European Union Regulatory Compliance Exhibit
Last Updated: 23 October 2024
Erratum correction: 06 November 2024
This Exhibit applies only to any of Customer and/or its Affiliates Entities that satisfy the requirements of Section 13.2 of the Main Services Agreement between the Customer and Notabene (“Agreement”). Capitalized terms that are not defined in this Exhibit have the definitions set forth in the Agreement. In the event of a conflict between this Exhibit, if applicable, and the Agreement, this Exhibit will prevail.
The Parties expressly accept and acknowledge that Customer and/or its Affiliates Entities, as applicable pursuant to the previous paragraph, are subject to sector specific regulations with impact on the outsourcing relationships and arrangements established by the Customer, including the following, as applicable (collectively, the “Regulatory Requirements”):
- The guidelines on outsourcing arrangements issued by the European Banking Authority (“EBA”) (EBA/GL/2019/02), as applied by any European Union supervisory authority relevant to the Customer’s activities, including the EBA and the European Security and Markets Authority (“Supervisory Authority”);
- Regulation (EU) 2022/2554 of the European Parliament and of the Council, on the Digital Operational Resilience Act (“DORA Regulation”);
- Directive 2014/59/UE of the European Parliament and of the Council, of 15 May 2014 – Bank Recovery and Resolution Directives (BRRD);
- Directives 2001/24/CE, 2002/47/CE, 2004/25/CE, 2005/56/CE, 2007/36/CE, 2011/35/CE, 2012/30/UE and 2013/36/UE; and
- Regulations (UE) 1093/2010 and (UE) 648/2012.
The Parties agree that the access and use of the Services provided by Notabene, an Information and Communication Technology (“ICT”) third party service provider, are governed by the Regulatory Requirements specified in this Exhibit which, if applicable, is an integral part of the Agreement.
A. GENERAL REQUIREMENTS
1. Notabene’s Obligations and Warranties.
Notabene warrants the following in relation to the provision of Services:
1.1 The Services provided under the Agreement are governed by the Service Level Agreement (to be provided separately). The Service Level Agreement will be reviewed by Notabene on an annual basis and by Customer, upon written request, to be granted no more than once annually during the Term.
1.2 To the best of its knowledge, Notabene has not been subject to any declaration of insolvency.
1.3 Notabene will respond to any inquiries or requests for clarification from the Customer concerning the provision of Services, particularly regarding information security.
1.4 Notabene conducts regular penetration testing on the technological infrastructure supporting the Services and will provide the Customer with its penetration testing reports upon written request during the Term.
1.5 Notabene agrees to notify the Customer of any current or anticipated issues that may affect its ability to fulfill the obligations outlined in the Agreement as soon as it becomes aware of such situations. This includes Notabene’s ability to efficiently provide the Services in compliance with the Agreement, applicable laws and regulations, and Regulatory Requirements. The Parties also agree that for certain events, notifications may be posted on the website www.notabene.id (or any successor website) during the Term.
2. Customer’s Obligations and Warranties.
Customer warrants the following in relation to the provision of Services:
2.1 The Customer will provide all necessary and reasonable cooperation to enable Notabene to fulfill its obligations under the Agreement, which includes supplying essential information and resources for the provision of the contracted Services.
2.2 The Customer will grant access upon written request to its digital premises, including systems, platforms, and relevant digital resources, to Notabene’s personnel or authorised sub-subcontractors, as necessary, to facilitate the performance of the Services while ensuring compliance with security protocols and regulatory obligations.
2.3 The Customer will ensure compliance with all applicable laws and regulations related to its operations, including obtaining all necessary authorisations, certifications, and licenses required for its business activities.
B. REGULATORY REQUIREMENTS
The Parties acknowledge that the Services under this Agreement, due to their features, qualify as critical outsourcing pursuant to the Regulatory Requirements. As a result, the EBA Guidelines, DORA requirements, and all other applicable laws and regulations governing banking, financial, and insurance activities shall govern accordingly.
1. Service. The Services shall be provided as described in the Order Form(s) executed by the Parties.
2. Compliance with Applicable Law and Regulations.
2.1 Notabene assures and warrants that it is currently in compliance with and will continue to comply with all laws and regulations relevant to its activities, as well as those applicable to the scope of the Services under the Agreement. Furthermore, it guarantees that all necessary permits, licenses, and approvals required by these laws and regulations are, and will remain, in its possession to lawfully conduct its activities and fulfill its obligations under the Agreement.
