SOFTWARE AND SERVICES AGREEMENT
between Andesa Services, Inc. and Delaware Life Insurance Company
TABLE OF CONTENTS
1. DEFINITIONS
2. USE OF ANDESA SYSTEM
3. OWNERSHIP
4. RESTRICTIONS ON USE OF ANDESA SYSTEM
5. PERSONNEL
6. OUTSOURCE SUBCONTRACTORS
7. REPRESENTATIONS AND WARRANTIES
8. CONFIDENTIAL INFORMATION
9. AUDIT
11. INDEMNITY
12. INSURANCE
13. TERM AND TERMINATION
14. SOFTWARE ESCROW
15. DISPUTE RESOLUTION
16. GENERAL
EXHIBIT A
EXHIBIT B
EXHIBIT C
EXHIBIT D
EXHIBIT E
SOFTWARE AND SERVICES AGREEMENT
This SOFTWARE AND SERVICES AGREEMENT (“Agreement”) effective as of the 1st day of January, 2015 (the “Effective Date”) by and between ANDESA SERVICES, INC. (“Andesa”), a Pennsylvania corporation and DELAWARE LIFE INSURANCE COMPANY (“Client”), a Delaware insurance company.
WITNESSETH
WHEREAS, Client sells a variety of insurance and other financial products and services; and
WHEREAS, Andesa provides certain services related to the sales, issuance, management and administration of insurance and other financial products and is also the developer, owner and provider of certain software applications, programs, processes, methods and tools which allow Andesa to provide clients with outsourced business processes on a “software as a service” basis; and
WHEREAS, Andesa and Client desire that Andesa provide Client with access to such services, applications, process, methods and tools of Andesa on the terms hereof;
NOW, THEREFORE, in consideration of the promises, mutual covenants and agreements set forth herein, Andesa and Client do hereby contract and agree as follows:
1. DEFINITIONS
The terms listed below have the following meanings:
1.1 “Access Credentials” means a user ID, password, challenge word or phrase, biometric attribute or other unique identifier used by the Andesa System to determine a specific person’s identity and to determine what parts of the Andesa System he or she is authorized to access.
1.2 “Affiliate” means any company which (i) controls, (ii) is controlled by, or (iii) is under common control with another person or entity at any time during the Term. A person or entity shall be deemed to control another if the first person or entity has the power to direct or cause the direction of management or policies of the other, whether through the ownership of voting securities by contract, or otherwise.
1.3 “Agreement” collectively means this Software and Services Agreement and the Exhibits appended hereto (all of which are incorporated herein by this reference) as the same may be modified, amended or supplemented from time to time.
1.4 “Aggregated Data” means aggregated or statistical information derived from Personal Information, Client Records or from any other source, which has been purged of information which would specifically identify any individual person.
1.5 “Andesa IP” means, collectively, the Andesa System, all Confidential Information of Andesa, and all other intellectual property, trade secrets and other confidential and proprietary information and rights of Andesa, whether or not patentable, including but not limited to the trademarks, trade names, copyrights, software, any technical design documents concerning the internal operation of the Andesa System, user manuals or Documentation, methodology of using or accessing the Andesa System, help screens, help interfaces, computer screen shots, user interfaces, input screens and methods of data entry, tables, statistical methodologies, reports, Aggregated Data generated by Andesa, Source Code and architecture of the Andesa System, information concerning data or systems flow (such as flow charts and process flows) and other information about the internal design of the Andesa System, any information that could be obtained by reverse engineering, all business methods, and any and all papers and documents, in whatever form, whether developed before the Effective Date or developed by Andesa in the course of performing hereunder, but excluding Client Proprietary Materials.
1.6 “Andesa System” collectively means the software applications, programs, processes, methods and tools provided by Andesa as defined by Exhibit A appended to this Agreement. The Andesa System shall also include Custom Enhancements and Releases provided by Andesa to Client and any New Features contracted by Client.
1.7 “Applicable Laws” means all Federal and State laws, regulations and rules of any governmental body applicable to Andesa or Client, as the case may be, and its business and operations, including GLB, as such laws and regulations may be amended from time to time.
1.8 “Authorized User” means any person or entity (including Client’s brokers and sales agents) who wishes to process the business of Client (or Client’s Affiliates), to whom Client grants access to the Andesa System and to whom Access Credentials have been assigned in accordance with the terms set forth herein.
1.9 “Business Days” means any day other than a Saturday, Sunday, a day on which banking institutions in the City of New York are permitted or required by Applicable Law to be closed, or a day on which the New York Stock Exchange is closed for trading, and the term “day” alone means a calendar day.
1.10 “Claims and Liabilities” means all claims, demands, actions, causes of actions, losses, damages, costs, expenses, judgments and other liabilities, including reasonable attorneys’ fees and court costs, taxes, fines, penalties, interest or other awards.
1.11 “Client Records” is defined as all data and records provided by or developed for and maintained on behalf of Client as a result of any of the Service Options.
1.12 “Confidential Information” means all information and documentation of a Party that:
(a) has been marked “confidential” or with words of similar meaning, at the time of disclosure by such Party;
(b) if disclosed orally or not marked “confidential” or with words of similar meaning, was subsequently summarized in writing by the disclosing entity and marked “confidential” or with words of similar meaning;
(c) whether marked “confidential” or not, consists of a Party’s information and documentation regarding the following: (i) business plans (strategic and tactical) and operations (including performance); (ii) administrative, financial, or marketing activities; (iii) pricing; (iv) supplier and/or contractor lists; (v) products and/or services offerings (including specifications and designs); or, (vi) technology, including designs, processes, procedures, formulas, inventions, know-how or improvements, trade secrets, ideas, concepts, data, documents, reports, methods, techniques, drawings, flow charts, code, apparatus, statistics, programs, research, development, information technology, network designs, databases, computer software programs, passwords, and usage data; or
(d) consists of Policyholder information including any Personal Information of the Policyholders, employees, or agents of Client; and
(e) any Confidential Information derived from information disclosed by a Party.
The Andesa System and all Andesa IP shall constitute Andesa’s Confidential Information. Personal Information disclosed by one Party to the other shall constitute Confidential Information of the disclosing Party.
The term Confidential Information does not include any information or documentation other than Personal Information that was: (1) already in the possession of the Recipient without an obligation of confidentiality; (2) developed independently by the recipient without violating the Disclosing Party’s proprietary rights; (3) obtained from a source other than the Disclosing Party without an obligation of confidentiality; (4) publicly available when received, or thereafter became publicly available (other than through any unauthorized disclosure by, through or on behalf of, the Recipient). “Disclosing Party” and “Recipient” are defined in Section 8.1.
1.13 “Custom Enhancements” means changes and/or additions to the Andesa System which are requested by Client and agreed to by Andesa and designed specifically to satisfy the functionality requirements of Client and are created pursuant to the Professional Services Agreement.
1.14 “Customers” means Client’s current or prospective customers with respect to Policies or Products.
1.15 “Documentation” means any user manuals, operator instructions and other documentation and materials provided by Andesa from time to time which describe the features, functions and performance capabilities of the Andesa System.
1.16 “Effective Date” means the date stated in the first paragraph of this Agreement.
1.17 “Equipment” means the computer hardware and software which Client must have for the proper and effective use of the Andesa System, including that necessary to comply with Andesa’s internet and security policies and protocols as may be modified from time to time by Andesa, as applicable.
1.18 “Escrow Agreement” is defined in Section 14.2.
1.19 “Force Majeure Event” is defined in Section 16.4.
1.20 “GLB” means the Gramm-Leach-Bliley Act, 15 U.S.C. Sections 6801-6809, and regulations adopted thereunder, as the same may have been and may be amended from time-to-time.
1.21 “Indemnitee” is defined in Section 11.4.
1.22 “Indemnitor” is defined in Section 11.4.
1.23 “Initial Acceptance Date” means the first date Client uses the Andesa System in a production environment.
1.24 “Monthly Fee” means any rate or fee designated as a Monthly Fee in Exhibit B appended to this Agreement.
1.25 “New Features” means any new functionality (other than Custom Enhancements and Releases) that Andesa may, at its option, develop and add to the Andesa System or Service Options subsequent to the Effective Date, that Andesa deems beyond the scope of this Agreement.
1.26 “Obsolete Records” is defined in Section 10.7(b).
1.27 “Outsource Subcontractors” is defined in Section 6.1.
1.28 “Party” means Andesa or Client, as applicable.
1.29 “Permitted Affiliates” means all subsidiaries of Client’s parent company Delaware Life Holdings, LLC.
1.30 “Personal Information” means personally identifiable information or data concerning or relating to Customers that Andesa collects or derives from interactions with Client or Customers, and any non-public personal information under GLB.
1.31 “Policy” means an individual in-force contract evidencing a Product that has been issued by Client.
1.32 “Policyholder” means the owner of the Policy.
1.33 “Products” means life insurance products or any other financial products issued by Client and serviced using the Andesa System, which as of the Effective Date are those set forth on Exhibit B.
1.34 “Professional Services Agreement” means the Professional Services Agreement between the Parties by which Andesa provides development, customization, configuration, or other similar services to Client.
1.35 “Release” means a modification or new copy of the Andesa System that incorporates one or more system corrections and/or incremental changes, but does not necessarily include additional capability or functionality or New Features.
1.36 “Remote Access” means access by telecommunication, cable, wireless or other remote access to the Andesa System, including via the internet in any manner whatsoever.
1.37 “Representatives” is defined in Section 8.2.
1.38 “Security Incident” means any breach of security of Client’s Personal Information, whether by internal or external source, and whether such Personal Information is in electronic, paper or any other format, which creates a material risk of identity theft, fraud or other financial harm to Client, its Affiliates, or an individual Customer.
1.39 “Service Options” means those services for which Client has contracted with Andesa under Article 2 and Exhibit D appended to this Agreement.
1.40 “SLC” means the service level commitments referred to in Section 7.3(a).
1.41 “Source Code” means a copy of the computer programs included in the Andesa System consisting of instructions to be executed upon a computer in the language used by its programmers (i.e., prior to compilation or assembly) in a form in which the program logic of the Andesa System is deducible by a human being.
1.42 “SOX Laws” means the Sarbanes-Oxley Act of 2002, applicable rules and regulations issued thereunder by the U.S. Securities and Exchange Commission and applicable rules and regulations of the Public Company Accounting Oversight Board thereunder, including, without limitation, provisions relating to internal controls over financial reporting, as any of the foregoing may have been and/or may be amended from time to time.
1.43 “Specifications” means detailed actuarial and technical definitions describing the calculations and administrative behavior of Products, the business rules describing how Products may be sold and administered, the detailed definition of any functionality added as New Features or Custom Enhancements to the Andesa System, and the definition of any and all interfaces to Client’s systems, as provided by Client to Andesa.
1.44 “SSAE 16” means the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization, and any replacement or successor standard.
