EX-10.31

EX-10.31 19 d180840dex1031.htm EX-10.31 EX-10.31

Exhibit 10.31

Execution Version

CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THIS EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) WOULD BE COMPETITIVELY HARMFUL IF PUBLICLY DISCLOSED. THE REDACTED TERMS HAVE BEEN MARKED WITH THREE ASTERISKS [***].

ADVANCED WALLET SERVICES AGREEMENT

This Advanced Wallet Services Agreement governs the products and services described herein and comprises the entire agreement (this “Agreement”) entered into and effective as of 09 July 2021 (“Effective Date”) by and between: (1) BitGo, Inc., duly organized in the State of Delaware and having a place of business at 2443 Ash Street, Palo Alto, California 94306 (“BitGo”) , and (2) Bullish (GI) Limited, duly organized in Gibraltar and having a place of business at Suite 23, Portland House, Glacis Road, Gibraltar (“Customer”).

1.	*Definitions*

“Account” means all digital asset wallets (the “Wallets”) established by Customer according to terms herein this Agreement.

“Advanced Wallet” means a [***].

“Applicable Law” means applicable federal, state and other laws, rules, regulations, regulatory guidance, regulatory requirements and any form of secondary legislation, resolution, policy guideline, concession or case law from time to time, including any changes to the foregoing.

“Authorized Person” means an employee or officer of the Customer who has been designated by the Customer to be an authorized party of Recipient to access and use the Account. Such persons will continue to be Authorized Persons of Recipient until such time as BitGo receives Instruction (defined herein) from the Customer that any such person is no longer an Authorized Person.

[***]

“BC/DR Plan” has the meaning given to it in Clause 8(a).

“BitGo Forks Policy” has the meaning given to it in Clause 14(a).

“BitGo Materials” has the meaning given to it in Clause 24(a).

“Business Day” means a day from Monday through Friday, except for holidays as observed by the Federal Reserve System.

“Change Request” has the meaning given to it in Clause 7(d)(i).

“Compliance Audit” has the meaning given to it in Clause 22(i).

“Confidential Information” has the meaning given to it in Clause 21(a).

Execution Version

“Critical Functions” means any activity related to management of keys, including storage, transactions signing and transport of keys used in connection with the Services.

“Customer Change” has the meaning given to it in Clause 7(d).

“Customer Data” means all data relating to the business of the Customer and its affiliates, including information relating to their clients, suppliers, staff, financials and operations, information concerning transactions processed by means of the Licensed Technology and the Services and information concerning financial holdings of the Customer and its clients.

“Customer Materials” has the meaning given to it in Clause 24(a).

“Customer Termination Event” has the meaning given to it in Clause 19(c).

“Disaster” means any incident, interruption, disruption, accident or catastrophe (whether of information processing and communication facilities, or caused by inaccessibility or unavailability of buildings or unavailability of resources or similar unavailability or failure issues) which restricts, prevents or hinders the ability of BitGo to perform the Services (and shall include Force Majeure Events).

“Disclosing Party” has the meaning given to it in Clause 21(b).

“Fees Agreement” means the agreement of that title between BitGo Trust Company, Inc. and Bullish Global to be entered on or around the date of this Agreement.

“Force Majeure Event” means an unforeseeable and insurmountable act or event affecting the performance by a party of its obligations under this Agreement, arising from events beyond its reasonable control, provided in all cases that the party whose performance is affected has taken all steps which could reasonably be expected to have been taken in order to prevent such act or event occurring or minimize the effects thereof, and includes strikes, lock-outs and labor disputes (but excluding strikes, lock-outs and labor disputes involving BitGo’ s staff), acts of God, war, acts of any military authority, riots, civil commotion, fires, floods, earthquakes, epidemics and pandemics, telecommunications outage, and storms.

“Initial Term” has the meaning given to it in Clause 2(a).

“Instruction” means an instruction that has been verified in accordance with BitGo’s security procedure in place when such Instruction is received, which BitGo believes in good faith to have been given by an Authorized Person.

“Launch Date” means the date on which the Customer commercially launches its crypto exchange business, being the date notified by the Customer to BitGo.

“Licensed Technology” means software described in Attachment C including new versions and releases of the same.

Execution Version

“Migration Event” has the meaning given to it in Clause 14(b).

aa.

“Platform” means the hardware, software and other products and services described in Attachment A and provided by BitGo to Customer under this Agreement.

bb.

[***]

cc.

“Receiving Party” has the meaning given to it in Clause 21(b).

dd.

“Regulator” means any regulatory authority in any jurisdiction with oversight or other regulatory functions over the Customer.

ee.

“Regulatory Change” has the meaning given to it in Clause 7(d).

ff.

“Renewal Term” has the meaning given to it in Clause 2(b).

gg.

“Replacement Supplier” has the meaning given to it in Attachment D.

hh.

“Self-Custodial Coins” means any digital assets held by Customer in an Advanced Wallet.

ii.

“Service Credits” means an amount calculated in accordance with Attachment B, if BitGo failed to meet the Service Levels.

jj.

“Service Levels” means the service levels applicable to the Services, as set out in Attachment B.

kk.

“Services” means the services to be performed by BitGo under this Agreement, as described in Attachment A.

ll.

“Term” means the term of this Agreement, including the Initial term and all Renewal Terms.

mm.

“Tokens” has the meaning given to it in Clause 14(b).

nn.

[***]

2.	*Commencement, Duration, Extensions*

(a)

This Agreement commences on the Effective Date and, unless terminated earlier in accordance with its terms or extended as provided for below, will expire on the first (1st) anniversary of the Effective Date (the “Initial Term”).

(b)

On the expiry of the Initial Term or any then-current Renewal Term, this Agreement shall be renewed on the same terms and conditions for a further period of one (1) year each (each, a “Renewal Term”), unless:

Execution Version

Customer has given written notice to BitGo, no less than ninety (90) calendar days prior to the expiry of the Initial Term or then-current Renewal Term, that it does not wish the Agreement to be renewed; or

ii.

BitGo has given written notice to Customer, no less than six (6) months prior to the expiry of the Initial Term or then-current Renewal Term, that it does not wish the Agreement to be renewed.

(c)

If Customer or BitGo has given written notice pursuant to Clause 2(b), the parties shall have the rights and obligations given to them in Clause 20.

3.	*[Not Used]*

4.	*Provision of the Services, Service Levels and Service Credits*

(a)

BitGo shall provide the Services to Customer from the Effective Date and for the duration of the Term.

(b)

BitGo shall ensure that the Services are performed, and all of its other obligations under this Agreement are carried out: (i) promptly and otherwise in accordance with any timetables or service standards set out under this Agreement; (ii) using the skill and care of a diligent, suitably qualified, well managed, trustworthy, experienced and leading professional provider of services similar to the Services; (iii) in accordance with best prevailing industry practices and standards applicable to the Services from time to time; and (iv) in accordance with all Applicable Laws from time to time.

(c)

BitGo will have in force all required policies and procedures to ensure that the Services are provided in accordance with the requirements of this Agreement, and shall ensure that all systems, platforms and other resources used by it to support or provide the Services are maintained in good working order, regularly inspected and kept up to date by amending or replacing such technology and/or systems to reflect the most recent developments that are consistent with best business practice and available market developments, including applying updates and patches provided by, and complying with any instructions issued by, third party technology providers. BitGo will ensure that its own technology and systems are kept up to date by amending or replacing such technology and systems to reflect the most recent developments that are consistent with best business practice and available market development and will (i) apply any relevant updates as soon as practicable and (ii) issue updates and/or workarounds to the Customer as soon as practicable following the identification of any weaknesses in BitGo’s technology or systems (including the Licensed Technology).

(d)

BitGo shall ensure that the Services meet or exceed all applicable Service Levels, with effect from the Effective Date and thereafter for the duration of the Term.

Execution Version

(e)

BitGo shall monitor its performance against the Service Levels [***]. Each report shall set out the actual Service Levels achieved compared against the expected Service Levels. At the Customer’s request, BitGo shall provide the Customer with access to the underlying data used by BitGo to assess its performance and compliance against the Service Level.

(f)

Where Service Levels are not met, Service Credits may arise, if provided for in Attachment B. Where Service Credits become payable, BitGo shall deduct them from the next invoice due under the Fees Agreement and clearly show the deduction as a separate line item.

(g)

Service Credits are not a sole remedy and shall be without prejudice to any other rights or remedies that the Customer may have. However, where both Service Credits and other damages are claimed by the Customer arising from the same Service failure, the Customer shall not be compensated more than once for the same breach.

(h)

BitGo is not granted any exclusivity in relation to the Services and the Customer may at any time request or contract other persons to provide services to it that are the same as or similar to the Services. Customer is not granted any exclusivity in relation to the Services and BitGo may at any time provide services that are the same as or similar to the Services to third parties.

(i)

BitGo is responsible for ensuring that all staff used by it in connection with the Services will (i) have all necessary skills and expertise for the tasks given to them; (ii) have been adequately trained in the provision of the Services; (iii) have and hold all authorisations, licences, permits, visas and/or consents of whatever nature required for proper and lawful performance of their duties; (iv) have been duly informed, to the extent relevant to their roles, of BitGo’s obligations under this Agreement; and (v) have had their identity confirmed in accordance with any Applicable Laws and have been properly screened.

(j)

As between the parties, all tokens, coins and other assets managed by means of the Services shall belong absolutely to the Customer (acting for itself and as agent or trustee for its clients, who may be the beneficial owner of those tokens, coins or assets). BitGo shall not hold itself out as owner of any such tokens, coins or assets and shall at the Customer’s request take all steps necessary to ensure ownership of those tokens, coins or assets vest in the Customer or its nominee(s).