2.2 Notabene commits to cooperate with the competent authorities and the resolution authorities of the Customer, including persons appointed by them.
2.3 Notabene agrees to adopt and adhere to all reasonable measures and instructions issued by Customer, where feasible and applicable, while avoiding any actions that could negatively impact the security of systems, connections to Customer, and the data contained therein, even if such actions are requested by Customer.
2.4 Both Parties assure that they will maintain compliance with applicable legislation and regulation throughout their ongoing contractual relationship.
3. Business Continuity Plan.
3.1 Notabene shall implement, test, and have in place a business continuity and a disaster recovery plan (“Business Continuity Plan”) to allow the uninterrupted provision of the Services (including in emergency situations or force majeure events), which is available to the Customer at https://trust.notabene.id/.
3.2 Notabene commits to follow the guidelines outlined in the Business Continuity Plan which will be kept updated and will be activated as needed to ensure continuous Services to Customer.
3.3 Customer understands that Notabene will periodically update and test the Business Continuity Plan during the duration of the Agreement. Notabene agrees to: (i) test and adhere to its Business Continuity Plan; and (ii) ensure that any changes to the Business Continuity Plan do not negatively impact the Customer or the delivery of Services and are aligned with good industry practices.
3.4 Notabene is committed to taking appropriate actions to address any deficiencies identified in the Business Continuity Plan based on analyses and testing.
4. Monitoring. Each Party may monitor the other Party’s provision of services and performance of obligations under the Agreement, and each Party will have adequate monitoring processes in place. The Parties will retain the right to request information about the provision of services and the performance of obligations under the Agreement, to the extent reasonably necessary and appropriate to monitor the foregoing and in compliance with applicable laws and regulations.
5. Audits.
5.1 Notabene will grant Customer, the Supervisory Authorities, and any other person properly appointed by Customer or the Supervisory Authorities the right to access and inspect information, records (including financial records), reports, physical premises, systems, networks, data, and devices of Notabene (and to reasonably interface with relevant personnel), where duly justified and relevant and only to the extent reasonably necessary to monitor Notabene’s performance under the Agreement and its compliance with applicable laws and regulations with respect to the Services. Subject to the provisions in this Exhibit, nothing in the Agreement will limit Customer’s and the Supervisory Authorities’ effective exercise of the access and audit rights. The access and audit rights will continue to apply in the event of insolvency, resolution, or discontinuation of business operations.
5.2 Customer must communicate its intended audit requirements to Notabene, including but not limited to: audit objectives and purpose; scope of the audit; specific location; expected duration; list of required information; specific activities the auditors will undertake and expected timing; and the names of the auditors.
5.3 In the event of on-site visits conducted by Customer or a third party appointed by it, Customer will provide at least seven (7) business days’ prior notice, unless such prior notice is not possible due to an emergency or crisis situation or would result in the audit’s ineffectiveness. Such visits will be conducted only if reasonably required under applicable laws and regulations and, if required, in a manner that has minimal adverse impact on the business and operations of Notabene.
5.4 The Parties acknowledge and agree that any information that Notabene discloses as a result of an audit or monitoring (whether to Customer, a Supervisory Authority, or an authorized third party) constitutes the Confidential Information of Notabene and is subject to confidentiality protections, including but not limited to those set forth in the Agreement (in Section 6 and other relevant provisions).
5.5 Notabene will not impede any competent regulatory authority with jurisdiction over Notabene from cooperating with the Supervisory Authorities. Cooperation includes, but is not limited to, receiving information as soon as practicable regarding any breach of applicable laws and regulations.
6. Security measures.
6.1 Notabene shall procure to implement the best market practices regarding the accessibility, availability, integrity, privacy, and safety of relevant data, including, without limitation, personal data. Notabene undertakes to implement and to comply with all standards in terms of computer security and to take and maintain all necessary and practicable measures, as timely and reasonably requested by the Customer, to comply with the information security requirements of data and standard systems, as well as the requirements provided for in the Agreement and the Data Processing Agreement in order to safeguard the integrity and security of the data and systems.