1.45 “SSAE 16 SOC 1 Type II Audit” means an examination of the design and operating effectiveness of controls at Andesa that are relevant to user entities’ internal control over financial reporting which scope covers relative aspects of information technology and related processes.
1.46 “Term” is defined in Section 13.1.
1.47 “Terms of Use” means the terms of use, user agreement, end user license agreement, or other agreement promulgated by Andesa from time to time, which individual Authorized Users must accept or adopt as a condition of gaining access to the Andesa System.
1.48 “Transfer Agent” means the role performed by Andesa acting as an intermediary on behalf of Client for the sole purpose of calculating and providing information used by Client to buy and sell financial units of the Products.
1.49 “Transition Services” is defined in Section 13.4.
1.50 “Unneeded Records” is defined in Section 10.7(b).
When a defined term is used, the singular includes the plural, and vice versa, as the context indicates (e.g., “Party,” “Parties,” “Product” and “Products”).
2. USE OF ANDESA SYSTEM
2.1 Scope of Use; Service Options. In consideration of the payment of Andesa’s fees and expenses required herein and subject to the terms and conditions hereof, Andesa grants to Client and Client accepts, a non-transferable, non-exclusive right to use the Andesa System by Remote Access during the Term and will provide the services set forth in this Agreement to Client and Client’s Affiliates with respect to the Products. Any additional Service Options included in this Agreement are listed in Exhibit A.
2.2 Insurance Coverage Documents and Policy Records. Andesa, on behalf of Client and upon its instruction, will maintain records of Policy transactions (including, but not limited to, Policy issue, premium payments, loans, surrenders, funds transfers, and death claims) as set forth in the latest version of the Specifications approved by Client and Andesa. Andesa will only use forms which have been pre-approved by Client in administering the Policies.
2.3 Authority. Andesa will have no authority or duty to underwrite, approve or effect insurance on behalf of Client or to collect premium payments or any other funds due to Client, or to adjudicate claims unless otherwise specifically agreed to in writing by Client and Andesa.
2.4 Response to Inquiries. Andesa will respond to routine Client inquiries (e.g., Policy values, billing inquiries) as set forth in the then current version of the Specifications agreed to by Client and Andesa. For variable Products, Client will be responsible for providing Andesa with instructions as to how to respond to inquiries in compliance with requirements of the Securities and Exchange Commission for a Transfer Agent. Andesa will promptly refer all inquiries by Policyholders to Client with respect to the purchase of Products.
2.5 Client Records; Storage. Andesa shall provide storage for Client Records during the Term, subject to the limitations and fees set forth in Exhibit B, and will assist Client in complying with any regulator’s request for records.
2.6 Client Records; Location. All Client Records shall be housed in physical environments administered by Andesa or its Outsource Subcontractors. Client will receive a 30-day advance notice from Andesa for any changes to the physical location of Client Records by Andesa or its agents. Such relocation shall be without additional expense to Client and without disruption of service.
2.7 Authorized Users; Terms of Use. Client may designate Authorized Users to use the Andesa System, provided every Authorized User’s use of the Andesa System is subject to this Agreement and to the Terms of Use. Client agrees that its Authorized Users will comply with the terms of this Agreement and the Terms of Use. Client shall not permit any person or entity to use or have access to the Andesa System or Andesa IP unless Andesa has issued that person or entity appropriate Access Credentials. Client will be responsible for all use or misuse of the Andesa System by its Authorized Users, anyone purporting to be an Authorized User, and anyone accessing or attempting to access the Andesa System by or through Client’s portals, networks or systems, or anyone using or misusing a User ID or password assigned to one of Client’s Authorized Users.
2.8 Training. Andesa shall provide Client personnel with training and instruction concerning the operation and use of the Andesa System and any contracted Service Options. Training shall be conducted at mutually agreed-upon times and locations, at a cost determined as provided by Exhibit B.
2.9 Information Security, Business Continuity and Disaster Recovery. Andesa will provide Client Record security, backup and recovery functions for the Andesa System according to Andesa’s Information Security Program. The Information Security Program, as currently in effect, is attached as Exhibit E and hereby incorporated into this Agreement.
2.10 User Materials. Andesa may, from time to time hereafter as amendments or supplements are available, furnish Client with Documentation relating to training for the use and operation of the Andesa System. Andesa grants Client the right to duplicate such materials for Client’s internal training purposes only. Andesa reserves all right, title, and interest in any such materials, including associated intellectual property rights, and Client shall use commercially reasonable efforts to destroy or return such materials as directed by Andesa upon any termination of this Agreement.
2.11 Releases. Andesa may, from time to time, provide Releases to the Andesa System as part of the Andesa System at no cost to Client.
2.12 New Features. Client may, at its discretion, contract for the use of New Features offered by Andesa, for additional fees to be negotiated by the Parties or at published rates determined by Andesa. Client may, at its option, decline use of a New Feature.
2.13 Custom Enhancements.
(a) Client may, from time to time, request Andesa to customize the Andesa System to provide additional functionality by developing Custom Enhancements. Andesa will provide the Custom Enhancements in accordance with the terms set forth in the Professional Services Agreement and a mutually agreeable statement of work thereunder. All Custom Enhancements necessary due to legal or regulatory changes will be completed as soon as reasonably possible in order for Client to comply with such legal and/or regulatory changes. Such legal regulatory changes shall be made at a price and schedule to be agreed to by the Parties in writing, as per the Professional Services Agreement and a mutually agreeable statement of work thereunder.
(b) Andesa may refuse to make any Custom Enhancement that, in Andesa’s good faith judgment, would not be commercially or technologically feasible, or would materially impair the operation of the Andesa System for other clients. If Andesa declines to make a Custom Enhancement that would be necessary for Client or Andesa to comply with Applicable Laws, Client shall have the right to terminate this Agreement as of the date on which the change in Applicable Laws would have required the Custom Enhancement to be implemented.
3. OWNERSHIP.
3.1 Andesa’s Ownership. Andesa is the sole owner of all copyright and other rights in and to the Andesa System, all other Andesa IP, and all related Documentation. This Agreement is not a sale or license of any Andesa IP or any copy thereof. Client acknowledges that its rights in the Andesa System are limited solely to the terms and conditions granted herein and that it shall neither claim nor assert any other interest therein. Client agrees to assign, and hereby assigns, any improvements or modifications to the Andesa System to Andesa, whether or not Client has made the improvements or has contracted with Andesa to make such improvements, and any Custom Enhancements or New Features.
3.2 Client Records. Except as provided herein, all Client Records are the property of Client. Andesa acknowledges that Client has acquired substantial expertise and knowledge in the field in which the Andesa System is used. Client will not be prevented under this Agreement from independently developing or using its own proprietary information, but not New Features. Client shall not reverse engineer or otherwise obtain, use or analyze any portion of the Andesa System or Andesa IP for the use in connection with the design or development of any software, program, product, trade secret or proprietary information.
3.3 No Modification, etc. Client shall not, without Andesa’s prior written consent, alter, modify or adapt any of the Andesa System or other Andesa IP, nor attempt to copy, translate, reverse engineer, screen scrape, call, transfer, re-distribute, de-compile, disassemble, or create derivative works of any Andesa IP. Client may not remove or modify any proprietary marking or restrictive legend associated with the Andesa System. Client may not provide framed or deep linked access to the Andesa System to any party or use any other device to prevent any Authorized User from viewing any proprietary messages or symbols of Andesa. No Source Code is licensed herein other than as may occur pursuant to the terms of the Escrow Agreement.
3.4 No License. Nothing contained in this Agreement shall be construed to grant to any person any right or license or other rights under any intellectual property or Confidential Information, except as may be expressly provided herein.
4. RESTRICTIONS ON USE OF ANDESA SYSTEM.
4.1 Restrictions. The Andesa System shall be used only as expressly permitted hereunder, and only by Authorized Users. The Andesa System is solely for use in support of Client’s and the Permitted Affiliates’ respective business and may not be used to provide services for hire, or in a service bureau, outsourcing, application service provider or third party administrative services mode. Client will be responsible for all actions of its Affiliates under this Agreement.
4.2 Usage Policies. Andesa reserves the right to publish and enforce standard policies for use of the Andesa System and to limit use of the Andesa System or storage of data to the extent Andesa deems such use to be abusive, illegal, excessive, beyond the bounds of normal operation by an Authorized User, or in breach of this Agreement. Andesa agrees to not unreasonably restrict use of the Andesa System by an Authorized User and to notify Client of any actions taken to limit use by an Authorized User.
5. PERSONNEL.
5.1 Training. Client shall select personnel suitable to train for the operation and use of the Andesa System; such personnel having already received adequate training in the use of the operation of the Equipment and Remote Access.
5.2 Client Contact and Staffing.
(a) Client shall designate a person to act as Andesa’s authorized contact person for each of the Service Options. Client’s designated contact must have a detailed understanding of Client’s business in order to communicate problems and issues with Andesa support staff. Client agrees to designate said personnel within thirty (30) days after execution of this Agreement.
(b) Because the Andesa System depends on skills in personal computers, including use of internet browsers, Client and its Authorized Users must acquire skills necessary for successful implementation and support. Andesa shall not be responsible for failures, delays, or additional services that result from the failure of Authorized Users to comply with such requirement. Additional services required by Client or its Authorized Users for failure to so comply shall result in charges to Client at Andesa’s then-current hourly rates.
6. OUTSOURCE SUBCONTRACTORS.
6.1 Notwithstanding anything in this Agreement, Andesa may outsource portions of the Andesa System to one or more business partners (“Outsource Subcontractors”), including engaging Outsource Subcontractors who will store or process Client Records, so long as:
(a) Andesa identifies the Outsource Subcontractor;
(b) the Outsource Subcontractor signs confidentiality agreements with Andesa covering Client Records in form and substance comparable to Article 8 and Article 9;
(c) the Outsource Subcontractor has provided Andesa with at least the same assurances and rights as Andesa provides to Client hereunder regarding security and integrity of Client Records, audits, backup and business continuity processes and plans, and employee background investigations, as and to the extent applicable to the relevant functions to be performed; and
(d) the Outsource Subcontractor maintains at least the same insurance coverages as Andesa.
7. REPRESENTATIONS AND WARRANTIES
7.1 Mutual. Each Party represents and warrants for and with respect to itself as follows:
(a) It has all right and authority necessary under Applicable Laws to enter into this Agreement and perform its obligations hereunder without the consent of any other person or entity,
(b) neither Party nor its employees or agents is under any pre-existing obligation inconsistent with the provisions of this Agreement,
(c) there is no litigation pending that would affect its obligations under this Agreement,
(d) it has all licenses, permits, registrations and other governmental approvals necessary for the performance of its obligations under this Agreement,
(e) its business operations have been conducted, are now, and will continue to be in compliance in all material respects with all Applicable Laws, and
(f) it has the facilities, equipment and personnel necessary to carry out its duties and obligations under this Agreement.
7.2 By Andesa. Andesa represents and warrants as follows:
(a) All Service Options under this Agreement shall perform in all material respects in compliance with this Agreement, the Documentation and the SLCs.