5.	*Advance Wallet Services – Storage of Keys*

[***]

Execution Version

[***]

6.	*Service Failures and Remediation*

(a)

If a Service does not meet the requirements of this Agreement in any material respect (including where the Service Levels are not met), BitGo shall promptly notify the Customer and (without prejudice to the Customer’s other rights and remedies):

take all steps reasonably necessary to minimize the impact of the failure on the Customer’s business;

ii.

if it is possible to do so, repeat that part or those parts of the Services that gave rise to the failure;

iii.

investigate the failure (including, as applicable, performing a root cause analysis to identify the cause of such failure);

iv.

provide the Customer with a written report identifying the cause of the failure, the consequences of the failure and BitGo’s procedures for correcting the failure and ensuring that it will not be repeated;

as soon as practicable correct any fault or defect in the delivery platforms (including the Platform) or other resources used to provide the Services which gave rise to the failure; and

vi.

resume performance of the Services in accordance with the requirements of this Agreement as soon as practicable.

(b)

If the BitGo fails to provide the Services as required under this Agreement and that breach causes, or is likely to cause, the Customer to incur a material loss, liability, cost or business disruption, whether direct or indirect, the Customer may, by notice to BitGo at any time before the breach is remedied in full, require BitGo to engage in enhanced co-operation as described in Clause 6(c).

(c)

If the Customer gives notice requiring enhanced co-operation under Clause 6(b), BitGo shall, in addition to its other obligations under this Agreement:

remedy the breach as soon as possible, including devoting all reasonable resources to the resolution of the breach;

Execution Version

ii.

promptly provide the Customer with such information (in addition to any information required to be provided under the other provisions of this Agreement) as the Customer may reasonably request to enable the Customer fully to understand the nature and causes of the breach and the steps being taken and/or considered by BitGo to remedy the breach;

iii.

work with the Customer and use best efforts to agree, as soon as practicable, on a plan or set of plans for the resolution of the breach; and

iv.

report to the Customer in a timely manner on progress against that plan or those plans and reasonably consult with the Customer in relation to, and promptly keep the Customer informed of, changes to that plan or those plans from time to time.

(d)

Unless prohibited by Applicable Law, BitGo shall provide prompt notice to the Customer of any events, developments or circumstances (including any litigation, arbitration or disputes) which have or may have an adverse impact on BitGo’s ability to perform either the Services or any of its other obligations under this Agreement in any material way, and shall:

as appropriate, keep the Customer updated of the status of those events, developments or circumstances and their impact on BitGo’s ability to perform the Services or any of its other obligations under this Agreement in any material way; and

ii.

take such steps as the Customer may reasonably require to guard against any material adverse impact on BitGo’s ability to perform the Services or any of its other obligations under this Agreement.

(e)

Where BitGo needs to carry out maintenance in respect of the Services or any of the systems, platforms or other resources that support the Services, BitGo shall:

inform the Customer of any upcoming maintenance, including the window during which maintenance will be carried out and the impact that this will have on the Services;

ii.

[***] Customer with as much advance notice as is possible in the circumstances);

iii.

use commercially reasonable efforts to schedule maintenance windows at times that will cause the least amount of adverse impact to the Customer and its business;

iv.

keep maintenance windows as short as possible;

inform the Customer if maintenance will overrun the scheduled maintenance window; and

vi.

use commercially reasonable efforts to provide the Services on an uninterrupted basis, despite maintenance taking place.

Execution Version

7.	*Changes to the Services and Licensed Technology*

(a)

The Customer acknowledges that BitGo will continuously improve the Services and the Licensed Technology, and that these improvements may result in changes to the Services and/or the Licensed Technology. All such changes shall be made by BitGo at its own cost and expense, except as provided for herein or as agreed upon by the parties. BitGo acknowledges that changes to the Services or Licensed Technology may cause unintended consequences for the Customer or its business, or may adversely affect the interoperability of the systems used by both parties in connection with the provision and receipt of the Services. Accordingly, the parties agree as follows:

BitGo shall provide the Customer with reasonable advance notice of all planned changes to the Services and the Licensed Technology including roadmap and product enhancement briefings as part of quarterly business reviews. In the case of significant changes which are within BitGo’s reasonable control, [***];

ii.

BitGo shall not reduce or remove any material functionality within the Services or the Licensed Technology, unless replaced by different and improved functionality or unless the Customer otherwise agrees. Except to the extent (i) agreed upon by the Parties, (ii) necessary for material security purposes, or (iii) necessary to comply with Applicable Law, BitGo shall ensure that the Services and the Licensed Technology shall continue to support all cryptocurrencies and tokens supported by the Services and the Licensed Technology as at the Effective Date;

iii.

at the Customer’s request, BitGo will provide reasonable assistance to the Customer to enable the Customer to understand the impact (if any) that changes to the Services or the Licensed Technology may have on any systems, processes, interfaces or other resources used by the Customer, or the continued interoperability of the Customer’s systems with those operated by BitGo; and

iv.

if the Customer identifies any material concern with respect to a planned change, the parties shall cooperate to resolve the matter as quickly as practicable in the circumstances, provided that where BitGo, in the reasonable opinion of the Customer, [***].

(b)

Before making any changes Services or the Licensed Technology, BitGo shall first carry out sufficient testing in relation to the proposed changes to confirm that those changes will not have any adverse impact to the Services, the Licensed Technology or the Service Levels, or the Customer’s ability to continue to receive the Services and use the Licensed Technology, or any interoperability issues.

Execution Version

(c)

Where BitGo does not offer Services in relation to a specified cryptocurrency, digital currency and/or token, the Customer may request in writing that BitGo implements support for that cryptocurrency, digital currency and/or token. On receipt of such a request from the Customer, BitGo shall (acting reasonably) work with the Customer to determine whether it is possible for BitGo to build support for any such cryptocurrency, digital currency and/or token, provided that any such cryptocurrency, digital currency and/or token shall comply with BitGo’s Asset Vetting Policy and regulatory requirements. Where BitGo determines that it is possible to build such support, BitGo shall (acting reasonably) confirm the timeline for implementation. Any costs incurred in implementing such a request outside of BitGo’s planned implementation schedule are to be shared equally between the Customer and BitGo (or unless otherwise mutually agreed upon by the parties).

(d)

BitGo acknowledges that the Customer may, from time to time, request changes to be made to the Services or the Licensed Technology (a “Customer Change”), including where the Customer Change is required to enable the Customer to comply with Applicable Law or regulation (a “Regulatory Change”). If the Customer identifies a requirement for a Customer Change, the Customer may request BitGo make the appropriate change to the Services through the following process:

The Customer may submit a written request (a “Change Request”) that will include reasonable detail for BitGo to evaluate such request. The Change Request shall also identify if the Customer Change is a Regulatory Change or not.

ii.

[***]

iii.

If the Customer wishes to make any changes to BitGo’s proposal, the parties shall negotiate the same in good faith.

iv.

Once the parties have agreed the scope of the Customer Change, BitGo shall implement that change in accordance with the timetable agreed upon by the parties (and BitGo shall use commercially reasonable efforts to complete the Customer Change as soon as may be reasonably practicable).

The Customer shall bear the reasonable costs incurred by BitGo in making each Customer Change, however in the case of all Regulatory Changes, BitGo may charge the Customer only a pro rata amount of the cost of making such Regulatory Changes (in proportion to the benefit to the Customer compared to the benefit that BitGo’s other customers will receive), which BitGo will allocate in its reasonable discretion.

Execution Version

8.	*Business Continuity and Disaster Recovery*

(a)

BitGo shall at all times during the Term maintain business continuity and disaster recovery plans and procedures (the “BC/DR Plans”) to enable BitGo to continue to provide the Services in the event of a Disaster, or to recover the Services with the minimum amount of disruption, in the event that the adverse impact of a Disaster could not be avoided. The BC/DR Plans shall, at a minimum, address crisis management, business recovery, pandemic and IT disaster recovery.

(b)

BitGo shall:

test its BC/DR Plans [***] (and, upon request, shall share the outcome of each such test with the Customer in the form of a reasonably detailed written report and, at the Customer’s reasonable request and with sufficient notice, attend such meetings as the Customer may require to address any questions or concerns that the Customer may have in relation to such written report);

ii.

review its BC/DR Plans from time to time to take into account any new threats or improvements that may be required to ensure the BC/DR Plans meets the requirements of prevailing best industry practice;

iii.

update its BC/DR Plans to take into account any deficiencies or areas of improvement identified by a test of the BC/DR Plans, or by a review conducted of its BC/DR Plans;

iv.

provide a copy of its latest BC/DR Plans to the Customer at the Customer’s reasonable request. If requested by a governmental authority or Regulator, the Customer may provide BitGo’s BC/DR Plans to such governmental authority or Regulator;

implement the BC/DR Plans in the event of a Disaster; and

vi.

[***]

9.	*Systems and Information Security*

(a)

BitGo shall at all times during the Term comply with the security requirements set out in this Clause and in Attachment E in all material respects.

(b)

BitGo shall maintain and enforce, at each site from which the Services are provided, safety and physical and information security procedures that are in all material aspects at least equal to each of the following:

the standard required by Applicable Law for that site;

Execution Version

ii.

the specific information security requirements set out elsewhere in this Agreement; and

iii.

prevailing commercial industry standard for providers of services similar to the Services.