6.2 All security measures under the Data Processing Agreement entered by the Parties are applicable to all systems and devices used by Notabene while providing the Services. During the Term, Notabene shall comply at least with the security measures identified in the “Security Measures” section of the Data Processing Agreement.
7. Localization of the Services.
7.1 The Services will be performed using servers based in the EEA (or in jurisdictions where an adequacy decision by the European Commission has been granted) for Customer’s or its client’s data, both at rest and in transit.
7.2 Notabene will not change the localization of the Services, although in case of any change related to the location of Services, Notabene will promptly notify the Customer to obtain prior authorisation in writing from the Customer. In that event, Notabene will provide to Customer all information reasonably required to assure the Customer about the adequate guarantees of moving the Services to a non-EEA country.
8. Sub-Outsourcing. Customer acknowledges and authorizes Notabene to subcontract part of the Services to Notabene’s affiliates or third parties contracted by Notabene, as described in the list of subcontractors available in Appendix 1 below. Customer hereby gives general authorization to current, new, or replacement subcontractors, provided that Notabene follows the following procedure:
8.1 Notabene remains responsible for the actions and omissions of all subcontractors performing Services on its behalf, provided that they are not caused by events outside of the subcontractor’s reasonable control.
8.2 Notabene agrees to provide Customer with notice at least thirty (30) days in advance of engaging any new or replacement subcontractor which will be involved in the provision of Services to Customer, such that Customer has the opportunity to object.
8.3 If Customer has a reasonable belief that such new subcontractor cannot comply with applicable laws or may lead the Customer to not comply with applicable laws, Customer may provide written notice to Notabene within twenty (20) days of being informed of the engagement of the new subcontractor, and the parties agree to work together in good faith to resolve such issues.
8.4 If such issues cannot be resolved, Customer may object to any new subcontractor by terminating the Order Form with respect only to those Services that cannot be provided by Notabene without the use of the new subcontractor to which Customer has objected. Such termination will be made by providing written notice to Notabene. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new subcontractor. In the event of such termination, Notabene will not refund any prepaid fees for the remaining term of those Order Form(s), nor impose a penalty for the termination.
8.5 Notabene may replace a subcontractor without advance notice where the reason for the change is outside of Notabene’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Notabene will inform Customer of the replacement subcontractor as soon as possible following its appointment.
9. Material Impact Incident. Notabene will immediately notify the Customer of any development likely to have a material impact on Notabene's ability to efficiently perform the Services, in line with the agreed service levels and in accordance with legislation and applicable Regulatory Requirements. If an ICT incident occurs that is related to the Services provided to the Customer, Notabene will provide assistance to Customer at a cost of 400 USD per hour worked by each professional.
10. Transition of Services. In the event of the termination or expiration of the Agreement, for whatever reason, the Parties agree as follows:
10.1 If requested by Customer, Notabene will continue to provide Services under the Agreement for a maximum duration of six months after the effective date of termination or expiration (“Transition Period”); provided that Customer will pay any outstanding and due amounts without delay, including any outstanding and due amounts for Services or other work provided to Customer during the Transition Period. The terms of the Agreement will continue to apply during the Transition Period. Notabene shall use commercially reasonable efforts to provide Customer with assistance in timely migrating Customer’s data to the Customer’s or another service provider’s system, and thereafter as provided in Section 13 below (“Return of Customer’s Data”). Notabene will charge fees related to any transitional work, including but not limited to data migration, in accordance with its regular hourly assistance rates.
10.2 If requested by Customer, the Parties will cooperate, acting reasonably and in good faith in accordance with industry standards, as reasonably necessary, appropriate, and practicable, to facilitate (i) an orderly wind down of the Services or (ii) an orderly transition of the Services to a successor (whether Customer or a third party). The foregoing will be done, if requested, without any significant disruption to, and without any significant detrimental effect on the continuity and quality of, the provision of Services and without limiting compliance with applicable laws and regulations with respect to the Services.
11. Bank Resolution and Recovery.
11.1 Notabene acknowledges that the Customer may be subject to the application of a recovery or resolution measure, in accordance with the European recovery and resolution framework for credit institutions and investment firms, and that, in such event, the resolution authority has the authority to apply such measure.
11.2 Notabene acknowledges that it cannot resolve, suspend, amend, restate, or terminate by any way this Agreement following or on the grounds of the application of any recovery or resolution measure or on any fact and/or act connected thereto. Notabene further acknowledges that, in such event, subject to Customer’s payment of Notabene’s then-current Fees and expenses, the Services shall be provided to the Customer as agreed.
11.3 Notabene acknowledges and accepts that the application of a recovery or resolution measure to the Customer, or a restructuring scheme thereafter, may entail, under the law, an assignment or transfer of the Customer’s position under this Agreement to a new legal entity, pursuant to a decision of the Customer or resolution authority and irrespective of Notabene’s prior consent.
11.4 In the event of transfer or assignment as set forth in Section 8.3, Customer agrees to notify Notabene of the assignment, in writing, no later than five (5) days prior to such assignment or transfer, and acknowledges that the provision of the Services to the transferee may incur additional costs related to Services, such as implementation services, as necessary to ensure a smooth transition. These costs must be mutually agreed upon between Notabene and the transferee.
11.5 If the contractual position is transferred to a new entity in conformance with the terms of this Section 11, Notabene will make reasonable efforts to facilitate an orderly and non-disruptive transition, while ensuring, to the extent practicable under the circumstances, that Services are provided under substantially the same or similar terms and conditions as previously offered to Customer.
11.6 If an assignment or transfer of Customer’s position in this Agreement occurs in accordance with Section 11.3 or if this Agreement is to be terminated during the resolution period with any legal ground other than the application of a recovery or resolution measure (e.g., due to contract expiration or otherwise), Notabene shall make reasonable efforts to effect the orderly transition of the Services by performing those for the new legal entity, under substantially the same or similar terms and conditions, until a reasonable period of time has elapsed.
12. Termination Rights. In accordance with the Regulatory Requirements, the Customer may immediately terminate the Agreement by delivery of written notice if: (i) Notabene is in breach of applicable law, regulations or contractual provisions; (ii) impediments capable of altering the performance of the outsourced function are identified in a way that cannot be remedied by Notabene within a reasonable time for the Customer; (iii) there are material changes significantly affecting the Services; (iv) there are deficiencies regarding the management and security of confidential or otherwise sensitive information or data; (v) Customer’s inability to meet obligations imposed by a Supervisory Authority due to actions or omissions directly attributable to Notabene; (vi) Customer receives a final and non-appealable decision from the Supervisory Authority requiring the termination of the Agreement due to the Supervisory Authority’s inability to effectively supervise the Customer under this Agreement; or (vii) serious or repeated breaches of confidentiality, bank secrecy, intellectual property, personal data processing, privacy provisions, or loss of Customer data.
13. Return of Customer’s Data. At the request of the Customer during the Term and after the termination of the Agreement, including, without limitation, in the event of Notabene’s insolvency, resolution, or discontinuation of operations, Notabene shall (i) allow immediate access to, or return to the Customer, all of the Customer’s data, in the format used to provide the Services, or (ii) at the Customer’s request, erase or destroy Customer’s data held by Notabene. Notabene shall provide proof of delivery to the Customer, confirming the complete transfer of data, and/or provide a certificate of data erasure or destruction to the Customer, confirming the complete and secure removal of data.
14. Insurance. Notabene has entered into adequate and market practice insurance agreements in order to cover its risks resulting from its business activity. This insurance includes, but is not limited to, the following types of coverage: (i) Commercial General Liability insurance; (ii) Errors and Omissions insurance; and (iii) Cyber insurance to cover damages resulting from violations of personal data protection laws. Notabene shall promptly inform the Customer of any situation affecting the accuracy, completeness, or validity of the previous sentence.
15. ICT Security Training. Where relevant due to the Services to be provided, and upon Customer’s reasonable advance written notice, Notabene shall allocate its employees providing Services to the Customer into Customer’s internal training programs, including those related to security awareness and digital resilience. Notabene shall do so as necessary or convenient for Customer and for Notabene and its employees to fulfill their duties under this Agreement and the Regulatory Requirements. Notwithstanding the foregoing, such training programs shall not occur more than once per year, unless the Parties mutually agree otherwise. The Parties will determine the eligibility criteria for the participation of Notabene and its employees in the above training programs and make these criteria available prior to the scheduled start date. The Customer will provide Notabene with access to training materials, modules, and related resources. Notabene undertakes to have its employees participate in the training sessions, as appropriate, and to acknowledge the training materials provided by the Customer as confidential.
Appendix 1