(b) It has registered and will maintain its registration as a Transfer Agent under Applicable Law if required for any of the Service Options specified in this Agreement; that it is empowered under Applicable Laws and by its charter and bylaws to enter and perform this Agreement; and that it has and will continue to have access to the necessary facilities, equipment and personnel to perform its duties and obligations under this Agreement.
(c) Andesa will continue to meet all requirements of Applicable Laws to act as a third party administrator if required for any of the Service Options specified in this Agreement, including being licensed in the applicable states, as necessary. During the Term Andesa will remain in good standing in each jurisdiction in which it conducts business and shall promptly report to Client any threatened or actual suspension or revocation of any authority to do business in any capacity.
7.3 Service Level Commitments.
(a) The Andesa System will perform in accordance with the service level commitments attached hereto as Exhibit C (“SLCs”). The SLCs shall include any agreed upon fee credits (the “SLC Credits”), which shall constitute liquidated damages and, unless otherwise set forth in the SLC, shall be Client’s sole remedy for Andesa’s failure to meet the standards set forth in the SLC.
(b) Any failure by Andesa to meet any SLC shall be excused if and to the extent (i) such failure by Andesa resulted from a material failure by Client to perform its obligations in respect to the SLC or (ii) such failure is a result of an event of a Force Majeure Event. If delay was caused by Client’s failure to perform its obligations in respect of such SLC, any failure by Andesa pursuant to the preceding provision shall be excused for a reasonable number of days as mutually determined by the Parties based upon factors related to the number of days Client failed to perform its obligations in respect to such SLC. Client shall be entitled to deduct from any invoice the amount of any SLC Credits.
8. CONFIDENTIAL INFORMATION
8.1 Protection.
(a) Each Party (the “Recipient”) receiving Confidential Information of the other Party (the “Disclosing Party”) shall keep such information confidential to the same extent that the Recipient maintains its own Confidential Information and trade secrets, but using not less than a reasonable standard of care. In no event shall any of the Disclosing Party’s Confidential Information be used by the Recipient for any purpose whatsoever (including, without limitation, the marketing of other products or services) other than to perform the Recipient’s obligations under this Agreement. Each Recipient agrees that the Disclosing Party’s Confidential Information shall not be disclosed, given, bartered, sold, traded, transferred, or exchanged in any way to other companies or entities for any uses; and if this were to occur it would cause irreparable harm to the Disclosing Party and be a material breach of this Agreement. Notwithstanding anything else in this Agreement, Andesa may generate, use, disclose, share and transfer Aggregated Data for any purpose not prohibited by Applicable Laws.
(b) In particular, Andesa acknowledges that Client may be subject to certain laws and regulations regarding the privacy and protection of Personal Information and that any receipt or use of Personal Information by Andesa may also be subject to compliance with such laws and regulations. Andesa agrees that any Client Records and Personal Information provided by Client shall be used solely for the purpose of carrying out Andesa’s obligations to Client, and that Andesa will comply with all such applicable laws and regulations applicable to Andesa, the violation of which would have a material adverse effect on Client or Andesa.
8.2 Dissemination; Need to Know. The Recipient agrees to restrict access to the Disclosing Party’s Confidential Information to those employees, contractors, advisors and business partners (“Representatives”) who need to know that information in order to enable the Recipient to perform its obligations to the Disclosing Party. The Recipient shall take reasonable action by instruction, agreement or otherwise, to bind its Representatives to comply fully with the Recipient’s obligations hereunder with respect to the use, disclosure, copying, protection and security of the Disclosing Party’s Confidential Information.
8.3 Required Disclosures. A Recipient may disclose or use a Disclosing Party’s Confidential Information if and to the extent required for the following purposes:
(a) to comply with Applicable Laws;
(b) to comply with a properly authorized civil, criminal, or regulatory investigation subpoena or summons by federal, state or local authorities; or
(c) as specifically directed by the Disclosing Party, unless the information in question is also the Recipient’s Confidential Information, in which case the proposed use shall require the consent of both parties.
(d) If a Recipient believes it is required to disclose Confidential Information pursuant to Section 8.3(a) or Section 8.3(b), it shall give the Disclosing Party such advance notice of the intended disclosure as is legally allowed and practicable in the circumstances so as to give the Disclosing Party an opportunity to review and object thereto if appropriate, including seeking appropriate protective orders.
8.4 Sharing Information with Affiliates and Representatives. Should a Recipient wish to share any of the Disclosing Party’s Confidential Information with the Recipient’s Affiliate or Representative for the purpose of carrying out the Recipient’s obligations under this Agreement, the Recipient shall (a) obtain the advance written approval of the Disclosing Party, which shall not be unreasonably withheld, and (b) obtain the written agreement of any such Affiliate or third party not to re-disclose the Personal Information or to use the Personal Information other than as set forth in this Section.
8.5 Return of Confidential Information. Except as necessary to perform any services under this Agreement within the timeframe set forth in Section 13.4 or as required by Applicable Laws, upon the expiration or termination of this Agreement each Recipient will return all Confidential Information of the Disclosing Party, in whatever form or media the Recipient then stores it or in mutually agreeable form, retaining no copies of the same in any form whatsoever, or else destroy such Confidential Information and certify in writing to the Disclosing Party that it has done so; provided that Confidential Information stored in electronic form may be retained on back-up servers or other backup media if it is not intentionally made available to any person and is deleted in accordance with the Recipient’s policies with respect to the retention of electronic records. The obligations of the Parties herein regarding Confidential Information shall survive the return or destruction of such Confidential Information or termination of this Agreement.
9. AUDIT
9.1 SSAE 16 SOC 1.
(a) At Andesa’s sole cost and expense, Andesa shall cause a reputable independent auditor to conduct an annual SSAE 16 SOC 1 Type II Audit of significant controls relevant to user entities’ internal control over financial reporting, and to prepare and deliver to Client full and complete copies of written reports prepared following such audit. Each year, Andesa shall prepare and deliver a communication detailing any material changes in the control environment, if any, for the period between the audit report date and the end of the current calendar year that would adversely affect the conclusions reached in the most recent SSAE 16 SOC 1 Type II audit.
(b) Client shall have the right to perform audits of significant controls relevant to user entities’ internal control over financial reporting more frequently (i) if necessary for Client to meet or respond to any regulatory requirement or inquiry; or (ii) as deemed reasonably necessary by Client as a result of Client’s good faith belief that Andesa has breached any of its obligations hereunder. Andesa and its Outsource Subcontractors shall provide commercially reasonable access to subscribed systems that does not create any security or confidential information disclosure risk to Andesa or its other Clients’ systems, data or information operations, procedures, personnel, and manuals and any other documents or materials as are necessary to reasonably confirm compliance with Andesa’s obligations provided under this Article 9. As a condition to such audits, Client’s third party representatives shall sign a confidentiality agreement with Client and Client shall be responsible to Andesa for the acts or omissions of any third party representatives. Each notice shall state the nature, purpose and scope of the audit. Andesa and its Outsource Subcontractors shall only be required to provide such items and assistance as shall be consistent with the scope set forth in the notice. Should Client request an audit not specifically required by Section 9.1(a), Andesa may charge Client for the time and materials used by Andesa for such additional audits at Andesa’s then current rates. Andesa shall incorporate the requirements of this Section into any agreement into which it enters with any Outsource Subcontractor having access to Client Records.
(c) If any SSAE 16 SOC 1 Type II Audit report prepared by an independent auditor reveals that Andesa’s internal controls, in whole or in part, fail to constitute effective controls over financial reporting, Andesa shall prepare and deliver to Client a plan that is reasonably acceptable to Client for promptly addressing such issues, which may consist of correcting specific deficiencies or exceptions or instituting compensating controls, as reasonably determined by Andesa (“Corrective Plan”). Andesa shall deliver the Corrective Plan to Client within ninety (90) calendar days following Andesa’s delivery to Client of the SSAE 16 SOC 1 Type II Audit report containing the deficiencies and/or exceptions. Andesa shall bear all costs and expenses associated with correcting, or instituting compensating controls for, all deficiencies and exceptions identified in the Corrective Plan if such deficiencies and/or exceptions affect Andesa’s customers generally.
(d) All audits and reports under this Article 9 shall be confidential, and Client shall not, without Andesa’s prior consent, disclose or permit any other person to disclose the results of the audit to any person except as required by Applicable Laws.
9.2 Sarbanes-Oxley. Andesa acknowledges that: (a) Client’s management may be required under the SOX Laws to, among other things, assess the effectiveness of its internal control over financial reporting (as defined in Rule 13a-15(f) of the Securities Exchange Act of 1934, as amended) and state in its annual report whether such internal controls are effective; (b) Client’s independent auditor may be required to attest to the report of Client’s management containing management’s assessment of the effectiveness of Client’s internal controls over financial reporting and whether such internal controls are effective; and (c) because Client has outsourced certain functions to Andesa, the controls used by Andesa (including, without limitation, controls that restrict unauthorized access to systems, data and programs) are relevant to Client’s evaluation of its internal controls. Having acknowledged the foregoing, Andesa agrees to cooperate with Client and its independent auditor as reasonably necessary to facilitate Client’s ability to comply with its obligations under the SOX Laws including, without limiting the generality of the foregoing, compliance with the further terms of this Article 9.
9.3 Andesa Expenses. If Andesa incurs direct costs associated with compliance with Client’s particular audit requirements that Andesa would not have otherwise undertaken in the course of its business, Andesa may charge such direct, additional costs to Client.
10. WARRANTY DISCLAIMER AND LIMITATIONS OF LIABILITY
10.1 Disclaimer. EXCEPT AS SPECIFICALLY PROVIDED IN SECTION 7.2(a), ANDESA DISCLAIMS ALL WARRANTIES WITH RESPECT TO THE ANDESA SYSTEM, THIS AGREEMENT AND ANY SERVICES HEREUNDER, INCLUDING ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ALL IMPLIED WARRANTIES. ANDESA DOES NOT WARRANT THAT THE ANDESA SYSTEM OR ANY SERVICES WILL BE ERROR FREE OR OPERATE WITHOUT INTERRUPTION, OR ARE ABSOLUTELY SECURE AGAINST MISUSE, UNAUTHORIZED USE, OR INTRUSION.
10.2 Maximum Liability.
(a) Except as set forth in Sections 10.2(b) and 10.2(c), Andesa’s aggregate liability to Client and Client to Andesa under any and all Claims and Liabilities arising in any manner with respect to any Service Option or otherwise in connection with this Agreement and any Exhibits, schedules, or other attachments, addenda, or amendments hereto, shall not exceed an amount (the “Maximum Liability”) equal to the greater of (a) Two Million Dollars ($2,000,000.00) or (b) an amount equal to eighteen (18) times the fees paid under this Agreement for use of the Service Options with respect to the most recent full month preceding the claim. The limitations of liability in this Article 10 are an essential part of the bargain between the parties, have been negotiated as a fair and even allocation of risk in view of the charges being paid by Client, and shall apply even if any term of this Agreement fails of its essential purpose. The foregoing limitations on Client’s liability shall not apply to claims by Andesa for fees due for services performed.
(b) In the case of claims by either Party against the other arising on account of a Party’s breaches of its obligations under Article 8, the breaching Party’s Maximum Liability shall be deemed to be Five Million Dollars ($5,000,000.00).
(c) The limitations of Section 10.2(a) and Section 10.3 shall not apply to (i) claims for bodily injury or damage to real property or tangible personal property for which either Party, its agents or assigns, is legally responsible, (ii) claims arising from a Party’s fraud or other intentional tortious conduct, or (iii) claims for indemnity under Section 11.1(c) or Section 11.2(c).
10.3 Consequential Damages, Etc. IN NO EVENT SHALL EITHER PARTY BE LIABLE, WHETHER IN CONTRACT, TORT, OR OTHERWISE, FOR ANY CONSEQUENTIAL, INDIRECT, PUNITIVE OR INCIDENTAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS OR PROFITS) ARISING OUT OF THIS AGREEMENT, THE ANDESA SYSTEM, THE USE OF OR INABILITY TO USE THE ANDESA SYSTEM OR SERVICE OPTIONS, ANY SECURITY INCIDENT, OR THE CANCELLATION, TERMINATION OR BREACH HEREOF, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10.4 Limitations Period. Neither Party may bring any claim or action arising out of or related to the Andesa System, this Agreement, or any services hereunder, including any claim of fraud or misrepresentation, more than one year after the discovery of the claim or the Party bringing the claim should have discovered it, whichever is sooner. Both Parties agree that any claim not presented within such time is waived.
10.5 Other Limitations. Andesa shall have no liability or responsibility for problems with the Andesa System caused by misuse, improper installation, alteration or modification by Client of the Andesa System or its output, or Client’s failure to make timely report to Andesa of any non-conformity, or any use by any person who is not an Authorized User or for problems arising out of the malfunction of Client’s equipment and communications system through which Client obtains Remote Access, or for any use to which Client may put the Andesa System or any report or other output thereof. Client acknowledges that the Andesa System may include features limiting its operability beyond the scope of this Agreement. A Party claiming damages for Claims or Liabilities pursuant to this Agreement shall not assert any claim arising on account of the same events, facts or circumstances pursuant to the Professional Services Agreement, nor vice versa, it being the intention of the Parties that the liability limitations of the two agreements are not cumulative.
10.6 Errors in Use. Client acknowledges that all services and the access to and use of the Andesa System entail the likelihood of some human and machine errors, omissions and delays which may give rise to loss or damage. Accordingly, Client agrees that Andesa shall not be liable on account of any such errors, omissions or delays, including Security Incidents, unless caused by Andesa’s fraud or other intentional tortious conduct. Andesa may from time to time recommend and Client agrees to adopt such measures as may be appropriate to limit its exposure with respect to such potential losses and damages, including, without limitation, examination and confirmation of the Andesa System, data and data processing information, provision for identification, examination and confirmation of omissions, preparation and storage of backup data, replacement of lost or mutilated documents, and reconstruction of data.
10.7 Obsolete and Unneeded Records.
(a) Recognizing that absolute security of data is impossible to achieve, and that maximizing the efficiency and security of the Andesa System militates in favor of Andesa’s storage and processing of the smallest practical volume of Client Records, Client will not require or request Andesa to store Client Records except as strictly necessary to make the Services Options available and operate the Andesa System. Client will provide Andesa with obfuscated records and data instead of “live” Client Records whenever possible, such as, for example, in connection with development and testing.
(b) Client acknowledges that Andesa may be exposed to certain Personal Information and other Confidential Information by reason of practices followed by Client for Client’s own economic requirements and convenience, and not because Andesa needs access thereto in order to perform its obligations, and that Client could if it so chose withhold such information from Andesa without adverse effect on Andesa’s ability to perform its obligations. Therefore, Client will keep Andesa advised at least once quarterly of any Client Records which must or may be destroyed according to Client’s records retention protocols (“Obsolete Records”). Andesa may (and at Client’s direction shall) return or use commercially reasonable efforts to destroy (i) any and all Obsolete Records; (ii) all Client Records that Andesa has not expressly agreed to store; and (iii) all Client Records that are not needed to provide Andesa’s services hereunder (collectively, “Unneeded Records”).
(c) NOTWITHSTANDING ANY OTHER PROVISION HEREOF, AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, CLIENT ASSUMES ALL RISK (AND ANDESA SHALL HAVE NO LIABILITY TO CLIENT OR ANY OTHER PERSON) IN RESPECT TO ANY SECURITY INCIDENT OR OTHER BREACH OF SECURITY OR UNAUTHORIZED ACCESS WITH REGARD TO UNNEEDED RECORDS WHICH CLIENT HAS REQUESTED ANDESA TO USE OR RETAIN OR HAS NOT ADVISED ANDESA TO DESTROY.
11. INDEMNITY
11.1 Andesa Right to Indemnification. Subject to the limits provided in Article 10, Client shall indemnify, defend, and hold harmless Andesa, its Affiliates, directors, officers, employees, and agents (“Andesa Indemnitees”) from and against any and all Claims and Liabilities incurred by or asserted against any Andesa Indemnitee, to the extent that they arise out of a claim by a third party alleging:
(a) any breach by Client of any of its obligations under this Agreement;
(b) any negligent or more culpable act or omission of Client, including any violation of Applicable Laws and any injury to persons or property;
(c) any alleged violation of the intellectual property or proprietary rights of a third party, including those of a Client employee, arising from (i) any use by Andesa of Client’s Confidential Information or Client Records, or (ii) any use of the Andesa System by Client in a manner or for a purpose not expressly contemplated by this Agreement, or (iii) any business method or process used by Andesa or embodied in the Andesa System at the request of Client;
(d) compliance by Andesa with Client’s instructions or the Specifications, including in regard to Unneeded Records; and
(e) any Security Incident or other breach of security or unauthorized access with regard to Unneeded Records which Client has requested Andesa to use or retain or has not advised Andesa to destroy.
Notwithstanding the foregoing, Client shall not have any obligation to indemnify hereunder with respect to a Claim or Liability to the extent that it arises out of (i) the negligent or more culpable act or omission of Andesa or any Andesa Indemnitee, or (ii) any breach of this Agreement or violation of Applicable Laws by Andesa or any Andesa Indemnitee.
11.2 Client Right to Indemnification. Subject to the limits provided in Article 10, Andesa shall indemnify, defend, and hold harmless Client, its Affiliates, directors, officers, employees, and agents (“Client Indemnitees”) from and against any and all Claims and Liabilities incurred by or asserted against any Client Indemnitee, to the extent that they arise out of a claim by a third party alleging:
(a) any breach by Andesa of any of its obligations under this Agreement;
(b) any negligent or more culpable act or omission of Andesa, including violation of Applicable Laws or injury to persons or property; or
(c) any violation by Andesa of patents, copyrights or other proprietary rights of a third party enforceable in the United States, including those of Andesa Personnel.
Notwithstanding the foregoing, Andesa shall not have any obligation to indemnify hereunder with respect to a Claim or Liability to the extent that it arises out of (i) the negligent or more culpable act or omission of Client or any Client Indemnitee, (ii) any breach of this Agreement or violation of Applicable Laws by Client or any Client Indemnitee, (iii) any use by Andesa of Client data or records in the manner contemplated by this Agreement, or (iv) any use of the Andesa System by Client in a manner or for a purpose not expressly contemplated by this Agreement, or (v) any business method or process used by Andesa or embodied in the Andesa System at the request of Client.
11.3 Infringement by Andesa System. If any feature or function of the Andesa System when used as contemplated in the Documentation is alleged or held to infringe a third party’s intellectual property rights, Andesa may at its option either (a) procure for Client the right to continue use of that feature or function, or (b) replace or modify that feature or function so that it does not infringe without substantially diminishing its capability. If Andesa in its reasonable judgment believes it is not feasible to effectuate options (a) or (b) then Andesa, at its option, shall eliminate the offending feature or function or terminate this Agreement, and the applicable fees for the services hereunder shall be equitably abated.
11.4 Indemnification Procedures. An entity or person that intends to claim indemnification under this Article 11 (the “Indemnitee”) shall promptly notify the Party from whom it seeks indemnification (the “Indemnitor”) in writing of any claim, lawsuit, or other action in respect of which the Indemnitee intends to claim such indemnification. Failure of the Indemnitee to notify the Indemnitor on a timely basis shall not excuse the Indemnitor from its obligations hereunder except to the extent that the Indemnitor has been prejudiced thereby. The Indemnitee shall permit the Indemnitor, at its discretion, to settle any such claim, lawsuit or other action and agrees to the complete control of such defense or settlement by the Indemnitor; provided, however, that such settlement does not adversely affect the Indemnitee’s rights hereunder or impose any obligations on the Indemnitee in addition to those set forth herein in order for it to exercise such rights. If the Indemnitor is actively defending the matter and is in compliance with its obligations under this Article 11, no such claim, lawsuit or other action shall be settled without the prior written consent of the Indemnitor, which consent shall not be unreasonably withheld, and the Indemnitor shall not be responsible for any legal fees or other costs incurred other than as provided herein. The Indemnitee shall cooperate fully with the Indemnitor and its legal representatives in the investigation and defense of any claim, lawsuit or other action covered by this indemnification. The Indemnitee shall have the right, but not the obligation, to be represented by counsel of its own selection and at its own expense.
12. INSURANCE
12.1 Coverages. Andesa agrees, at its own expense, to provide and keep in full force and effect during the Term of this Agreement the following kinds and minimum amounts of insurance:
(a) Worker’s Compensation insurance and Employer’s Liability with limits of $500,000 each accident covering all personnel directly or indirectly connected with the performance by Andesa of its services hereunder.
(b) Comprehensive General Liability insurance, including broad form contractual liability, bodily injury, property damage, personal injury, advertising injury and complete operations and products coverage with limits of at least $1,000,000 per occurrence/ $2,000,000 general aggregate.
(c) Professional (errors and omissions) Liability insurance, including technology errors and omissions with limits of $1,000,000 per claim.
(d) Cyber Security Liability insurance, including Privacy Notification coverage, with limits of $1,000,000 per claim.
(e) Umbrella (excess) coverage in the amount of $10,000,000 per claim and $10,000,000 annual aggregate that will provide excess limits of liability over the commercial general liability, automobile liability, and employers’ liability coverage.
(f) Employee Theft and Computer Fraud coverage for loss arising out of or in connection with fraudulent or dishonest acts committed by the employees of Andesa, acting alone or in collusion with others, including coverage for loss of money, in a minimum of $10,000,000.00.
At Client’s request, the foregoing insurance coverage shall contain a waiver of cross claim and subrogation; the Client shall be an additional insured under the comprehensive general liability insurance.
12.2 Insurance Carriers, etc. The aforementioned insurance policies shall be maintained with insurers having a minimum A.M. Best rating of “A” or a comparable rating from another insurance rating service. Andesa insurance will be primary for matters in which Andesa is liable. At Client’s request, Andesa shall send Client a certificate of insurance evidencing these coverages; and Andesa shall notify Client in writing at least 30 days prior to any cancellation, interruption or reduction in coverage. Maintenance of insurance as specified in this Agreement shall in no way be interpreted as relieving Andesa of any of its responsibilities under this Agreement, and Andesa may carry, at its own expense, such additional insurance as it deems necessary, including self-insurance. Andesa is responsible for all deductible payments and self-insured retentions.
13. TERM AND TERMINATION
13.1 Term and Termination. The term of this Agreement (the “Term”) shall begin on the Effective Date and continue indefinitely until terminated according to this Section 13.1. Either Client or Andesa may terminate this entire Agreement or any of the individual Service Options associated with this Agreement with respect to Client and all Authorized Users upon:
(a) Election by Client at any time for any reason or no reason upon one hundred eighty (180) days’ notice, provided that any and all fees and costs outstanding under the terms of this Agreement up to the date of termination are paid in full; or
(b) Election by Client, following the bankruptcy, receivership or dissolution of Andesa, or assignment of all or substantially all of Andesa’s assets for the benefit of creditors, and Andesa’s failure to procure the stay or dismissal of such proceeding (if commenced involuntarily against Andesa) within ninety (90) days, but not a dissolution or liquidation incident to a merger, reorganization or consolidation involving Andesa or sale of its assets as a going concern; or
(c) Election by Client upon Andesa’s material breach of the Agreement which has not been cured within sixty (60) days of receipt of a written notice by Client that specifies the nature of the alleged failure to perform; or
(d) Election by Client if the Andesa System is unavailable due to a Force Majeure Event for a period of more than thirty (30) days; or
(e) Election by Andesa for any reason or no reason upon twelve (12) months’ prior written notice to Client, provided that such termination shall not take effect before the third anniversary of the Initial Acceptance Date; or
(f) Election by Andesa, following failure of Client to make any undisputed payments under this Agreement to Andesa within fifteen (15) days of notification by Andesa that the payment is overdue by thirty (30) or more days; or
(g) Election by Andesa, following a material breach of any provision of the Agreement by Client, other than payment, which is governed by Section 13.1(f), if such material breach has not been cured within sixty (60) days of receipt of a written notice to Client by Andesa that specifies the nature of the alleged material breach; or
(h) Election by Andesa, following the bankruptcy, receivership or dissolution of Client, and Client’s failure to procure the stay or dismissal of such proceeding (if commenced involuntarily against Client) within ninety (90) days.
13.2 Effect of Termination. Upon termination of this Agreement or any Service Option contained herein for any reason:
(a) the rights of all Authorized Users associated with the terminated Service Option(s) are terminated immediately upon the effective date of the termination notice;
(b) Client shall have no further right to use, and shall stop using, the Andesa System associated with the terminated Service Option(s) immediately and return to Andesa all tangible Andesa IP or Andesa Confidential Information in its employees’, agents’, or Authorized Users’ possession that relate to the terminated Service Options; and
(c) Andesa may without further notice terminate all access by Client or other parties to the Andesa System or such Service Options as have been terminated, as applicable. In such event all provisions of this Agreement, which relate to Andesa IP or Confidential Information shall survive the termination of any portion of this Agreement. Client agrees to cooperate in effecting the termination of Authorized Users. Notwithstanding the foregoing, the provisions of this Section 13.2(c) shall be subject to the provisions of Section 13.4 and Section 13.6 and shall not in any way limit the obligations thereunder.
13.3 Partial Termination. Client may partially terminate certain Service Options or software tools by requesting in writing that Andesa selectively terminate said Service Option or software tools for a given Policy or any of the Products. In the event of a partial termination, Andesa may, in its sole discretion, reduce the Monthly Fees.
13.4 Transition Services. Upon any termination of this Agreement or individual Service Options, Andesa will provide services to Client to enable Client to continue to process the business administered hereunder, either internally or using other vendors, for up to one (1) year following the termination of this Agreement (the “Transition Services”). The Transition Services will consist of technical assistance during the initial, incremental and final backup, restoration and migration of Client Records in accordance with agreed-upon requirements (for which Andesa may charge at mutually agreed rates), and continued provision of services in accordance with the Agreement during the transition period until Client confirms final separation from Andesa. Client shall cooperate in good faith with Andesa in connection with Andesa’s obligations under this Section, and all terms and conditions of this Agreement shall remain in effect during the Transition Services, except as expressly provided herein.
13.5 Payments after Termination. Upon termination of this Agreement or any Service Option contained herein, Client shall continue to pay all fees to Andesa in accordance with this Agreement as long as Client or any of its Authorized Users use any part of the Andesa System, at the rates then in effect.
13.6 Client’s Records.
(a) Upon termination of this Agreement for any reason and upon request by Client, Andesa will transfer Client Records to Client as provided in Section 13.4. Andesa may maintain copies of Client Records as may be required to document the services performed prior to termination and to comply with Applicable Laws or the other provisions of this Agreement, or to the extent necessary for use in the prosecution or defense of any pending or reasonably expected legal action.
(b) For at least six (6) months after last use or 60 days after the Transition Services have been completed, whichever is earlier, Andesa will maintain the records developed and maintained pursuant to this Agreement at Client’s expense. The cost of such efforts will be billed to Client at Andesa’s then current rates. All records may be kept electronically unless Client notifies Andesa that electronic record keeping is inadequate.
14. SOFTWARE ESCROW
14.1 Deposit. Client will have the option, at Client’s sole expense, any time after the Initial Acceptance Date, to have Andesa deposit with a third party escrow agent of Andesa’s choosing one (1) copy of the Source Code and documentation to compile the Source Code for the portions of the Andesa System provided hereunder that consist of software applications developed or owned by Andesa, in the form of Andesa’s most recent general Release and any other Release in production use by Client. Andesa agrees to promptly update the Source Code each time Andesa updates the compiled version of the Andesa System.
14.2 Escrow Agreement. Both Parties and a mutually agreeable escrow agent must execute a written agreement reasonably acceptable to all parties as a condition of establishment of the escrow (the “Escrow Agreement”). The terms of the Escrow Agreement must establish limitations on use and disclosure of the Source Code and other Confidential Information that are consistent with this Agreement. In the event of a conflict in the provisions of the Escrow Agreement and this Agreement, the terms of this Agreement shall prevail.
14.3 Release of Source Code. The terms of the Escrow Agreement shall provide for the release of the Source Code to Client within (a) thirty (30) days of the termination of this Agreement pursuant to Section 13.1(b) or Section 13.1(c) if continued operation of the Andesa System is at such time substantially interrupted or (b) thirty (30) days after termination of this Agreement pursuant to Section 13.1(e).
14.4 Source Code Release Fee. If Client chooses to take possession of the Source Code under Section 14.3, as a condition precedent to the release of the Source Code from the escrow, Client shall pay Andesa, or its successors, the sum of:
(a) One Million Five Hundred Thousand Dollars ($1,500,000.00) for a termination under Section 13.1(b) and Section 13.1(c); or
(b) Seven Million Dollars ($7,000,000.00) for a termination under Section 13.1(e).
14.5 Use of Source Code. Client agrees to use the released Source Code only for the purpose of maintenance of the Andesa System to process the business of Client, subject to all the terms and conditions of this Agreement. Client shall not assign, sell, lease or otherwise allow the use of the Source Code for the benefit of any person other than Client.
15. DISPUTE RESOLUTION
15.1 Internal Resolution. The Parties shall attempt in good faith to resolve any dispute arising out of this Agreement promptly by negotiation between executives who have authority to settle the controversy and who are at a higher level of management than the persons with direct responsibility for administration of the Agreement. Either Party may give the other Party written notice of any dispute not resolved in the ordinary course of business. All reasonable requests for information made by one Party to the other shall be honored in a timely fashion.
15.2 Arbitration.
(a) If a dispute (other than breaches of confidentiality, title or proprietary rights) cannot be resolved through negotiations by the Parties’ respective senior executives, the Parties agree to submit the dispute to a binding arbitration by a sole arbitrator. If the Parties cannot agree on a sole arbitrator, they each shall choose one, and those two shall agree upon a third, who shall serve as the sole arbitrator. The arbitration shall proceed under the AAA Commercial Arbitration Rules, but the Parties shall not use the services of the AAA for the arbitration itself. To the extent practicable, the award shall be made within three (3) months of selection of the arbitrator and may be entered in any court having jurisdiction. Each Party shall bear its own expenses but those related to the compensation of the arbitrator shall be borne equally.
(b) The arbitration shall be held in a mutually agreeable location or if no agreement can be reached then it shall be in Pennsylvania. The arbitrator shall determine the issues to be arbitrated but may not limit, expand or otherwise modify the terms of this Agreement.
(c) The arbitrator shall issue a written decision setting out: (i) each of the findings of fact; (ii) the evidence supporting each finding of fact; (iii) a statement of the applicable law; and (iv) an explanation of how the arbitrator applied the law to those facts. The arbitrator shall not have the power or discretion to include punitive, exemplary, special or consequential damages of any kind, including lost profits and loss of business, or equitable relief in any award or amend this Agreement without the consent of both Parties.
16. GENERAL
16.1 Modification, Non-Waiver. No modification of this Agreement will be effective unless it is in writing, signed by authorized representatives of both Client and Andesa and attached hereto. Failure to enforce any Agreement term is not a waiver of future enforcement of that or any other term.
16.2 Assignment.
(a) Neither Client nor Andesa may assign this Agreement, the Andesa System, or the rights and obligations under it, without the express written consent of the other which consent shall not be unreasonably withheld or delayed. Notwithstanding the preceding, however, upon written notice to the other Party, either Party may assign its rights and obligations under this Agreement to an Affiliate or to a person acquiring substantially all the business and operations of the assignor, by merger, sale of stock, or otherwise, provided that the acquirer agrees in writing to assume (or assumes by operation of law) all obligations of the assignor hereunder and has adequate resources to meet its obligations hereunder. Any attempted assignment of this Agreement not in accordance with this Section shall be null and void. Notwithstanding the foregoing, the assignor shall remain bound by all obligations hereunder.
(b) For the avoidance of doubt, any change of control of Client, whether by sale of assets or stock, merger, split-up, spin-off, reorganization or similar transaction, whether or not it involves an express assignment, shall be deemed an assignment of this Agreement and if effected without Andesa’s prior written consent, shall entitle Andesa to declare this Agreement in default, terminate this Agreement, or alter the pricing hereunder, or any of the foregoing, in Andesa’s discretion.
16.3 Notices. Any notices required or permitted hereunder shall be deemed given if hand delivered or, if mailed, postage prepaid, by certified mail, return receipt requested, to either Party at the address listed above, or at such other address which either Party may so notify the other. Unless modified as set forth above the addresses are as follows:
|Andesa|Client|
|Andesa Services Inc.|Delaware Life Insurance Company|
|6575 Snowdrift Road|96 Worcester Street|
|Suite 108|Wellesley Hills, MA 02481|
|Allentown, PA 18106|Attn: President|
|Attn: Chris Lombardi| |
16.4 Force Majeure. Neither Party shall be liable for failing to fulfill its obligations (other than payment of moneys due) due to acts of God, civil or military authority, war, riots, strikes, fire, epidemic, breakdowns, outages, delays, or limitations of capacity of telecommunications or data networks or other service providers contracted by Client or Andesa, or other similar causes beyond its reasonable control and not involving such Party’s negligence (a “Force Majeure Event”) provided such Party immediately gives the other Party written notice thereof and undertakes commercially reasonable efforts to circumvent the cause of the delay or minimize the extent of the delay. In the event a Party hereto is prevented from meeting its obligations by such unforeseen circumstances, and such Party is unable to provide assurances that recovery will occur within thirty (30) days, or recovery fails to occur within thirty (30) days, the other Party hereto shall have the right to terminate this Agreement, effective upon delivery of written notice of the same to the other Party, and no Party shall be liable to any other arising out of such termination, except for obligations existing prior to such termination. The terms of this Section 16.4 shall not relieve Andesa of its obligation to perform disaster recovery pursuant to Section 2.9.
16.5 Choice of Law. This Agreement shall be governed by the laws of the Commonwealth of Pennsylvania. Except for any Arbitration pursuant to Section 15.2, venue and jurisdiction shall lie exclusively in the state and federal courts sitting in the Commonwealth of Pennsylvania.
16.6 Exclusivity/Severability. This Agreement, together with any attachments, sets forth the complete and exhaustive statement of the agreement between Client and Andesa which supersedes all proposals, oral or written, and all other communications between Client and Andesa with respect to the substance of this Agreement, all of which are merged into this Agreement. If any provision of this Agreement is for any reason found to be unenforceable, the remainder of this Agreement shall continue in full force and effect.
16.7 Prohibited Contact With Staff. Client (for itself and its Permitted Affiliates), and Andesa (for itself and its Affiliates), agree that they will not hire, or solicit to hire, any individual person who is an employee, contractor, subcontractor or agent of the other Party during the Term of this Agreement and one year thereafter, without the written consent of the other Party; provided that the restriction on solicitation shall not apply to a general solicitation not specifically directed to employees of the other party. In the event of a breach of this provision the hiring Party shall pay the other Party an amount equal to one year’s salary or compensation of the employee or agent as liquidated damages for such breach.
16.8 Independent Contractor Status.
(a) Andesa at all times will be an independent contractor. The employees of Andesa will in no event and for no purpose whatsoever be considered employees of Client or vice versa. No agency relationship between the Parties, except as expressly provided herein, will exist from the execution of this Agreement or the performance of duties by the Parties hereunder.
(b) Each Party will be responsible for the performance of its employees, agents and subcontractors performing services hereunder on its behalf and all acts and omissions of its Affiliates relating hereto.
16.9 Complaint Reporting. In accordance with the procedures and guidelines provided by Client, Andesa shall immediately report to Client all complaints and notices of litigation from any party or regulatory agencies in any way related to Client. Andesa shall attach to such report any and all information from its records to assist Client in its response.
16.10 Taxes. If Andesa is required to pay any sales, use, property, value-added, or other federal, state or local taxes as a result of this Agreement, such taxes will be billed to and paid by Client; this shall not apply to Andesa’s income taxes, corporate franchise taxes, or similar taxes. If Client is specifically exempt from such levies by virtue of its status as defined in the Internal Revenue Code, Client shall provide Andesa with such tax-exempt certificate.
16.11 Additional Fees. Should any additional services, programming, consulting, or technical assistance outside the scope of the Agreement as set forth herein be required, or should Client purchase or subscribe to Custom Enhancements, products or services not described herein or specified on the Exhibits or Schedules attached hereto, such Custom Enhancements, products and services shall be provided to Client at a rate mutually agreed to by the Parties. Any new products or services so provided may require payment of a deposit in advance.
16.12 Invoicing and Payment. Andesa shall submit invoices to Client Accounts Payable at the address given in Section 16.3, or such other address as Client may direct. Unless otherwise provided, invoice(s) will be issued by Andesa monthly during the Term. Each invoice shall clearly state the period to which it relates and a detailed description of the services invoiced. Client will pay the undisputed amount of the invoice in full within thirty (30) days of billing. Overdue invoices will be payable in the amount of the invoice plus 1.5% for each month or partial month overdue.
16.13 Invoice Disputes. Notwithstanding Section 16.12, Client may, in good faith, dispute any amount invoiced under this Agreement. Any dispute regarding amounts due, whether for billing errors or otherwise, must be raised in writing within ten (10) days of Client’s receipt of Andesa’s invoice, including sufficient details to advise Andesa as to the nature and extent of the dispute or shall be deemed waived. If Client gives such notice when required and pays all undisputed amounts, and so long as Client is attempting in faith by appropriate means to resolve the dispute with Andesa, Client may withhold the disputed amount for up to ninety (90) days and Andesa will continue to make the Andesa System available. Client and Andesa will use
their good faith efforts to reconcile the dispute within sixty (60) days of the invoice date and shall exchange any documentation that may assist in such resolution. Such dispute may be submitted to resolution in accordance with Article 15 at any time by either Party. Acceptance of any partial payment by Andesa shall not waive any rights of Andesa with respect to unpaid amounts.
16.14 Trademarks; Publicity.
(a) Neither Party may use the trademarks, logos, names, or other likenesses of the other Party or its Affiliates in advertising, marketing, press releases or other communications except with the prior written permission of the other Party.
(b) The Parties will cooperate from time to time to issue mutually agreeable announcements and press releases concerning the execution of this Agreement, their relationship and similar matters.
16.15 Survival. All provisions of this Agreement that by their terms or nature should be or construed as surviving termination of the Agreement shall survive the termination of the Agreement including, by way of illustration only and not limitation, Articles 3, 4, 8, 9, 10, 11, and 15 and Sections 13.2, 13.4, 13.5, 13.6, 14.4, 14.5, 16.3, 16.5, 16.7, 16.9, 16.10, 16.11, 16.12, 16.14, and this Section 16.15.
16.16 Headings. The headings at the beginning of the paragraphs of this Agreement are for convenience only and shall be ignored in construing this document. The Parties acknowledge that each has had an opportunity to negotiate the terms of this Agreement and therefore in any interpretation of this Agreement neither Party shall have the burden of overcoming any presumption or implication related to it having drafted this Agreement.
THE UNDERSIGNED UNDERSTAND AND AGREE TO THE TERMS OF THIS AGREEMENT.
|ANDESA SERVICES, INC.|DELAWARE LIFE INSURANCE COMPANY|
|By:|By:|
|Authorized Signature|Authorized Signature|
|Printed Name|Printed Name|
|Title:|Title:|
|Date:|Date:|
Exhibits
|Exhibit A|Andesa System|
|Exhibit B|Fees for Andesa System|
|Exhibit C|Service Level Commitment|
|Exhibit D|Service Options|
|Exhibit E|Information Security Program|
EXHIBIT A
ANDESA SYSTEM
Andesa has the following software applications and functions available to Client and Client’s Affiliates for the Products commencing on the Initial Acceptance Date.
Software Service
|AFAS|Andesa Financial Administration System supports product configuration, Policy issue and Policy administration processing. AFAS provides calculation and retention of all Policy values with unlimited retroactive event processing, compliance monitoring and electronic interfaces with Client processing systems.|
|ITM|Internet Transaction Manager is a web enabled user interface to the Policy administration system that enables secure, online entry of case and Policy transactions.|
|DM|DataMart is a web enabled user interface to the Policy administration system that provides easy access to reports at the case, division or Policy level.|
|PSS|Policy Snapshot is an internet-based Policy inquiry tool that provides the ability to view individual Policy-level detail, including financial transaction history.|
|FRW|Flex Report Writer is an internet-based reporting service which provides ad-hoc Policy administration search and report generation capability.|
|ADASTAR|ADASTAR™ is an internet-based illustration system that provides both pre-sale and in-force illustrations. The system uses the same calculation engine as the AFAS system to perform calculations.|
|ADASTAR Q+|ADASTAR Q+™ provides the ability to administer the following plan types within the constraints that exist in the system as of the Effective Date of this Agreement: • Death Benefit Only • Split-Dollar • Bank Owned Life Insurance • Salary Continuation • Supplemental Life Insurance • Fixed and Variable Deferred Compensation • Sponsor Access|
|PVS|Product Validation Service provides the ability for a Client to validate Policy system changes by running illustrations against a prototype engine before changes are implemented.|
|NEW BUSINESS PORTAL|New Business Portal is an internet-based service that provides the ability to manage forms, do automatic prefill of enrollment data from illustrations for Andesa Clients using ADASTAR™, do online enrollment, capture electronic signatures on the enrollment forms and automate new business submission from online enrollment.|
|POLICYHOLDER SELF SERVICE|Policyholder Self Service Portal is an internet-based Policy maintenance tool that provides an individual Policyholder the ability to access, view and maintain their own Policy information within the constraints set by the insurance company with which the Policy is written.|
DELAWARE LIFE PRODUCTS
|UL|Universal Life Policies – (includes Variable)|
|LCP|Large Case Private Placement VUL|
|FCVUL|Futurity VUL|
|CVUL|Corporate VUL|
|LCVUL|Large Case VUL|
|PPVUL|Corporate Private Placement|
|SVL|Executive VUL|
|SULNY|Sun Executive Universal Life – New York|
|PPG|Private Placement Policies|
|PPVA|Private Placement Variable Annuity|
|PPVAIAC|Private Placement Variable Annuity (Offshore-DLIAC)|
|PPVANY|Private Placement Variable Annuity (NY-DLNY)|
|PPVUL|Private Placement Variable Universal Life|
|PPVULIAC|Private Placement Variable Universal Life (Offshore-DLIAC)|
In addition to the products listed above, Andesa agrees to service and Client agrees to pay fees for the implementation and ongoing service of any new products that the parties have agreed to subsequent to the date of this Agreement.
Andesa will provide the following software applications and functions to Client and Client’s Affiliates for the Products commencing on the Initial Acceptance Date.
|USE OF SOFTWARE SERVICE BY PRODUCT
|AFAS
|ITM
|DM
|PSS
|ADASTAR
|
LCP
|X
|X
|X
|X
|X
|
FCVUL
|X
|X
|X
|X
|X
|
CVUL
|X
|X
|X
|X
|X
|
LCVUL
|X
|X
|X
|X
|X
|
PPVUL
|X
|X
|X
|X
|
SVL
|X
|X
|X
|X
|
SULNY
|X
|X
|
PPVA
|X
|X
|
PPVAIAC
|X
|X
|
PPVANY
|X
|X
|
PPVUL
|X
|X
|
PPVULIAC
|X
|X
EXHIBIT B
FEES FOR ANDESA SYSTEM
Monthly Fees
|Base Fee*
|$
|See breakdown below:
|AFAS
|$
|PSS
|$
|ITM
|ADASTAR
|DM
|Archive Fees
|Product Fee*
|$
|See breakdown below:
|UL
|$
|PPG
|$
|Active Policy Fees*
|Quantity
|AFAS for UL
|AFAS for PPG
|DM
|ADASTAR
|PSS
|1 - 5,000
|
|
|5,001 - 20,000
|
|
|
|20,001 - 35,000
|
|
|
|35,000+
|
|
|
|From
|To
|Per Policy
|
Assets Fees (ADASTAR)*
|$1
|$
|$
|$
|unlimited
|$
|Authorized Users (ADASTAR & PSS)*
|$
|per User Count 26-50
|
|per User count>50
|Interface File Fees*
|$
|1 to 12 times/year
|additional for 12+ times/year
All Monthly Fees above marked with “*” are adjusted annually for inflation/deflation based upon the CPI.
“CPI” means the Consumer Price Index—All Urban Consumers, U.S. City Average, All Items -Unadjusted. The CPI adjustment will be calculated by comparing the change from October to October of each year using the then current CPI and will be effective on January 1 of the following year for a period of 12 months. The CPI will be applied to the Monthly Fees the first January after the Effective Date and each subsequent January during the Term of this Agreement.
For example, if the CPI for the current year is 220 and the new CPI in October of the current year is 224 (a 1.8% increase), then, effective January 1 of the next year, the Monthly Fees noted above that are subject to the CPI adjustment will be increased by 1.8%.
Authorized User Fee is only charged once per user regardless of the number of software services to which the user has access.
Andesa shall submit an invoice for the initial Monthly Fee at the end of the month during which Initial Acceptance Date occurs. Thereafter, invoices shall be issued in arrears dated the last day of the month in which services are provided.
Travel
Client agrees to pay all actual reasonable travel and out-of-pocket travel expenses of Andesa personnel incurred on Client’s behalf (with Client’s prior written approval for any expense or related expenses in excess of $250). As used herein, travel and out-of-pocket expenses shall mean travel to and from Client’s site, an alternate site designated by Client or a site of any of its Authorized Users, including lodging, meals, telephone and shipping and other reasonable expenses related to such travel. Upon the request of Client, reasonable backup documentation in the form of receipts or other written proof shall be provided by Andesa.
Training Included in Base Fee
1. Initial Training: 1 Week (5 Days)
2. Annual Training: Two days annually.
Additional training will be provided upon request of Client and will be scheduled at the mutual convenience of Andesa and Client. Client agrees to pay Andesa for all costs associated with the additional training at a cost determined on the basis of the rate cards attached hereto, provided that such rates may be adjusted annually based on the CPI.
EXHIBIT C
SERVICE LEVEL COMMITMENTS
The following identifies service level obligations and responsibilities being provided pursuant to the Agreement.
A. Additional Definitions:
The following capitalized terms shall apply to this Exhibit.
“Application(s)” means the Andesa System.
“Application Availability” means the applications are available and have updated information by 8 AM ET the day following a Business Day.
“Batch Cycle File Transmission” means the transmission of carrier specified reports and interfaces created from AFAS after a batch cycle is completed.
“Actual Late Minutes” for a given month means the actual minutes late for either Application Availability or Batch Cycle File Transmission.
“Adjusted Late Minutes” for a given month means Actual Late Minutes adjusted for any late fund unit values.
“Available Late Minutes” for a given month means the sum of 5 minutes per Business Day.
“Excess Late Minutes” for a given month means the excess (if any) of Adjusted Late Minutes over Available Late Minutes.
“Business Day(s)” means any days that the NYSE is open.
“Peak Hours” means 8:00 a.m. to 6:00 p.m. ET on Business Days.
“Non-Peak Hours” means 6:00 p.m. to 8:00 a.m. ET on Business Days and all times on other days.
“Emergency Outage” means the minutes a file or an Application is unavailable due to circumstances beyond Andesa’s control, including but not limited to, network connectivity issues at Client, internet outages, disaster recovery situations and Force Majeure events.
B. Data Transmissions. Andesa is not responsible for loss of data resulting from (i) transmissions from Client or any third party to Andesa, (ii) improper transmission by Client or any third party or (iii) failure by Client or any third party to act on any communication transmission to or by Client through Andesa Services. In the event of improper transmissions or loss of data during transmission, then, in addition to and not in derogation of any other remedies available to Client, Andesa will use its best efforts to promptly recreate such transmission. Notwithstanding the foregoing, Andesa shall be responsible for resolution of any data integrity problems caused solely by Andesa.
C. Transaction Processing. Automated transaction submissions received at the designated FTP site by 5:30 PM ET and in good order will be processed in that evening’s batch cycle. If received after 5:30 PM ET, it will be processed in the next day’s batch cycle. Andesa will notify Client within 2 hours of a transaction submission if it is not in good order. Emailed transaction submissions received in the designated Email box by 5:30 PM ET and in good order will be processed in that evening’s batch cycle. If received after 5:30 PM ET, it will be processed in the next day’s batch cycle. Andesa will notify Client within 2 hours of a transaction submission if it is not in good order.
D. Planned Outages. Andesa shall notify Client by email notice of any planned outages for maintenance purposes three days prior to the planned outage; provided such planned outage shall occur during Non-Peak Hours. This notification does not apply to Andesa’s weekly scheduled maintenance window or to Andesa’s weekly scheduled deployment windows.
Table 1: Outages
|Outage|Notice|
|Planned outages during standard weekly maintenance window (12:00 PM ET Saturday until 12:00 PM ET on Sunday) and weekly deployment windows|No notice required.|
|Planned outages, Non-Peak hours|72 hour prior Email notification to Client’s email distribution list.|
|Emergency outages*, Non-Peak Hours|Email notification to Client’s email distribution list.|
|Emergency outages*, Peak Hours|Email notification and a phone call within 15 minutes to Client’s defined primary and backup contact, if primary contact is unavailable.|
* Emergency outages include all unplanned outages.
E. Service Level Commitments.
Application Availability - Applications will be held to a 97.5% uptime.
Batch Cycle File Transmission—All carrier specified batch cycle files will be uploaded to secure FTP site by 4:30 AM ET 97.5% of the time.
F. Impacts on Service Levels. The service level expectations set forth in Section E may be impacted by certain events or require certain performance on the part of the Client. Those service level impacts are defined as follows:
1. In order to achieve the above defined service levels, it is necessary that Andesa receive updated fund unit values from the appropriate fund manager / custodian by 9:00 PM ET.
Should fund value information be delayed, the start of Andesa’s nightly cycle will be delayed; thus all SLCs shall adjust by 60 minutes plus a minute-for-minute basis for the time of the delay.
2. Any downtime that occurs during a disaster recovery or Force Majeure Event at Andesa or the Client location which prevents the transmission, receipt or processing of data shall be excluded from the percentage available measures.
G. SLC Credits. Service levels in Section E will be measured monthly. Andesa will provide Client a monthly report identifying the service level achieved.
Application Availability:
1. Andesa tracks Actual Late Minutes, Adjusted Late Minutes, Available Late Minutes and Excess Late Minutes.
2. Should there be Excess Late Minutes as measured on a monthly basis, Andesa agrees to issue an SLC Credit against future Monthly Fees. The credit shall be calculated against the monthly service fees and shall be issued according to the following table:
|Availability %|100-97.5%|97.5-90%|Below 90%|
|Service Fee Credit %|%|%|%|
Batch Cycle File Transmission:
1. SLC credits are not applicable to delivery of files and extracts unless such failures are the result of actions of Andesa staff or systems, including the improper or incomplete implementation of such files or extracts to the applicable agreed upon Specifications.
2. Should the % of Interfaces being delivered according to Interface requirements not exceed specified levels, as indicated below, Andesa agrees to issue an SLC Credit against future Monthly Fees. The credit shall be calculated against the monthly service fees and shall be issued according to the following table:
|Batch Cycle File Transmission %|100-97.5%|97.5-90%|Below 90%|
|Service Fee Credit %|%|%|%|
H. Changes to Service Levels. The SLCs shall be reviewed periodically and each Party shall cooperate in good faith to adapt the Services provided and this SLC Exhibit as quantities increase or change in any way.
EXHIBIT D
SERVICE OPTIONS
In addition to Services identified in Article 2 of the Agreement, Andesa will provide the following services to Client and Client’s Affiliates for the Products, commencing on Initial Acceptance Date.
Transaction Support. Andesa provides transactional data entry support for the entire life cycle of a Policy, from issue through termination. Andesa acts solely at the discretion and direction of and based explicitly on the written product Specifications and administrative requirements of Client.
The Andesa Financial Administration System allows the flexibility of entering and changing of historical transactions. Job scheduling of applications is programmed within each Client-specific environment to provide logical processing of application programs.
Transaction Input: Transactions (received by fax, email, or electronic data file transfer) are entered into Andesa Financial Administration System (AFAS) utilizing our transaction editor. A log is maintained of all transactions received by fax. A test calculation process ensures the transaction passes validation checks. The Client’s instruction and the editor output are compared to the original request for accuracy and quality assurance by a separate Client Service Representative.
All transactions entered are recorded on a Client-specific log. The log is used to ensure all transactions have been accounted for in the daily processing cycle. A Senior Client Services Representative verifies all transactions requiring input by Andesa personnel have been entered and processed each day.
Transaction Processing Cut-off: Andesa requires all financial transactions (fund transfers, premium allocations, partial surrenders, surrenders, cancellations, loans, loan repayments, deaths, market value adjustments, etc.) that are received by Client in accordance with the Service Level Commitments to be processed same-day. Non-financial transactions are processed within one Business Day of receipt.
Transaction Processing: Processing of transactions occurs during evening hours. Prior to the commencement of any processing, fund unit values must be received from Client’s fund managers. The unit values must be received in accordance with the Service Level Commitments. The unit values are received in a text format via: 1) email, 2) download from Client’s website, 3) download from Client’s server or mainframe, or 4) via FTP to Andesa’s secure FTP server. Andesa has a written Client-specific contingency plan to ensure unit value information is received in a timely manner; and, if not, to ensure that all parties to the transactions are aware of the remedy.
Transaction Output: Andesa personnel verify that processing is complete and accurate. Controls are programmed into Client applications to ensure complete processing of data.
Problem Resolution: Andesa personnel assigned to Client perform problem tracking and resolution. All issues requiring research or support, and their subsequent resolution, are logged into Andesa’s Issue Resolution (AIRS) database. Issues affecting processing are resolved prior to daily processing by the CSR with technology staff support, as needed. Client Services Group staff is involved in the resolution as appropriate and as documented in Client-specific contingency plan.
Exhibit E
INFORMATION SECURITY PROGRAM
1. Overview. This Exhibit describes the Information Security Program that Andesa maintains and the Subscriber requirements as applicable to protect the confidentiality, integrity and availability of Client and Andesa Records. This Exhibit describes the Information Security Program as of the executed Service Agreement date therein and may be updated from time to time. Andesa agrees to provide and take security precautions utilizing technologies and techniques in accordance with commercially reasonable security practices used in Andesa’s industry. Andesa may revise such security procedures from time to time. Client understands that such practices and techniques cannot be in full use 100% of the time for legitimate reasons such as system maintenance or implementation of new or changed technology. Regardless of anything else contained in this Agreement or otherwise, Andesa does not guarantee that its information security program or measures will ever be 100% safe against a party having sufficient technology, resources and determination.
2. Definitions. For the purposes of this Exhibit, the terms defined below have the following meaning:
a. “Agent” means anyone who, through either an agency or contractual relationship, has authority to view, host, store, process, transmit, print, back-up or destroy Client Records.
b. “Information Security” is defined as the protection against the loss of Client Record confidentiality, integrity or availability.
c. “Information Security Program” is defined as the policies, practices and controls designed to protect the confidentiality, integrity, and availability of Client Records.
d. “Physical Security” or “Physically Secured” is defined as the protection of information in hardcopy form, information technology hardware, infrastructure and facilities used in data processing operations, against loss or unauthorized acquisition, access or disclosure, or damage during its production, storage, distribution, use or destruction.
3. Organizational Roles and Responsibilities. Andesa’s organizational roles and responsibilities include an information security officer, or comparable role assigned to one of Andesa’s officers or senior management, to be responsible for the establishment, administration, and maintenance of a comprehensive written Information Security Program. The Information Security Program includes, at a minimum, the practices described in this Exhibit.
|4.
|
Information Security Program Framework and Right to Audit.
|a.
|
Andesa reasonably aligns its Information Security Program as applicable to the framework set forth by the International Standards Organization’s (“ISO”) Code of Practice for Information Security Management (“ISO/IEC 27002:2005,” as amended from time to time). Andesa reserves the right to adopt all or part of this or other industry accepted Information Security management frameworks.
|b.
|
Andesa management reviews all or part of the Information Security Program annually.
|c.
|
Andesa will grant Client or an independent third-party auditor appointed by Client with reasonable notice, within a mutually agreeable time-frame and at Clients expense, permission to perform an on-site audit or assessment of Andesa’s Information Security Program, excluding direct access to Andesa applications, networks or systems, provided that Client or assigned third party who Client desires to make such assessment shall have entered into a written confidentiality and nondisclosure agreement reasonably satisfactory to Andesa, which includes a prohibition on any disclosure of information regarding Andesa’s Information Security Program or any deficiencies therein or regarding any Breach of Security, except as is expressly required by applicable law or with Andesa’s prior written consent.
|5.
|
General Information Security Requirements.
|a.
|
Andesa takes reasonable measures, where possible to segregate job functions and roles performed by its employees or Agents such that no individual, internal or external to Andesa, has conflicting duties that could jeopardize the confidentiality, integrity or availability of Client Records. Such measures may include, but are not limited to, permitting only Andesa employees or Agents with a business “need to know” to access and manage Client Records, providing the minimal level of access needed to perform a given job function (the “principle of least privilege”). Where segregation of job functions and roles are not possible, mitigating monitoring controls are implemented.
|b.
|
Andesa maintains a policy prohibiting the unauthorized installation of software on Andesa Records by its employees or Agents.
|c.
|
Andesa and Client agree to configure Industry Standard access control mechanisms and encryption technology with the view to protect Confidential Information in transit over the internet, including email through the use of Client enforced TLS encryption, and Confidential Information on mobile devices such as laptops, tablets, smart phones, portable memory drives and other similar mobile devices.
|6.
|
Media Destruction. Media destruction will be performed in a secure manner such that the information cannot be reasonably recreated or read after disposal.
|7.
|
Human Resources Management.
|a.
|
Andesa performs generally accepted state and federal criminal background checks prior to employment.
|b.
|
Andesa provides Information Security awareness training to its employees and Agents annually. Andesa may impose disciplinary measures on those employees or Agents who violate the Information Security Program.
|8.
|
Physical Security. Andesa maintains administrative and physical safeguards to control physical access to Client Records. Such measures may include, but are not limited to, securing access to Andesa premises, timely disabling of lost facilities access cards, securing storage containers and destroying Records in a secured environment.
|9.
|
Data Backup.
|a.
|
Andesa maintains or contracts for backup capabilities reasonably designed to support the recovery of Client Records in accordance with Client and Andesa agreed upon disaster recovery requirements. Andesa utilizes back-up facilities that are designed to be physically and logically secured.
|b.
|
Andesa shall not be responsible for any loss, damage, claims, or destruction of data due to Client’s failure or the failure of a third party, to properly backup data at Client’s site or the sites of their respective Authorized Users.
|c.
|
Andesa encrypts backups with industry standard encryption technology and methods.
|10.
|
Network Security.
|a.
|
Andesa and Client agree that Client or Andesa may terminate any Client network or Client remote connection (“connection”) with Andesa at any time, without warning, if Client or Andesa suspects or confirms that any such connection is not secure. Client and Andesa will make all reasonable efforts to provide timely notification of each affected party of such termination. SLAs will be suspended for the duration of time that network and remote connections are terminated by Client or Andesa.
|b.
|
Andesa and Client agree to utilize Industry Standard practices with respect to establishing and maintaining appropriate controls for its electronic interfaces and connections between its own systems and those of others.
|c.
|
Andesa and Client agree to reasonably employ and maintain information system hardening practices for systems that view, store, process or transmit Personal Information, including, but not limited to, turning off inessential system services and ports, employing anti-virus and malware controls, and software patches and security updates.
|d.
|
Andesa and Client agree to utilize appropriate firewall or similar technology to disallow unauthorized in-bound and out-bound connections to Andesa or Client information systems that view, store, process or transmit Andesa or Client Records. Moreover, Andesa and Client further agree to employ intrusion detection systems or intrusion prevention systems to guard against malicious network activity and configure such systems to alert appropriate personnel.
|e.
|
Andesa restricts wireless network access points, with access to Andesa’s internal network, to authorized devices only. Furthermore, Andesa utilized Industry Standard practices for encryption and other appropriate safeguards for wireless network access points to protect against unauthorized access and use.
|11.
|
System Event Logging and Monitoring. Where feasible, Andesa and Client agree to log significant access events for information systems used to provide services to Client or Andesa that store, process or transmit Confidential Information. A significant event includes, but is not limited to: logon, logoff and lock-out events of network and systems. Moreover, Andesa and Client agree to establish procedures to monitor such logs.
|12.
|
Logical Access.
|a.
|
Andesa and Client agree to establish and maintain written procedures to govern the creation, modification, disabling or deletion of user accounts that access Confidential Information, which at minimum, address employee or Agent termination, prolonged leave of absence or changes in job duties. Moreover, Client agrees to promptly communicate to Andesa, via email [webmaster@Andesaservices.com], of the reassignment or termination of Client’s employees or agents, allowing Andesa to remove identified former Client employee or Agent from accessing Andesa’s network or systems.
|b.
|
Andesa and Client agree to employ reasonable Industry Standard logical access safeguards on all systems that store or transmit Confidential Information. Andesa and Client agree, at minimum, to issue users a personally identifiable unique user account, configure strong passwords and set reasonable password expiration timeframes. Moreover, accounts with access to Confidential Information must be configured, where technically possible, to disallow login capability after a maximum of ten (10) consecutive unsuccessful login attempts.
|c.
|
Andesa and Client agree to store user password text in encrypted form in the user identity database and such password text must be rendered unreadable during transmission over public networks and storage where feasible. System passwords embedded within batch files or automatic scripts that cannot be technically or reasonably encrypted are to be restricted to authorized individuals, requiring an extended password length.
|13.
|
Application and System Development and Security.
|a.
|
Andesa maintains a written systems development life cycle (“SDLC”) plan that provides for the preliminary review of information security requirements, which includes: establishment of separate physical or logical environments for development, testing and production, controlled utilization of data and logical access, reasonable segregation of employee duties, and a change management process.
|b.
|
Andesa conducts an annual web application vulnerability assessment by an independent third party organization on Andesa’s web applications associated with processing, storage or transmission of the Client Records. Andesa will provide Client with an executive report of the results of such vulnerability assessment when requested by Client, which Client will treat as Andesa Confidential Information.
|14.
|
Information Security Incident Management.
|a.
|
Andesa maintains a written information Security Incident response plan.
|b.
|
Andesa will promptly notify Client of a Security Incident involving Client’s Personal Information, investigate the incident, and use commercially reasonable efforts to mitigate its effects. Client shall use all commercially reasonable efforts of its own to do the same, and shall cooperate fully with Andesa in such regard.
|15.
|
Vendor Management. Andesa will take reasonable steps to select and retain third-party service providers that are capable of, and contractually bound to maintain appropriate security measures to safeguard Client Records.
|16.
|
Business Continuity and Disaster Recovery.
|a.
|
Andesa maintains written business continuity and disaster recovery plans (respectively, “BCP” and “DR”), which include, but are not limited to, implementation of BCP/DR procedures and resources to recover Client Records and maintain critical business functions following a disaster event.
|b.
|
Andesa will promptly notify Client of any event that triggers the full implementation of Andesa’s Business Continuity Plan and use commercially reasonable efforts to provide regular reports to Client regarding the status of Andesa’s response to, and recovery from, the disaster event.
|c.
|
Andesa performs Business Continuity Plan testing in whole or part annually and will provide Client, upon request, with an executive report of the test affecting Client Records or workforce.
|d.
|
Client may participate in business continuity tests conducted by or on behalf of Andesa affecting Client Records and/or Andesa workforce recovery affecting Client. Client shall bear all of its own costs of participating in such test, along with any incremental cost incurred by Andesa as a result of permitting Client to participate.
|e.
|
Any test of the Business Continuity Plan requested by Client outside of Andesa’s normally scheduled testing process will be conducted on behalf of Client at Andesa’s then current rates within a mutually agreeable time-frame.
|f.
|
Andesa will permit Client to review on-site at Andesa facilities, Andesa’s BCP and DR materials affecting Client Records with reasonable notice and at Client’s expense, annually. Andesa will, at Client’s request, provide information satisfactory to Client’s auditors relating to the BCP and DR process.
|17.
|
Compliance. Andesa and Client agree to comply with applicable state and federal statutory requirements applicable to the secure storage, processing and transmission of Confidential Information.
|18.
|
Andesa Expenses. If Andesa incurs direct costs associated with compliance with the Client’s particular security requirements that Andesa would not have otherwise undertaken in the course of its business, Andesa may charge such direct, additional costs to Client.