(c)

In particular, and in addition to any other specific and general security requirements, BitGo shall implement and regularly and thoroughly test arrangements which:

are sufficient to protect the integrity, security and (where applicable) anonymity of the Customer Data;

ii.

are sufficient to ensure that the Customer Data are not lost, destroyed, altered, corrupted, accessed, transferred, or disclosed in an unauthorized way;

iii.

constitute appropriate technical and organizational measures to protect the Customer Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access (in particular, but not only, where the processing of those data involves the transmission of data over a network) and against all other unlawful forms of processing; and

iv.

ensure that only authorized BitGo staff are able to access the Customer Data and only to the extent reasonably necessary for the performance by them of their duties in connection with this Agreement.

(d)

BitGo shall promptly notify the Customer of any breach of security concerning any of the Services (or the systems used by BitGo to provide the Services) or the Licensed Technology and affecting the Customer Data, and shall timely (without prejudice to any other rights of the Customer or any rights of BitGo to protect its interests or the interests of other third parties to which BitGo may have obligations not governed under this Agreement):

provide the Customer with details of the breach and report the potential effect of such breach on the Customer;

ii.

investigate and remedy the breach (to the extent that it is reasonably capable of remedy) and provide the Customer with regular updates during the investigative and remedial phase;

iii.

take reasonably appropriate measures to ensure that the breach does not occur again;

iv.

take such steps as the Customer may reasonably request to assist the Customer in responding to that breach; and

[***]

Execution Version

(e)

BitGo shall take reasonable steps to ensure that none of the systems or software provided or used by it in connection with this Agreement or the performance of its obligations thereunder contains any computer programme code, computer virus, computer worm, trojan horse, authorization key, license control utility or software lock, which may: (i) impair the operation of such systems or software or the Services or the Licensed Technology or any computer systems used by the Authorized Persons; or (ii) cause loss of, or corruption or damage to, any program or data held on such systems, software or other computer systems.

10.

Representations, Warranties and Covenants.

(a)

BitGo represents, warrants and covenants that:

it is duly organized and existing under the laws of Delaware, validly existing and in good standing under the laws of its jurisdiction of incorporation, has all corporate powers required to carry on its business as now conducted, and is duly qualified to do business and is in good standing in each jurisdiction where such qualification is necessary;

ii.

it has full power to execute and deliver this Agreement and to perform all the duties and obligations to be performed by it under this Agreement;

iii.

it has and will maintain all licenses, registrations, authorizations and approvals that it may require to operate its business and engage in the business relating to its provisions of the Services;

iv.

the execution, delivery and performance of this Agreement does not and will not violate any judgment, order, or decree and does not and will not constitute a material breach of BitGo’s existing obligations;

there is no material suit, cause of action, proceeding, application, claim or investigation, whether current, pending, threatened or in prospect against BitGo which might reasonably adversely affect BitGo’s ability to perform its obligations under this Agreement;

vi.

it shall, within a reasonable time frame, give notice of any change in ownership of BitGo, or any of its subcontractors performing a Critical Function or a significant or substantial part of the Services; and

vii.

BitGo has no ownership interest in any asset held in an Advanced Wallet or any Account.

(b)

Customer represents, warrants and covenants that:

it is duly organized and existing under the laws of Gibraltar, validly existing and in good standing under the laws of its jurisdiction of incorporation, has all corporate powers required to carry on its business as now conducted, and is duly qualified to do business and is in good standing in each jurisdiction where such qualification is necessary;

Execution Version

ii.

it has full power to execute and deliver this Agreement and to perform all the duties and obligations to be performed by it under this Agreement;

iii.

to the best of its knowledge after reasonable inquiry, it is not an entity that is, an entity owned in part or in whole or controlled by any person or entity that is, or conducting any activities on behalf of any person or entity that is (A) the subject of any sanctions administered or enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control, the U.S. Department of State, or any other Governmental Authority with jurisdiction over BitGo or Platform with respect to U.S. sanctions laws; (B) identified on the Denied Persons, Entity, or Unverified Lists of the U.S. Department of Commerce’s Bureau of Industry and Security; or (C) located, organized or resident in a country or territory that is, or whose government is, the subject of U.S. economic sanctions, including, without limitation, Cuba, Iran, North Korea, Sudan, or Syria; and

iv.

it will be properly authorized in respect of the coins stored in an Advanced Wallet as necessary for BitGo to perform its obligations under this Agreement.

(c)

Each party shall immediately notify the other party if, at any time after the date of this Agreement, any of the representations, warranties and covenants made by it under this Agreement fail to be true and correct as if made at and as of such time. Such notice shall describe in reasonable detail the representation, warranty or covenant affected, the circumstances giving rise to such failure and the steps the notifying party has taken or proposes to take to rectify such failure.

11.

[Not Used]

12.

Account Service

(a)

BitGo shall provide to Customer such information as is necessary for Authorized Persons to make deposits to the Account.

(b)

Without prejudice to the Service Levels, the Customer and Authorized Persons shall be able to access the Account via the Platform at substantially all times, in order to check information about the Account, add digital currency to the Account, and withdraw digital currency from the Account;

(c)

Customer shall not resell the Services or Licensed Technology. BitGo acknowledges that the Customer will use the Services and the Licensed Technology to be able to provide services to the Customer’s own clients and to support Customer interfacing with other cryptocurrency custodians and their solutions. Nothing in this Agreement shall operate to prevent the Customer from using the Services or Licensed Technology to provide services to its clients or to interface with other cryptocurrency custodians and their solutions.

Execution Version

13.

Use of Platform

Customer shall:

(a)

[***];

(b)

[***];

(c)

[***];

(d)

solely be responsible for security of the keys, login passwords, two-factor authentication tokens, and developer access tokens to Customer’s Account and Advanced Wallet, as well [***];

Execution Version

(e)

solely be responsible for ensuring that Authorized Persons are adequately informed and trained for securing the Account, including configuration of BitGo Services, general security principles regarding passwords and identifying material, and physical security of computers, keys, and personnel; and

(f)

use reasonable efforts to keep all machines, networks, computer equipment, and phones utilized directly or indirectly to access the BitGo Services free of malware and malicious code and in secure and protected locations.

14.

BitGo Fork, Airdrop Policy and Token Support

(a)

Customer agrees that all Airdrops and Forks will be handled by BitGo pursuant to its Custodial Fork Policy (the “BitGo Forks Policy”). Customer acknowledges that BitGo is under no obligation to support any Airdrops or Forks, or handle them in any manner, except as detailed in the BitGo Forks Policy. Customer further acknowledges that BitGo, at its sole discretion, may update the BitGo Forks Policy from time to time provided that the BitGo shall notify the Customer at least thirty (30) calendar days in advance of any such changes.

(b)

Customer further acknowledges and agrees that BitGo may, from time to time, offer support for select ERC20 tokens or other tokens, metacoins, colored coins, side chains, or coins which enhance or interoperate with coins supported by BitGo (collectively, “Tokens”). Until BitGo notifies Customer and the general public that BitGo supports a particular Token, Customer must not use its account, wallet, or any of the Services in any manner whatsoever for such Token. This means, in particular and without limitation, Customer should not attempt to receive, request, send, store, or engage in any other type of transaction involving any Token unless expressly supported by BitGo. Customer acknowledges that BitGo may, in its sole discretion, amend its list of supported Tokens from time to time provided that BitGo shall notify the Client at least thirty (30) calendar days in advance of any such changes; provided, that BitGo will not exclude Tokens previously supported by BitGo except for the situations described below in this paragraph; and subject always to Clause 7(a)(ii). Customer further acknowledges and agrees that, upon the occurrence of any event outside the control of BitGo resulting in the migration of any ERC20 token from Ethereum to another protocol, including but not limited to a “mainnet launch” (a “Migration Event”) BitGo may immediately cease any and all support for such ERC20 token, and that BitGo will be under no obligation to provide support for any Token related to or resulting from such a Migration Event. Where BitGo excludes a Token in accordance with this Clause 14(b), Customer will take all reasonable steps to allow Customer or Account Holder to make alternative custody arrangements for such token(s). BITGO WILL HAVE NO RESPONSIBILITY OR LIABILITY IF CUSTOMER LOSES, BURNS, OR OTHERWISE CANNOT ACCESS OR CONTROL ANY TOKEN THAT BITGO DOES NOT SUPPORT.

Execution Version

15.

Prohibited Activities

(a)

Customer agrees that the Platform will not knowingly be used by it to perform any type of illegal activity of any sort. Customer may not engage in any of the following activities via Platform, nor may Customer help a third party in any such activity:

attempt to gain unauthorized access to Platform or another user’s account;

ii.

make any attempt to bypass or circumvent any security features;

iii.

knowingly violate any law, statute, ordinance, or regulation;

iv.

reproduce, duplicate, copy, sell or resell Platform for any purpose except as authorized in this Agreement; or

engage in any activity that is abusive or interferes with or disrupts Platform.

(b)

Use of Platform in connection with any transaction involving illegal products or services is prohibited.

(c)

Subject to Clause 13(a), Customer shall remain fully responsible for any acts or omissions of its Authorized Persons and shall ensure that Authorized Persons comply with the terms of this Agreement, and BitGo shall bear no responsibility for any transactions in Account, or resultant losses or damages to Customer, caused by any acts or omissions of Authorized Persons.

16.

Certification to Compliance with Anti- Money Laundering Laws.

Each party represents to the other party that it (is in compliance with: (i) all applicable provisions of the Bank Secrecy Act; (ii) all applicable provisions of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law 107-56) (USA PATRIOT Act), as amended and all regulations issued pursuant to it; (iii) Executive Order No. 13224 on Terrorist Financing, effective September 24, 2001, and relating to Blocking Property and Prohibited Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism; (iv) the International Emergency Economic Power Act (50 U.S.C. 1701 et seq.), and any applicable implementing regulations; (v) the Trading with the Enemies Act (50 U.S.C. 50 et seq.), and any applicable implementing regulations; and (vi) all applicable legal requirements relating to anti-money laundering, anti-terrorism and economic sanctions in the jurisdictions in which it operates or does business. Neither party nor any of its respective directors, officers or affiliates is identified on the United States Treasury Department Office of Foreign Asset Controls (OFAC) list of Specially Designated Nationals and Blocked Persons (the SDN List) or otherwise the target of an economic sanctions program administered by OFAC, and neither party is affiliated in any way with, nor providing financial or material support to, any such persons or entities. Each party agrees that should it, or any of their respective directors, officers or affiliates be named at any time, during the term of this Agreement, on the SDN List, or any other similar list maintained by a governmental authority, it will inform the other party in writing immediately. For the purposes of this Clause 16, Customer includes all Authorized Persons.

Execution Version

17.

Verification; Transactions.

(a)

Customer and BitGo shall comply with any application security procedures mandated by BitGo with respect to the delivery or authentication of Instructions and shall ensure that any codes, passwords or similar devices are safeguarded in keeping with security best practices.

(b)

BitGo cannot and does not guarantee the value of digital currency. Furthermore, BitGo cannot cancel or reverse a transaction involving digital currency. Once a transaction request has been made via Platform, Customer will subsequently not be able to cancel or otherwise modify Customer’s transaction request. BitGo does not ensure that any transaction request Customer submits to a digital currency network via Platform will be completed. Customer acknowledges and agrees that the transaction requests Customer submits via Platform for completion on a digital currency network may not be completed, or may be substantially delayed, by the digital currency network and BitGo is not responsible for any delay or any failure of completion caused by the digital currency network. When Customer completes a transaction request via Platform, Customer authorizes BitGo to submit Customer’s transaction request to the digital currency network in accordance with the Instructions Customer provides via Platform.

18.

Fees and Expenses.

In consideration for providing the Services and licensing the Licensed Technology, the Customer shall pay to BitGo the fees as set out under the Fees Agreement. There shall be no additional fees or payments under this Agreement and BitGo acknowledges it will be fully compensated for the performance of its obligations under this Agreement pursuant to the Fees Agreement.

19.

Termination.

(a)

BitGo may immediately terminate this Agreement by written notice to the Customer, only in the following circumstances:

the Customer has failed to pay any fees and charges properly due to BitGo under the Fees Agreement and the total amount of the overdue and undisputed fees and charges exceeds two months’ worth of fees and charges due under the Fees Agreement, and BitGo has given the Customer written notice requiring payment, referencing the fact that BitGo intends to terminate if payment has not been made within thirty (30) days from the date of the Customer’s receipt of that notice, and the Customer has failed to pay those outstanding amounts within that thirty (30) day period; or

Execution Version

ii.

the Customer is in material breach of Clause 15 or Clause 24(c) and the Customer fails to remedy that breach within ninety (90) days after notice from BitGo requiring it to remedy that breach.

(b)

Acknowledging the reliance that the Customer places on the Services and the Licensed Technology, BitGo’s rights to immediately terminate this Agreement will be limited only to the rights set out in Clause 19(a). BitGo hereby irrevocably waives any right (other than the rights set out in Clause 19(a)) that it may have to immediately terminate this Agreement, and agrees that the foregoing is reasonable having regard to all relevant circumstances at the time of entering into this Agreement. The waiver by BitGo of its right to immediately terminate as set out above shall be without prejudice to any right that it may have to claim damages or exercise other rights and remedies that it may have under this Agreement, except for any right to terminate or rescind this Agreement. Without limitation, BitGo shall have no right to terminate for convenience.

(c)

The Customer may terminate this Agreement by written notice to BitGo in the following circumstances (each, a “Customer Termination Event”), which notice shall be provided by the Customer no later than three months following the date on which the Customer became aware that the Customer Termination Event has arisen:

BitGo is in breach of its obligations under this Agreement and (if the breach can be remedied) BitGo fails to remedy the breach within thirty (30) days after notice from the Customer requiring it to remedy the breach;

ii.

BitGo has committed repeated breaches of this Agreement which, in the aggregate amount to a material breach, and fails within thirty (30) days after receiving notice of such breaches, to cure such breaches and to correct the underlying systemic causes, of such breaches;

iii.

BitGo has suffered a significant deterioration in its financial standing compared to its financial standing as at the Effective Date;

iv.

BitGo: (a) files for bankruptcy; (b) becomes or is declared insolvent, or is the subject of any bona fide proceedings related to its liquidation, administration, provisional liquidation, insolvency or the appointment of a receiver or similar officer for it; (c) passes a resolution for its voluntary liquidation; (d) has a receiver or manager appointed over all or substantially all of its assets; (e) makes an assignment for the benefit of all or substantially all of its creditors; (f) enters into an agreement or arrangement for the composition, extension, or readjustment of substantially all of its obligations or any class of such obligations; or (g) is afforded protection from its creditors (including Chapter 11 proceedings in the United States);

Execution Version

BitGo has agreed to a transaction that results in a change of control, or a change of control of BitGo occurs, which for these purposes shall mean that a person directly or indirectly gains control of BitGo, either through ownership of the majority of the voting rights in BitGo or through otherwise attaining the ability (whether through voting rights, contractual means or otherwise) to direct the affairs of BitGo;

vi.

immediately in the event of a breach of Attachment E;

vii.

immediately if a Regulator requires the Customer to terminate this Agreement; and

viii.

if a Force Majeure Event prevents, hinders or delays the performance of the Services in a material respect for ten (10) consecutive days or more than twenty-one (21) days in any twelve (12) month period.

(d)

In addition, Customer may terminate this Agreement for convenience at any time on two (2) months’ prior written notice to BitGo.

20.

Consequences of Termination and Expiry.

(a)

The parties will have all the rights and obligations given to them in Attachment D, in relation to any actual or potential termination (in whole or in part) or expiry of this Agreement.

(b)

Notwithstanding anything to the contrary in this Agreement, this Agreement will not terminate on notice of termination or expire until the Services and all of BitGo’s obligations under this Agreement have been transferred fully to a replacement supplier nominated by the Customer, after which it shall terminate.

(c)

Expiry or termination of this Agreement does not affect a party’s accrued rights and obligations at the time of expiry or termination.

(d)

The provisions of Clauses 1 (Definitions), 18 (Fees and Expenses), 20 (Consequences of Termination and Expiry), 21 (Confidentiality), 25 (Marketing), 28 (Limitations of Liability), and 30 (Miscellaneous) (other than Clause 30(j) (Subcontractors)) will survive expiry or termination of this Agreement for any reason.

(e)

On termination or expiry of this Agreement:

BitGo shall immediately, to the extent applicable and upon Customer’s order, deliver or assist with the delivery to Customer of all Self-Custodial Coins held or controlled by BitGo as of the effective date of termination or expiry;

ii.

Customer shall pay to BitGo all Fees that have accrued to the date of such termination; and

iii.

the license granted to Customer to use the Licensed Technology and to use the Services shall terminate.

Execution Version

21.

Confidentiality.

(a)

“Confidential Information” shall mean information that is designated by the provider of that information as confidential, or is by its nature understood to be confidential (including, without limitation, any information relating to, or transactions involving, Self-Custodial Coins, trade secrets or other confidential commercial information, information obtained through any audit rights herein this agreement, information with respect to profit margins, product and brand costs and profit and loss information, price lists, unannounced prices, customer and supplier lists and other customer and supplier specific information, customer contracts, purchase orders, statements of work, proposals, new products plans and non-public technology information, strategic alliances, promotional plans and advertising plans).

(b)

A party (“Receiving Party”) who receives Confidential Information from the other party (“Disclosing Party”) shall keep that Confidential Information confidential and shall use the Confidential Information only for the purposes for which it has been made available by the Disclosing Party. Other than as provided herein, the Receiving Party shall prohibit distribution of Confidential Information to other persons. The Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any persons employed or engaged in its business other than those having a legitimate and genuine need-to-know for the fulfilment of the purpose for which it had been disclosed, and then only on the condition that such persons are made aware of the provisions of this Agreement, and that such persons are subject to obligations of confidentiality as part of their contracts of employment or engagement which are substantially similar to those specified in this Agreement. The Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any third party (other than its professional advisors who are bound by duty of confidentiality) without the Disclosing Party’s permission or unless required by law or court order (in which case the Receiving Party shall provide the Disclosing Party as much advance notice as may be practicable in the circumstances prior to such required disclosure).

(c)

Parties will preserve the confidential nature of Confidential Information that they receive pursuant to this Agreement. Parties shall not disclose any of the Confidential Information to any third party.

(d)

Parties reserve all rights to their Confidential Information not expressly granted herein.

(e)

Confidential Information shall not include information which (i) is in the public domain through no unauthorized act or omission on the part of the Receiving Party; (ii) was lawfully in the Receiving Party’s possession without any obligation of confidentiality; or (iii) is independently developed by the Receiving Party without access to the Confidential Information.

Execution Version

(f)

All documents containing Confidential Information furnished by or on behalf of any party to this Agreement that are required to be maintained in confidence as provided in this Agreement shall remain the property of the furnishing party, and all such documents and copies thereof shall be returned to the furnishing party upon request. In the event that this Agreement is terminated, Parties shall promptly return or destroy, at their option, to the extent permitted by law or regulation, all documents containing Confidential Information; provided that (i) each party’s legal department and/or outside counsel may keep one copy of the Confidential Information (in electronic or paper form) if required to comply with Applicable Law and (ii) Parties and their permitted representatives may retain Confidential Information to the extent it is “backed-up” on their electronic information management and communication systems or services, is not available to an end user and cannot be expunged without considerable effort; provided further that Parties agree to keep any Confidential Information so retained strictly confidential in accordance with the terms of this Agreement.

(g)

The obligations of confidentiality and non-use related to the Confidential Information received under this Agreement shall be binding and, in the event that this Agreement is terminated, continue in force.

22.

Audit Rights.

(a)

BitGo shall maintain, while the Services are provided and for seven years thereafter, complete and accurate records of: (a) the fees payable by the Customer under the Fees Agreement; and (b) reasonable records of the activities of BitGo in the provision of the Services; and (c) records of all transactions as part of the Services.

(b)

[***]

(c)

[***]

Execution Version

[***]

(d)

Under no circumstances shall BitGo object to a Regulator or independent firm of auditors being appointed by the Customer to conduct audits.

(e)

[***]

(f)

The Customer will use all reasonable efforts to minimise any disruption that the carrying out of its audit rights under this Clause may cause to BitGo.

(g)

[***]

(h)

If an audit reveals that BitGo has failed to comply with its obligations under this Agreement, BitGo shall promptly take all necessary and reasonable steps to correct that failure, without prejudice to the Customer’s other rights and remedies under this Agreement or Applicable Law.

(i)

BitGo shall, once per year, appoint an appropriately qualified, independent, professional services firm, to undertake on an annual basis, a SOC 1 Type II-review and SOC 2 Type II-review of BitGo in accordance with the International Standards for Assurance Engagements (ISAE) No. 3402, or the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (or any successor standard to the ISAE 3402 or SSAE 16) (“Compliance Audit”) in respect of

Execution Version

the Services, either in whole or in part. [***]

(j)

[***]

(k)

[***]

23.

Compliance

(a)

Each party shall, in performing its obligations under this Agreement, at all times do so in full compliance with all Applicable Laws to which it is subject, and obtain and keep current all necessary licences, approvals, permits, certifications and authorisations in each relevant jurisdiction in which it performs any activities under or in relation to this Agreement.

(b)

If BitGo is at any time required by any law enforcement agency or regulator with authority over BitGo to disclose any encryption or decryption keys used in connection with the Services or its other obligations under this Agreement, BitGo shall, before complying with that request and to the extent permitted by Applicable Law, discuss the request and options available with the Customer. BitGo shall not comply with such a request unless it is obliged to do so under Applicable Law.

(c)

BitGo shall:

make itself readily available for meetings with representatives or appointees of the Customer’s Regulators as reasonably requested;

ii.

produce to representatives or appointees of those Regulators documents, files, tapes, computer data or other material in its or their possession or control as reasonably requested;

Execution Version

iii.

permit representatives or appointees of those Regulators to copy documents or other material on its or their premises as reasonably requested; and

iv.

respond promptly to any reasonable request by or communication of any of those Regulators.

24.

Intellectual Property.

(a)

As between the parties hereto, BitGo shall retain all right, title, and interest (including all copyright, trademark, patent, trade secrets, and all other intellectual property rights) in Licensed Technology and in all software and systems used by BitGo to provide the Services (collectively, the “BitGo Materials”). As between the parties hereto, the Customer shall retain all right, title, and interest (including all copyright, trademark, patent, trade secrets, and all other intellectual property rights) in all data submitted by or processed for the Customer in connection with the Services or the Licensed Technology, as well as all materials provided by the Customer to BitGo in connection with the Services or this Agreement (collectively, the “Customer Materials”).

(b)

BitGo hereby grants to Customer a non-exclusive, non-transferable, worldwide, royalty-free license during the Term to use the Licensed Technology and the Services, as well as all BitGo Materials provided to the Customer as part of or in connection with the Services. The Customer hereby grants to BitGo a non-exclusive, non-transferable, worldwide, royalty-free license during the Term to use the Customer Materials solely as required by BitGo to provide the Services.

(c)

BitGo expressly reserves its rights to its trademarks, service marks, use of its logo, name, names and descriptions of its product and service offerings and any BitGo Materials. Except as set forth in Clause 24(b) above, nothing in this Agreement shall be construed to confer any licenses, permissions for use or title to Customer over any BitGo Materials. Customer may not display the BitGo Materials in connection with any marketing or promotional activities without the express written consent of BitGo, except that Customer may disclose its relationship with BitGo, the terms of this Agreement or other BitGo Materials to its shareholders or potential investors (including disclosure in investment presentations) and for the purpose of fulfilling its regulatory obligations, including disclosure to shareholders, regulators or any other governmental of fiscal authority (including in regulatory documents or public filings). Any use by Customer of BitGo Materials other than in accordance with terms of this Agreement and without BitGo’s express written consent shall constitute a material breach of this Agreement. BitGo reserves the right to seek all adequate remedies at law, including injunctive relief, to protect its sole and exclusive rights to BitGo Materials.

Execution Version

(d)

BitGo shall indemnify the Customer against all claims, losses and damages of whatever nature arising from or in respect of any claim that the provision or receipt of the Services or the Customer’s use of the Licensed Technology infringes the intellectual property of any third party anywhere in the world. The indemnity in this Clause does not apply to the extent that the claim was caused by the Customer’s use of the Services or Licensed Technology in breach of this Agreement. The Customer will provide BitGo with prompt notice of an indemnifiable claim (provided that the failure to provide prompt notice shall only relieve BitGo of its obligation to indemnify to the extent it is materially prejudiced by such failure). The Customer will not enter into any settlement or compromise of any such claim which would result in any liability to BitGo or constitute any admission of or stipulation to any guilt, fault or wrongdoing, without BitGo’s prior written consent. All content, materials or information relating to Client or its business belongs solely to Customer and may be used by BitGo solely for the purpose of performing its obligations under this Agreement in accordance with the confidentiality provisions of this Agreement.

25.

Marketing.

Neither party may make reference to the other or the other’s services or products in connection with any marketing or promotional efforts, without the express prior written permission of that other party. Notwithstanding the foregoing, the Customer may inform its clients and prospective clients that BitGo provides the Services and licenses the Licensed Technology to it.

26.

Taxation.

Customer shall be liable for all taxes with respect to any digital currency held by Customer or any transaction related thereto, other than taxes on income or corporation or similar taxes levied on BitGo.

27.

Excuse of Performance.

(a)

Notwithstanding anything to the contrary in this Agreement, BitGo shall not be responsible or liable to Customer for failure or inability to perform under this Agreement or for any loss of Self-Custodial Coins to the extent BitGo did not cause or contribute to such loss and such failure, inability or loss is attributable to:

activities BitGo has a good faith belief are reasonably necessary to comply with requirements under Applicable Law, including requirements under any applicable anti-money laundering laws and regulations, except with respect to activities that are not caused or contributed to by Customer’s actions or status;

ii.

the negligence of Customer or any Authorized Persons;

iii.

any material breach of this Agreement by Customer or any Authorized Persons;

Execution Version

iv.

Customer’s or any Authorized Person’s failure to protect the confidentiality or security of the Account login credentials or private keys associated with Self- Custodial Coins; or

an unauthorized party’s access to any computer or device used by Authorized Persons to access the Account.

28.

Limitations of Liability.

(a)

Neither party shall be liable to the other party (whether under contract, tort (including negligence) or otherwise) for any indirect, incidental, special or consequential losses suffered or incurred by the other party (whether or not any such losses were foreseeable or within the contemplation of the parties). The parties agree that the following types of losses are not excluded by the operation of this Clause:

fines, penalties or similar amounts imposed on the Customer by any Regulator, as well as increased compliance costs incurred by the Customer, as a result of a breach by BitGo of its obligations under this Agreement;

ii.

claims made by clients of the Customer who are supported by the Services, that arise as a result of a breach by BitGo of its obligations under this Agreement;

iii.

the cost of any “buy-in” or similar to place the Customer in the same financial position it would have been in, where the Platform does not operate correctly and causes the Customer to suffer an actual loss; and

iv.

the cost of restoring data that has become corrupted or lost as a result of a breach by BitGo or Customer of its obligations under this Agreement.

(b)

[***]

(c)

[***]

(d)

[***]

Execution Version

(e)

The limitations in Clauses 28(b) through (d) shall not apply to: (i) a party’s breach of its confidentiality obligations under this Agreement; (ii) the Customer’s duty to the pay the fees and charges under the Fees Agreement; or (iii) BitGo’s obligation to return all of the Customer’s assets (including all coins stored in Advanced Wallets) on the Customer’s request.

(f)

Nothing in this Agreement (including Clauses 28(a) through (d)) shall limit or exclude a party’s liability for: (i) its intentional breach of this Agreement, its gross negligence or its fraud or fraudulent misrepresentation; (ii) death or bodily injury arising as a result of the negligence of that party; (iii) liability under any indemnity given by that party in this Agreement; or (iv) any loss, liability or cost to the extent that it cannot be excluded or limited by Applicable Law.

(g)

BitGo shall maintain in force, for as long as it can be liable under or in connection with this Agreement, at its own cost and expense, from a reputable and substantial insurance company, adequate and sufficient insurance coverage for the type of business it is engaged in, in compliance with all Applicable Laws and in accordance with the standard expected for a provider of similar activities. This shall include the minimum levels of insurance, as follows:

[***]

29.

Force Majeure

(a)

Neither party shall be liable for any failures caused by a Force Majeure Event, provided that it:

uses all reasonable efforts to perform regardless of the advent of the Force Majeure Event; and

ii.

informs the other party as soon as may be practicable of the occurrence of a Force Majeure Event, its impact on its ability to perform its obligations under this Agreement and the likely duration of the disruption of the relevant obligations.

(b)

BitGo shall not under this Clause be excused from any failure to perform any of its obligations under this Agreement by reason of the occurrence or continuation of a Force Majeure Event, the consequences of which would have been avoided had it complied with its obligations under Clause 8.

Execution Version

30.

Miscellaneous.

(a)

Headings. The headings in this Agreement are for reference only and shall not affect the construction or interpretation of any of the provisions herein.

(b)

Counterparts. This Agreement may be signed in any number of counterparts, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument. This Agreement shall become effective when each party hereto shall have received a counterpart hereof signed by all of the other parties hereto. Until and unless each party has received a counterpart hereof signed by the other party hereto, this Agreement shall have no effect and no party shall have any right or obligation hereunder (whether by virtue of any other oral or written agreement or other communication). No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations or liabilities hereunder upon any Person other than the parties hereto and their respective successors and assigns.

(c)

Notices. All notices, requests and other communications to any party hereunder shall be in writing (including facsimile transmission and electronic mail (“e-mail”) transmission, so long as a receipt of such e-mail is requested and received) and shall be given,

if to Customer, to:

Bullish (GI) Limited

Attention Steve Ellis / Alex Erasmus

Suite 23, Portland House

Glacis Road

Gibraltar

if to BitGo, to:

Legal Department

BitGo, Inc.

2443 Ash Street

Palo Alto, CA 94306 USA

or such other address or facsimile number as such party may hereafter specify for the purpose by notice to the other parties hereto. Each of the foregoing addresses shall be effective unless and until notice of a new address is given by the applicable party to the other parties in writing. Notice will not be deemed to be given unless it has been received.

(d)

Relationship of the Parties. Nothing in this Agreement shall be deemed or is intended to be deemed, nor shall it cause, Customer and BitGo to be treated as partners, joint ventures, or otherwise as joint associates for profit.

Execution Version

(e)

Governing Law. This Agreement shall be governed by and construed in accordance with the law of the State of South Dakota, without regard to the conflicts of law rules of such State.

(f)

Dispute Resolution. THE PARTIES HERETO ACKNOWLEDGE AND AGREE THAT:

THEY ARE GIVING UP ANY RIGHT TO COMMENCE ANY SUIT, ACTION OR PROCEEDING AGAINST EACH OTHER IN COURT SEEKING TO ENFORCE ANY PROVISION OF, OR BASED ON ANY MATTER ARISING OUT OF OR IN CONNECTION WITH, THIS AGREEMENT, INCLUDING THE RIGHT TO A TRIAL BY JURY, EXCEPT AS PROVIDED BY THE RULES OF THE ARBITRATION FORUM IN WHICH A CLAIM IS FILED;

ARBITRATION AWARDS ARE GENERALLY FINAL AND BINDING, AND THAT A PARTY’S ABILITY TO HAVE A COURT REVERSE OR MODIFY AN ARBITRATION AWARD IS VERY LIMITED;

THE ABILITY OF THE PARTIES TO OBTAIN DOCUMENTS, WITNESS STATEMENTS AND OTHER DISCOVERY IS GENERALLY MORE LIMITED IN ARBITRATION THAN IN COURT PROCEEDINGS;

THE ARBITRATORS DO NOT HAVE TO EXPLAIN THE REASON(S) FOR THEIR AWARD UNLESS, IN AN ELIGIBLE CASE, A JOINT REQUEST FOR AN EXPLAIN DECISION HAS BEEN SUBMITTED BY ALL PARTIES TO THE PANEL AT LEAST TWENTY (20) DAYS PRIOR TO THE FIRST SCHEDULED HEARING DATE;

THE PANEL OF ARBITRATORS MAY INCLUDE A MINORITY OF ARBITRATORS WHO WERE OR ARE AFFILIATED WITH THE SECURITIES INDUSTRY;

THE RULES OF SOME ARBITRATION FORUMS MAY IMPOSE TIME LIMITS FOR BRINGING A CLAIM IN ARBITRATION, AND IN SOME CASES A CLAIM THAT IS INELIGIBLE FOR ARBITRATION MAY BE BROUGHT IN COURT; AND

THE RULES OF THE ARBITRATION FORUM IN WHICH THE CLAIM IS FILED, AND ANY AMENDMENTS THERETO, SHALL BE INCORPORATED INTO THIS AGREEMENT.

THE PARTIES FURTHER ACKNOWLEDGE AND AGREE THAT ALL CONTROVERSIES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE USE OF THE SERVICES, WHETHER ARISING PRIOR, OR, OR SUBSEQUENT TO THE DATE HEREOF, SHALL BE ARBITRATED. ANY ARBITRATION UNDER THIS AGREEMENT SHALL BE CONDUCTED PURSUANT TO THE AMERICAN ARBITRATION ASSOCIATION’S RULES FOR ARBITRATION OF COMMERCIAL RELATED DISPUTES (ACCESSIBLE AT

Execution Version

HTTPS://WWW.ADR.ORG/SITES/DEFAULT/FILES/COMMERCIAL%20RULES. PDF), AND THAT SUCH CONTROVERSIES ARE OTHERWISE SUBJECT TO THIS SECTION 30(F) OF THIS AGREEMENT. THE PARTIES AGREE THAT ARBITRATION FORUM SHALL BE LIMITED TO NEW YORK, NY, SAN FRANCISCO, CA, OR SIOUX FALLS, SD. THE PARTIES AGREE THAT THE AWARD OF THE ARBITRATORS, OR THE MAJORITY THEREOF, SHALL BE FINAL, AND JUDGMENT UPON THE AWARD RENDERED MAY BE ENTERED AND ENFORCED IN ANY COURT, STATE OR FEDERAL, HAVING JURISDICTION.

(g)

Claims. It is the intention of the parties that no third party shall have or assert any rights, claims or remedies against any party in respect of any action, omission, failure or neglect in the performance of any responsibilities referred to in this Agreement.

(h)

Amendments and Waivers.

Any provision of this Agreement may be amended or waived if, but only if, such amendment or waiver is in writing and is signed, in the case of an amendment, by each party to this Agreement, or in the case of a waiver, by the party against whom the waiver is to be effective.

ii.

No failure or delay by any party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privilege. The rights and remedies herein provided shall be cumulative and not exclusive of any rights or remedies provided by law.

(i)

Successors and Assigns. The provisions of this Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and assigns but the parties agree that no party can assign its rights and obligations under this Agreement without the prior written consent of the other parties, which consent shall not be unreasonably withheld or delayed.

(j)

Subcontractors. BitGo may subcontract and delegate its obligations under this Agreement to any person or persons, however BitGo may not subcontract or delegate any Critical Functions to any third party other than to: (i) its wholly-owned affiliates; (ii) third parties that have been approved by the Customer. Without prejudice to the rights and obligations of the parties under Attachment E, BitGo shall use reasonable endeavours to ensure that all its subcontractors and their personnel comply with this Agreement. BitGo: (a) is responsible and liable for the acts and omissions of its subcontractors as if they were acts or omissions of BitGo; and (b) shall remain solely liable to the Customer for the performance of BitGo’s obligations under this Agreement, notwithstanding any use of subcontractors.

Execution Version

(k)

Severability. If any term, provision, covenant or restriction of this Agreement is held by a court of competent jurisdiction or other authority to be invalid, void or unenforceable, the remainder of the terms, provisions, covenants and restrictions of this Agreement shall remain in full force and effect and shall in no way be affected, impaired or invalidated so long as the economic or legal substance of the services contemplated hereby is not affected in any manner materially adverse to any party. Upon such a determination, the parties shall negotiate in good faith to modify this Agreement so as to effect the original intent of the parties as closely as possible in an acceptable manner in order that the services contemplated hereby be consummated as originally contemplated to the fullest extent possible.

(l)

No Advice. Customer acknowledges that BitGo is not providing any legal, tax, or investment advice in providing the services under this Agreement.

[Remainder of Page Intentionally Left Blank]

[Signature Page to Follow]

Execution Version

IN WITNESS WHEREOF, the parties, by their duly authorized representatives, have executed this Agreement as of the Effective Date.


Customer:

By:		/s/ Russell Eldridge
Name:		Russell Eldridge
Title:		Director

BitGo:

By:		/s/ Mike Belshe
Name:		Mike Belshe
Title:		CEO

Execution Version

ATTACHMENT A - The Services

1. General

BitGo employs a multi-signature architecture for all of its wallets. [***]

[***] BitGo shall notify Customer electronically of such receipt of digital currency and of such credit to the Account.

2. The Services

The following table provides an overview of the Services. Each Service is described in more detail in the relevant paragraph below.

[***]

Execution Version

[***]

a. Hot Wallet Solution Service

BitGo’s hot wallet solution is a hierarchical deterministic multi-sig wallet solution. [***]:

•

[***]

•

[***]

•

[***]

b. Advanced Wallet Services

The Advanced Wallet Services are the provision of a software license which allows the Customer to upload previously generated public key pairs to the Platform, [***] Advanced Wallet Creation may be used to create hot or cold wallet solutions depending on how the Customer chooses to store keys.

Execution Version

c. BitGo API Services

[***]

d. Web Admin Console Services

The Web Admin Console Services concerns the provision of the Web Admin Console, which is a web based interface allowing the Customer’s administrators to manage wallets, users and policies.

3. Components

[***]

Execution Version

[***]

e. BitGoJS Services

[***]

f. Offline Vault Console (OVC) Services

[***]

•

[***]

•

[***]

•

[***]

g. Wallet Recovery Wizard Services

[***]

Execution Version

[***]

4. BitGo Responsibilities.

[***]

5. The Services between Effective Date and the Launch Date

In addition, between the Effective Date and the Launch Date, the Services shall include the following (at no additional cost or charge to the Customer):

The provision of reasonable assistance requested by the Customer from BitGo from time to time to ensure that the Customer’s exchange business is operational by the target Launch Date;

The assignment of a dedicated technical relationship manager by BitGo that can provide prompt and dedicated support to the Customer upon reasonable request; and

Implementing enhancements and fixes as reasonably requested by the Customer which the Customer may inform BitGo of from time to time.

Execution Version

ATTACHMENT B - Service Levels and Service Credits

In the event that BitGo does not achieve the Monthly Uptime Percentage in any monthly billing period, BitGo shall credit the Customer with the applicable Service Credit (as determined by the table set out below).

The “Monthly Uptime Percentage” is calculated by subtracting from one hundred per cent (100%) the percentage of minutes during the monthly billing cycle in which the Platform was unavailable, disrupted, down, failing, malfunctioning, suspended or otherwise degraded (“unavailable”) (as against the total number of minutes during the monthly billing cycle), provided that any unavailability caused by any of the Excluded Events shall be excluded from the calculation. For the purposes of this definition, “unavailable” includes any instance in which the Customer’s systems make a request, within the agreed per-second, per-minute, per-hour request limits, and BitGo’s systems do not respond to such request.

The Service Credit shall be: (i) paid in dollar credits; (ii) credited by BitGo to the relevant eligible account; and (iii) calculated by dividing the total fees for the applicable month by the number of calendar days in the applicable month (and then multiplying the relevant figure by the relevant number of days, given the applicable Level).

[***]

BitGo will issue the Service Credit to the Customer within one billing cycle following the month in which the Monthly Uptime Percentage failure occurred.

BitGo will apply any Service Credits only against future payments for BitGo Platform API otherwise due from the Customer. At its discretion, BitGo may issue the Service Credit to the bank account the Customer used to pay for the billing cycle in which the unavailability occurred. Service Credits will not entitle the Customer to any refund or other payment from BitGo. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly billing cycle is greater than one dollar ($1 USD). Service Credits may not be transferred or applied to any other account.

Execution Version

Exclusions

To the extent any unavailability is caused by any of the following events (each, an “Excluded Event” and together, the “Excluded Events”), such unavailability shall be excluded by the Parties when calculating the Monthly Uptime Percentage:

(a)

unavailability caused by the Customer’s equipment, software or other technology, or any modification to the Platform by the Customer, in each case to the extent not approved by BitGo;

(b)

unavailability caused by penetration testing or performance testing performed by or on behalf of the Customer (except where such penetration testing or performance testing is carried out by or under the direction of BitGo);

(c)

unavailability caused by a failure by the Customer to respond to, within a reasonable period of time, any reasonable source identification or resolution instructions from BitGo;

(d)

unavailability due to a Force Majeure Event; and

(e)

unavailability caused by a breach of this Agreement by the Customer.

Execution Version

ATTACHMENT C – Licensed Technology

BitGoJS

2.	Offline Vault Console (OVC)

3.	Wallet Recovery Wizard

BitGo API

5.	Web Admin Console

Execution Version

ATTACHMENT D – Exit Management

1.	*Transitional Co-Operation And Assistance*

(a)

BitGo shall, from the moment of notice of termination pursuant to Clause 19 or notice of non-renewal pursuant to Clause 2 (“Start of the Exit Phase”) and then for such period as the Customer reasonably requests, up to twenty-four (24) months (“Exit Period”), provide all reasonable cooperation and assistance that the Customer may require to transfer responsibility for the Services to a replacement supplier appointed by the Customer (“Replacement Supplier”).

(b)

The co-operation and assistance referred to above shall include the following:

delivery to the Customer or a Replacement Supplier, by such means, at such time(s) and place(s), and in such format, as the Customer reasonably requests in writing and as related to the Services, of all Customer Data and other documents, data and other information related to the Customer or its operations held by BitGo; and

ii.

reasonable information relating to the terminated Services as the Customer or a Replacement Supplier reasonably requests to facilitate an orderly migration from the provision of the Services to the provision of services by the Replacement Suppliers, provided that BitGo is not required to share any proprietary information with any Replacement Supplier that is a competitor.

2.	*Knowledge Transfer*

(a)

BitGo will support the transfer of knowledge related to the terminated Services, the way in which they are provided and related topics to facilitate the transfer of responsibility to the Replacement Supplier, and to support the Replacement Supplier’s ability to assume responsibility for the terminated Services. This will include:

participating in workshops, meetings, and “hands-on” activities where requested by the Customer;

ii.

providing the Customer and the Replacement Supplier with information about the terminated Services that are necessary to implement exit management, provided that BitGo is not required to share proprietary information with any Replacement Supplier that is a competitor; and

iii.

explaining any relevant standards and procedures to personnel of the Customer and/or the Replacement Supplier.

Execution Version

(b)

The Customer will ensure any Replacement Supplier will cooperate with BitGo in BitGo’s performance of the above responsibilities.

Execution

(a)

BitGo shall, during the Exit Period, ensure that the terminated Services continue to be performed in accordance with the requirements of this Agreement, and that the Services are not affected as a result of exit-related activities.

(b)

At the Customer’s request, the parties shall document BitGo’s responsibilities in relation to exit in an Exit Plan.

Execution Version

ATTACHMENT E – Security

1.1	For the purposes of this Security Schedule and unless the context provides otherwise, capitalized terms used shall have the ascribed meanings below:

“Access” means with respect to BitGo Personnel, actual access to any Customer premises, systems, Customer Data or other information, property or assets of Customer or its Affiliates, whether by physical presence or by any electronic means;

“Applicable Laws” means all applicable laws, regulations, statutes, codes of practice, governmental orders or guidance or orders of any other competent regulatory authority including the GDPR, the UK Data Protection Act 2018, the Gibraltar Data Protection Act 2004 the Applicable US Laws and other relevant data protection regulations;

“Applicable US Laws” means all applicable laws, regulations, statutes, codes of practice, governmental orders or guidance or orders of any competent regulatory authority of the United States or any state, territory or subdivision thereof, including (i) the GLBA; and (ii) state laws regarding protection of data, data breach notification or maintenance of cybersecurity programs and policies, including the New York Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. part 500;

“Customer Confidential Information” means the Confidential Information belonging to Customer or its Affiliates;

“Client Data” means all Customer Confidential Information and all other data, records, files, content or information, in any form or format accessed, collected, received, stored or maintained by BitGo or any of its Affiliates from or on behalf of Customer or any of its Affiliates, or otherwise in connection with the Agreement and the provision of the BitGo’s Services, or the parties’ performance of or exercise of rights under or in connection with the Agreement and derived from the foregoing, even if anonymized;

“Data Protection Laws” means all applicable data protection or privacy laws, rules and regulations in force in any jurisdiction under or in connection with this Agreement, including, without limitation (i) the General Data Protection Regulation 2016/679 (“GDPR”), (ii) the GLBA; and (iii) the Gibraltar Data Protection Act 2004. “Data Protection Authority” shall mean any regulatory or supervisory authority having enforcement powers pursuant to the Data Protection Laws;

“GLBA” means the US Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (Nov. 12, 1999), as amended, and its implementing regulations, including Regulation P, 12 C.F.R. part 1016, and 16 C.F.R. part 314;

“Multi-Factor Authentication” means authentication through verification of at least two of the following types of authentication factors: (i) knowledge factors, such as a password; (ii) possession factors, such as a token or text message on a mobile phone; and (iii) inherence factors, such as a biometric characteristic;

Execution Version

“Permitted Sub-Contractor” means any subcontractor (including an Affiliate of BitGo) to whom BitGo is permitted to subcontract any part of the BitGo’s Services in accordance with clause 30(j) of the Agreement;

“Security Incident” shall mean any actual, suspected or threatened incident of accidental, unauthorized or unlawful access to, acquisition, processing, use or disclosure of or any theft, loss of or damage to or alteration or destruction of Client Data or other information belonging to any other person in connection with the Agreement;

“BitGo Group” means BitGo together with its Affiliates;

“BitGo Personnel” means all officers, employees, staff, other workers, agents, contractors and consultants of BitGo or any Permitted Sub-Contractor who are engaged in the provision of the BitGo’s Services from time to time.

1.2	The terms “controller”, “processor”, “personal data”, “process”, and “processing” have the meanings given to them in the Data Protection Laws (with references to “personal data” in the context of the GLBA being to “non-public personal information”, as defined in the GLBA);

2.	PERMITTED PURPOSE & GENERAL SECURITY OBLIGATIONS

2.1

BitGo has implemented and shall maintain a written information security program that includes policies and procedures that contain administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of Client Data and shall otherwise comply in all respects with the Customer’s information security requirements set forth in this Schedule (the “Security Schedule”). Such safeguards shall be reasonably designed to (i) ensure the security and confidentiality of Client Data; (ii) protect against any anticipated threats or hazards to the security or integrity of Client Data; and (iii) protect against unauthorized access to or use of Client Data that could result in substantial harm to any person. Except as expressly authorized under the Agreement, BitGo shall only Access, collect, use, store, and transmit Client Data as permitted under Applicable Law for the purpose of providing the BitGo’s Services (“Permitted Purpose”).

2.2

At all times, BitGo shall, and shall cause BitGo Personnel to, perform the BitGo’s Services and operate and maintain the BitGo’s service delivery facilities and systems with the highest level of care, skill and diligence in each case in accordance with the highest of the following: (i) industry best practices; (ii) all Applicable Laws; (iii) the terms of the Agreement including the security requirements set out or referred to in this Schedule; and (iv) (a) applicable security standards such as the Federal Financial Institutions Examination Council) (“FFIEC”) security standards or any other applicable security standards (b) the controls set forth in the applicable Statement on Standards for Attestation Engagements (SSAE) No. 18 audit reports for Reporting on Controls at a Service Organization, (c) at the date of execution of this Agreement, the controls set forth in a SOC 2 Type 1 report and (d) within 12 months from the date of this Agreement and while the Agreement remains in force thereafter, the controls set forth in a SOC 2 Type II audit report (together the “Security Standards”).

Execution Version

3.	SECURITY REVIEW PROCESS

Upon the Customer’s request, to confirm BitGo’s compliance with the Agreement and Security Standards, BitGo shall timely and accurately complete a written information security questionnaire provided by the Customer, or a third party on the Customer’s behalf, regarding BitGo’s business practices and information technology environment in relation to the BitGo’s Services being provided by BitGo pursuant to the Agreement and BitGo shall fully cooperate with such inquiries. To the extent that such inquiries require BitGo to devote a substantial amount of human resources that would materially impact BitGo’s operations, Customer shall pay BitGo the reasonably incurred expenses required for fully cooperating with such inquiries. BitGo shall provide evidence of an industry standard review process satisfactory to the Customer (such as the SFG Shared Assessment SIG, Cloud Security Alliance CAIQ, SSAE 18 SOC).

4.	SYSTEM, INFRASTRUCTURE & PHYSICAL SECURITY

4.1	BitGo shall provide and shall procure that any Permitted Sub-Contractors shall provide a secure environment implementing security measures meeting or exceeding the Security Standards.

4.2

BitGo and any Permitted Sub-Contractor must ensure and demonstrate that, where required by the Customer (acting reasonably), the Client Data can be separated and extracted from data belonging to other customers of BitGo (or the Permitted Subcontractor, as the case may be). BitGo shall encrypt all stored and transmitted material Client Data.

5.	ACCESS CONTROLS; AUTHENTICATION & ENCRYPTION

5.1

BitGo shall restrict Access to only BitGo Personnel with a “need-to-know” for a Permitted Purpose and shall not, and shall ensure that the BitGo Personnel do not, Access, use, modify, copy, delete, distribute, publish, communicate, restore or store Client Data in BitGo’s possession or control (or in possession of any BitGo Group member or any BitGo Personnel), or attempt to do or allow any entity or individual to do any of the foregoing, except as authorized. BitGo will regularly review (at least once every quarter) the list of BitGo Personnel with Access and remove accounts for which Access is no longer necessary.

5.2	BitGo shall prohibit and reasonably prevent any person who does not have the specific authorization by Customer from carrying out any of the acts specified in paragraph 5.1.

5.3

[***]

Execution Version

5.4

BitGo shall implement such controls, including encryption, as the Customer may suggest from time to time in order to protect Client Data held or transmitted by BitGo both in transit over external networks and at rest, provided that BitGo shall have no obligation to implement such controls where it can demonstrate the controls suggested by the Client are disproportionate or otherwise not reasonable in the circumstances.

6.	BITGO PERSONNEL; SECURITY AWARENESS TRAINING

6.1	BitGo Personnel shall be qualified to perform their duties and to oversee BitGo’s compliance with the Security Standards and other obligations set forth in this Security Schedule.

6.2	BitGo shall have designated a qualified individual responsible for overseeing and implementing its information security program and enforcing its policies and procedures thereunder.

6.3

BitGo shall ensure that all BitGo Personnel receive up to date security awareness training appropriate to their job function and that annual security awareness training is performed requiring BitGo Personnel to acknowledge that they have read and understood BitGo’s security standards and procedures.

7.	REQUIRED BACKGROUND CHECKS

7.1	BitGo shall ensure that all BitGo Personnel, who are employed or otherwise engaged as at the date of this Agreement or following the date of this Agreement, have passed appropriate background verification checks, [***].

7.2

[***]

7.3	BitGo shall ensure, in respect of any Permitted Sub-Contractor personnel, it has obtained certification from the Permitted Sub-Contractor that, for each such personnel who will have Access, either:

(a)

where the Permitted Sub-Contractor is engaged at the date of this Agreement or following the date of this Agreement, the Background Verification Checks have been satisfactorily completed; or

(b)

[***]

Execution Version

[***]

8.	EXCHANGE OF INFORMATION

8.1	BitGo shall have policies, procedures and controls in place to protect Client Data and information exchanged through any communication channel controlled or used by BitGo to ensure compliance with the Security Standards.

8.2	BitGo shall exchange Client Data and information securely using an industry grade encryption cipher, or such other encryption as is required by BitGo to comply, or enable Customer to comply, with the Security Standards.

8.3	Without prejudice to paragraph 8.2, BitGo shall ensure that all electronic messaging systems enforce adequate safeguards to protect emails in transit and storage. Cryptographic solutions must be in place to guarantee the confidentiality and integrity of data sent by email.

8.4

For the avoidance of doubt, any communication channel proposed or utilized by the Customer for the exchange of information with the BitGo will be deemed to meet the requirements under this Section in particular and this Agreement in general, actual policies, procedures or control in place notwithstanding.

9.	RISK ASSESSMENT; TESTING

9.1

[***]

Execution Version

[***]

9.2

[***]

9.3

[***]

9.4

[***]

9.5

[***]

9.6

BitGo shall have systems and procedures in place to ensure that the Customer, or a third party on behalf of the Customer, can conduct continuous external monitoring (to the extent reasonable) of BitGo’s performance of its obligations under this Security Schedule. For the avoidance of doubt, Customer shall not be given access to internal systems or logs for the purpose of carrying out the monitoring set forth in this Section 9.6. To the extent that the Customer identifies any potential breach by BitGo of its obligations under this Security Schedule, BitGo shall (without prejudice to the other rights of the Customer under this Security Schedule and the Agreement) immediately address such breach to the reasonable satisfaction of the Customer.

10.	MEDIA STORAGE & INFORMATION BACK-UP

10.1

Client Data may not be stored on portable devices including laptops, Personal Digital Assistants, smartphones, MP3 devices, and USB devices unless the portable device is encrypted and secured from unauthorized access. Client Data, if stored in non-electronic formats, must be stored in locked cabinets with appropriate physical security access controls.

10.2	BitGo shall regularly and securely back-up Client Data in accordance with a defined back-up policy and shall store all back-ups of Client Data and information in a secure offsite location with suitable environmental controls including fire and flood protection .

Execution Version

11.	MONITORING

11.1

BitGo shall have procedures in place for monitoring the processing of Client Data and information at BitGo’s service delivery facilities and systems and shall report all suspicious activity affecting the Client’s Data to the Customer promptly including through the use of automated reporting processes, as set forth in the Security Standards.

11.2

Without prejudice to the generality of paragraph 11.1, BitGo shall implement detection, prevention, and recovery controls to protect against malicious software, which is no less than current industry best practice and perform appropriate BitGo Personnel training on the prevention and detection of malicious software.

12.	SECURITY INCIDENTS

12.1	BitGo shall have documented procedures in place for the management of a Security Incident. [***]

12.2	BitGo’s notice in accordance with paragraph 12.1 shall be given to the Customer by [***].

12.3

BitGo shall remain solely liable to the Customer for any and all losses, damages, costs, fines, or other monetary sanctions or expenses and other liabilities (including reasonable legal fees) incurred by, or awarded against, or agreed to be paid by the Customer arising out of, or in relation to, a Security Incident.

13.

AUDIT

13.1

On at least an annual basis, BitGo shall conduct reviews of the information technology and information security controls for all facilities and systems used in complying with its obligations under the Agreement, including obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry standards. Upon Customer’s written request, BitGo shall make available to Customer for review all of the following, as applicable: Service Organization Controls (SOC) Type 1 or 2 audit reports, and any other reports relating to either (as applicable) (i) its FFIEC certification or (ii) its certification which is equal to FFIEC. BitGo will timely address any exceptions noted on the SOC reports, or other audit reports, with the development and implementation of a corrective action plan by BitGo’s management.

Execution Version

13.2

[***]

14.	RETENTION & DISPOSAL

14.1

BitGo shall retain Client Data only for the purpose of, and only as long as is necessary for, the Permitted Purpose. BitGo shall promptly (but within no more than five (5) business days after the Customer’s request) return to the Customer and permanently and securely delete all Client Data upon and in accordance with the Customer’s notice requiring return and/or deletion of Client Data.

14.2	Client Data contained in BitGo’s archival back-up storage shall be explicitly excluded from the obligation under paragraph 14.1. Client Data will be encrypted where the system hosting or storing the encrypted file(s) does not have access to a copy of the key(s) used for encryption.

15.	SUBCONTRACTING

[***]

16.	PERSONAL DATA

16.1	BitGo shall at all times process any personal data in accordance with the applicable Data Protection Laws.

16.2

In the event that either BitGo or the Customer becomes aware that BitGo is processing any personal data on behalf of the Customer that is subject to the European Data Protection Laws, such as the General Data Protection Regulation, such Party will immediately notify the other Party in accordance with the provisions of the Agreement. The parties agree that BitGo is a data processor and Customer is a data controller in relation to the processing of such personal data and the parties will enter into any agreements as may be required in order to comply with such laws including, but not limited a data processing agreement (a “Data Processing Agreement” or “DPA”) and shall implement safeguards that are required under the Data Protection Laws).