged by Citigroup, Inc. or one of its subsidiaries (collectively “Citigroup”), I must agree, and I do hereby agree, to comply with the laws and regulations of all of countries in which Citigroup conducts operations, and with the corporate policies and procedures promulgated by Citigroup that are designed to adhere to all such laws and regulations. Without limiting the generality of the foregoing, I specifically agree to comply with all laws and regulations that regulate the importation or exportation of goods and technologies, and in particular, to comply with the Export Administration Regulations of the United States as they pertain to any technical data, computer software, or any product (or any part thereof), process, or service that is the direct product of any such technical data or computer software (hereinafter referred to collectively or individually without distinction as “Export Controlled Products”) to which I have access while engaged by Citigroup. In order to ensure my compliance, I shall not disclose, export, re-export or otherwise transfer (directly or indirectly) any Export Controlled Products without having first verified that Citigroup has received such prior written authorization from the U.S. Department of Commerce or other appropriate agencies as may be required by applicable law or regulations. In addition, if I have any questions about any restrictions established by any applicable export control laws of any country, I will contact a Citigroup Export License Coordinator.

I acknowledge that the Export Administration Regulations of the United States prohibit the disclosure, exportation or re-exportation (directly or indirectly) of any Export Controlled Products: (i) to any country, or to any citizens or residents of any country, that is included within Country Group E:1 on Supplement No.1 to 15 CFR chapter VII, subchapter C, part 740, as such Supplement No. 1 currently exists or may hereafter be amended from time to time (hereinafter, Supplement No.1”), or (ii) to any country, or to any citizens or residents of any country, that is included within Country Group D:1 on Supplement No.1, if the Export Controlled Product is destined to a military end user or intended for any military use. I have been advised that a current version of Supplement 1 may be viewed by: (i) accessing the web site located at http://www.access.gpo.gov/bis/ear/ear_data.html, (ii) scrolling down to “Part 740Spir - Supplement No. 1 to Part 740, Country Groups”, and (iii) clicking on the Download Format preferred.

I also acknowledge that certain computer software to which I may have access while engaged by Citigroup may contain encryption functionality controlled for “EI” purposed by the U.S. Department of Commerce, and that such computer software is subject to additional export control restrictions. Accordingly, in addition to the other obligations assumed above with regard to the disclosure, exportation or re-exportation of Export Controlled Products, I specifically agree (i) not to use any computer software containing encryption functionality for any purpose other than for Citigroup’s internal use (which may include the development of new computer software products), and (ii) not to disclose, export, re-export or otherwise transfer any computer software containing encryption functionality outside Citigroup or to any other destination or end user outside the United States or Canada without first verifying that such an export is legally authorized by regulation or by license.

I further acknowledge and agree that the obligations assumed under this Assurance of Compliance shall be binding upon me during my term of engagement with Citigroup and shall continue to bind me thereafter, and that my failure to comply with the requirements and restrictions set forth herein may expose me and Citigroup to severe criminal and administrative penalties and

284

sanctions. In addition, I understand that any such failure by me shall constitute grounds for disciplinary action by Citigroup, including immediate termination of my Citigroup engagement.

I understand that the personal information requested below is required to assist Citigroup comply with U.S. export control laws.

Nationality and/or Residency Status (Check one):

Citizen of the United States

Permanent Resident of the United States

Designate type of visa.

Foreign National performing services within the United States (includes each individual who is neither a Citizen nor a Permanent Resident of the United States)

Designate: a) Country of birth

b) Country of citizenship

c) Country of residence

Citizen or permanent resident of a country other than the United States who performs services in a country other than the United States

Designate: a) Country of birth

b) Country of citizenship

c) Country of residence

d) Country where services are performed

[U.S.-based Personnel are also required to complete and sign the form attached as Attachment A]




Print Name:

Date:

285

Appendix 22.2 Attachment A - Work-Authorization Attestation [For U.S.-based Personnel]

[To be printed on Supplier Letterhead]

Work-Authorization Attestation [For U.S.-based Personnel]

Supplier:

Name of Personnel:

If Personnel is employed by a Subcontractor, specify Subcontractor:

Address of Citi office in the U.S. where Personnel provides Services:

Supplier and Citi have entered into a Master Professional Services Agreement for the provision of Services to Citi by Supplier effective as of (the “Agreement”). All capitalized terms shall have the meaning ascribed to them in the Agreement.

Supplier certifies, represents and warrants that the above-named Personnel is authorized to work in the U.S. pursuant to the applicable Section of the Agreement.


Signature of Supplier-Authorized Representative

Name/Title

Date

286

Appendix 22.7.1 — Data Privacy Agreement by Country

Data Privacy Agreement

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation:

Address:

Tel.: ; fax: ; e-mail:

Other information needed to identify the organisation


(the data exporter)

And

Name of the data importing organisation:

Address:

Tel.: ; fax: ; e-mail:

Other information needed to identify the organisation:


(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Exhibit 1.

287

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(5);

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Exhibit 1 which forms an integral part of the Clauses.

(5) Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

288

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Exhibit 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks

289

presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Exhibit 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer(6)

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(6) Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

290

(c) that it has implemented the technical and organisational security measures specified in Exhibit 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Exhibit 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

291

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

292

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely [ ]

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses(7). Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely [ ]

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

(7) This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.

293

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature

(stamp of organisation)

On behalf of the data importer:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature

(stamp of organisation)

294

EXHIBIT 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Exhibit forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Exhibit

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Categories of data

The personal data transferred concern the following categories of data (please specify):

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

DATA EXPORTER
Name:
Authorised Signature

DATA IMPORTER
Name:
Authorised Signature

295

EXHIBIT 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Exhibit forms part of the Clauses and must be completed and signed by the parties

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

ILLUSTRATIVE INDEMNIFICATION CLAUSE (OPTIONAL)

Liability

The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Indemnification is contingent upon:

(a) the data exporter promptly notifying the data importer of a claim; and

(b) the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim(8).

(8) Paragraph on liabilities is optional.

296

Supplier Project
Manager (“PM”)

Citi PM

Citi Resource &
Location Strategy
Relationship Manager

Address:

Phone:

e-mail: