Exhibit 10.44
CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THIS EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) WOULD BE COMPETITIVELY HARMFUL IF PUBLICLY DISCLOSED. THE REDACTED TERMS HAVE BEEN MARKED WITH THREE ASTERISKS [***]
MASTER SERVICES AGREEMENT
This Master Services Agreement (this "MSA") is hereby entered into by Athena Bitcoin Global, a corporation organized and existing under the laws of Nevada, USA, Athena Bitcoin Inc., a corporation organized and existing under the laws of Delaware, USA, and Athena Bitcoin Holdings of El Salvador SA DE CV, a Salvadorian corporation (Athena Bitcoin Global, Athena Bitcoin Inc., and Athena Bitcoin Holdings of El Salvador SA DE CV collectively referred to as the "Company"), Chivo, Sociedad Anonima de Capital Variable ("Republic") and, solely for the purposes of Sections 10 and 11.15, Matias A. Goldenhorn ("Authorized Representative"), and is effective as of July 1, 2022 ("MSA Effective Date"). In this MSA, Company and Republic are each referred to as a "Party" or collectively as the "Parties". Capitalized terms that are not defined in the body or exhibits of this MSA have the meanings set forth in Exhibit A (Definitions).
1. MSA.
1.1Service Level Agreements. The Republic and/or any of its Entities may procure services from Company and/or any of its Affiliates by executing a service level agreement, in addition to this MSA, in the form attached hereto as Exhibit C (an "SLA"), which will describe specific services that the Company Entities will provide to the Republic Entities (the "Services") and will set forth terms applicable to such Services. The SLA shall form an independent agreement binding on each of the Republic Entities and Company Entities that execute it. By executing an SLA, the applicable Republic Entities and Company Entities agree to the terms of the SLA and the terms in this MSA.
1.2 Application of MSA to SLA. When interpreting the terms of this MSA with respect to the SLA, (i) references to "Company", "Republic", and "Party" will be construed as references to the Company Entities and the Republic Entities that signed the SLA, except where the context indicates otherwise, (ii) references to "Services" will be construed as references to the Services described in the SLA, and (iii) references to an "SLA" will refer to the terms of both the SLA and the terms of this MSA as applicable to the SLA. If there is a conflict between the terms of the SLA and this MSA, the SLA will control.
1.3 Responsibility for Entities. Company will be jointly and severally liable for all the acts and omissions of each Party that is part of the Company.
2. SERVICES.
With respect to the Services set forth in the SLA, Company will provide the Services and perform as follows:
2.1Provision of Services. Company will provide the Services in accordance with (i) the terms of the SLA and (ii) Applicable Law. The Services will include all ancillary services required for Company to provide the Services to Republic, including all those that are inherent, necessary, or customary to provide the Services. Company will only use personnel who are suitably skilled, experienced, and qualified to provide the Services.
2.2 Development and Integration. Company will provide (i) continuous maintenance and necessary repairs for the Republic's automated teller machines that accept and distribute Bitcoin cryptocurrency (any such machine, the "Republic ATM"), and (ii) maintenance, support, and software updates and corrections in relation to the Republic ATMs, in accordance with the SLA and the other requirements that Republic may provide to Company from time to time. Company will provide Republic with the Technology required for Republic to use or make available the Services for the Republic ATMs as contemplated in the SLA. Company will provide a dedicated integration and development team and all development resources necessary to fully integrate and develop the Services.
2.3Performance Standards. Company will use its best efforts to perform the Services. All Services will be performed by Company in a workmanlike manner and, in any event, no less than with that degree of skill and care that Company uses when performing the same or similar services to its other customers (e.g., at least the same degree of accuracy, quality, completeness, timeliness, and responsiveness).
2.4Reporting and Monthly Deposits. Company will provide Republic with accurate and complete reports, in a form and format specified by Republic, at the end of each calendar month. [***]
2.5 Relationship Management.
2.5.1As part of the Services, Company will make available personnel (the "Republic RM Team") who will provide Republic with support services and other administrative, operational, technical, and partner support, as reasonably requested by Republic. The Republic RM Team will be dedicated to Republic and adequate in number. The Republic RM Team will be available for regular, periodic meetings as reasonably determined by Republic to discuss the Services generally. [***]
2.5.2Republic may request weekly reconciliation and reporting reviews and business and operations reviews to discuss any specific issues that arise in connection with the Services. The regular, periodic meetings may be held in person, by videoconference, or other format reasonably agreed by the Parties. Company may replace any member of the Republic RM Team by providing Republic with written notice (including via email) of such replacement. From time to time, Republic may raise concerns or issues regarding the Services to Company, and Company will make available its executives who have the decision making power to address the concerns or issues raised.
2.6 Service Providers. Company will obtain Republic's prior written consent, or a waiver of such consent in writing, before using a Service Provider in connection with the SLA. [***]
2.7 User Communications. Company will not, and will cause its Affiliates to not, communicate or otherwise contact any User in connection with the Services without Republic's prior written consent (including via email).
2.8Continued Performance. Company acknowledges that the timely and complete performance of its obligations under this MSA and the SLA is critical to the business and operations of Republic and that time is of the essence, and Company will provide the Services and perform its obligations accordingly. Except if prohibited by Applicable Law, during any dispute resolution proceedings involving the SLA, whether informal or formal, Company will continue to provide the Services in accordance with the SLA (and waives any right to suspend, delay, or otherwise diminish performance), and Republic may continue to exercise its rights in accordance with the SLA. [***]
2.9 Company Policies and Procedures. If the SLA requires Company to perform the Services in accordance with Company's policies or procedures, Company will ensure that such policies or procedures do not conflict with its obligations under the SLA. If there is a conflict between any Company policy or procedure, and the SLA, the SLA will control.
3. INTELLECTUAL PROPERTY.
3.1Assignment of Intellectual Property. Company hereby assigns to Republic, Company's entire right, title, and interest in and to any Intellectual Property Rights, hereafter made or conceived solely or jointly by Company or its Affiliates while working for or on behalf of Republic pursuant to the terms of the MSA or the SLA, which relate to the "Foreground IP". [***]
3.2Works of Authorship. All Foreground IP that are writings or works of authorship, including, without limitation, program codes or documentation, produced or authored by Company or its Affiliates in the course of performing services for Republic, together with any associated copyrights, are works made for hire and the exclusive property of Republic. To the extent that any writings or works of authorship may not, by operation of law, be works made for hire, Company hereby irrevocably assigns Republic all ownership of and all rights of copyright in, such items, and Republic shall have the right to obtain and hold in its own name, rights of copyright, copyright registrations, and similar protections which may be available in such works. Company shall give Republic or its designees all assistance reasonably required to perfect such rights.
3.3[***]
3.4[***]
3.5[***]
3.6Non-Exclusivity; No Commitments. The Parties and their Affiliates acknowledge and agree that the terms of this MSA and the SLA, the Services, and the relationship between the Parties and their respective Affiliates, do not impose any obligations of exclusivity on either Party or its Affiliates. Republic and its Affiliates are under no obligation to (i) enter into the SLA, (ii) guarantee a minimum number of Users who will use the Services, or (iii) provide a minimum volume of transactions processed through the Services or a minimum amount of fees, amounts paid, or revenues in connection with the Services.
3.7Republic Entities and Third Parties. Any Republic Entity may perform any of Republic's obligations, grant any approvals required by Republic, and exercise all rights and all licenses granted to Republic under the SLA. Republic may designate a Representative to receive, on its behalf, any information, communications, reports, or other materials to be provided by Company to Republic pursuant to the SLA. Republic may engage its Representatives to perform its obligations under the SLA. The acts and omissions of a Representative in performing Republic's obligations under the SLA will be treated as the acts and omissions of Republic under the SLA.
3.8Further Assurances. If for any reason, Republic is unable to secure Company's signature on any document needed to apply for, perfect, or otherwise acquire title to the Intellectual Property Rights granted to it under this Section 3, or to enforce such rights, Company hereby designates Republic as Company's attorney-in-fact and agent, solely and exclusively to act for and on Company's behalf to execute and file such documents with the same legal force and effect as if executed by Company and for no other purpose.
4. DATA; DATA SECURITY.
4.1 Data Use, Disclosure and Retention. Notwithstanding anything to the contrary in Section 3, Company will only use data related to Republic and any intellectual property of Republic solely as required to provide the Services to Republic as required under this MSA, the SLA, or, as applicable, to comply with any Governmental Authority. Company shall secure and protect such data from misuse and unauthorized access and implement and maintain security (including, operation, technical, and physical controls), data management, human resource management, asset protection and incident response standards, processes, and protocols of an appropriate level and strength to reasonably protect such data. Company shall use all reasonable efforts to ensure that Republic's data will not be subject to any loss, theft, unauthorized use or access, damage, or other loss of value.
4.2Management of Data and Data Security. Company will secure and protect the Services from misuse and unauthorized access and implement security, data management, and incident response protocols in accordance with industry best practices and comply with the terms of Exhibit B (Data Security Program).
4.3Business Continuity and Disaster Recovery. Company will maintain a business continuity and disaster recovery plan that complies with industry best practices and that enables Company to perform its obligations under the SLA in accordance with the terms thereof without any interruption (the "BCDR Plan"). Company will maintain multiple data centers in different geographic locations and will ensure that all core components of the Company Technology, and all data repositories used to provide the Services, are located in multiple and redundant data centers. Upon Republic's request, Company will provide Republic with a copy of the BCDR Plan. Company will test the BCDR Plan no less than once annually and will provide Republic with a copy of the test results no later than thirty (30) days following the completion of such test, including a detailed description of any material deficiencies, and Company's plan and schedule for curing such deficiencies. If there is a business interruption or disaster, Company will activate and comply with its BCDR Plan.
5. FEES AND INVOICES.
5.1Service Fees. Company shall invoice Republic on a monthly basis in the total amount of the fees incurred by Company in connection with providing the Services to Republic (the "Service Fees"). Republic shall submit payment with respect to any invoice via wire transfer to the Company account listed on such invoice within ten (10) days of receipt of such invoice. [***]
5.2Service Fee Disputes. If Republic disputes any amounts in connection with the Services (e.g., amounts owed, paid, or transferred to Company or charged, reimbursed, collected, invoiced, withheld, or transferred by Company), Republic may provide Company written notice (including via email) of such dispute (a "Notice of Dispute"). Each Notice of Dispute will include sufficient detail for the Company to investigate the dispute and Republic may withhold payment of the disputed amounts in good faith. Once Republic has given Company sufficient detail about the dispute, within ten (10) days of such receipt, Company will use commercially reasonable efforts to resolve the issue and communicate its position in writing to Republic. If the Parties are unable to resolve a dispute within thirty (30) days of Company's receipt of the Notice of Dispute, at the request of either Party, the dispute will be promptly escalated to senior personnel of each Party for resolution. If Republic does not provide a Notice of Dispute with respect to any amounts in connection with the Services, Republic does not waive its right to dispute such amounts at a later date, even if it has paid the amount charged or accepted the amount reimbursed.
5.3 Taxes. The fees set forth in this MSA and the SLA do not include any sales, withhold and use taxes, duties, and charges of any kind imposed by any federal, state, local or international governmental authority ("Taxes") on amounts payable by Republic under this MSA and the SLA. The Republic will provide to Company any withhold tax certificate derived from the services rendered within ten (10) days of receipt of monthly invoice.
5.4Books and Records; Audit. Company will keep and maintain consistently applied, complete and accurate books, records and other documentation, that are, in each case, audited by a reputable and duly licensed audit firm, in connection with the Services, including for all financial transactions, and will retain such books, records and other documentation for a period of no less than ten (10) years following the expiration or termination of the SLA or for such longer period as may be required under Applicable Law (the "Audit Period"). During the Audit Period, upon providing reasonably advanced written notice (including via email) to Company, Republic may audit, or may direct a third-party auditing firm to audit such books and records during normal business hours. Company will cooperate with Republic or such auditing firm in conducting any such audit.
6. TERM AND TERMINATION RIGHTS.
6.1Term. This MSA commences on this MSA Effective Date and, unless otherwise terminated pursuant to the terms of this MSA, continues through July 30, 2024 (the "MSA Term").
6.2Service Level Agreement Term. The SLA commences on the effective date set forth in the SLA and, unless the SLA is terminated, continues for the period of time set forth in the SLA, or if no period of time is set forth, for the period of time coterminous with this MSA (such period of time and any applicable Phase-Out Period, the "SLA Term"). If the SLA Term continues beyond the expiration of the MSA Term, the MSA Term of this MSA will be extended until such time that the SLA expires or is terminated, solely with respect to the Services provided under that SLA. The termination of a specific SLA will not terminate this MSA or any other SLA. Notwithstanding the foregoing, upon termination of this MSA by Republic, the SLA will terminate.
6.3Termination for Cause. Either Party to this MSA or the SLA may terminate this MSA or the SLA (as the case may be) by providing written notice to the other Party, if the other Party commits a material breach of this MSA or the SLA (as the case may be) that (i) is not capable of cure, or (ii) is capable of cure but that the other Party fails to cure within thirty (30) days after receipt of written notice from the other Party of such breach.
6.4Termination for Financial Insolvency. Republic or any Republic Entity that is a party to the SLA, at its sole discretion, may terminate this MSA or the SLA (as the case may be) by providing Company with written notice, if Company (i) becomes insolvent, undergoes a dissolution, or ceases its business operations, or any petition is filed or other steps are taken for its bankruptcy, liquidation, receivership, administration, examinership, dissolution, or other similar action, or (ii) commences negotiations or enters into an agreement with all or any class of its creditors in relation to any assignment for the benefit of such creditors, the rescheduling of any of its debts, and/or any compromise or other arrangement with any of its creditors.
6.5Termination Due to a New Regulatory Requirement. If a Governmental Authority enacts or issues an Applicable Law that conflicts with any term of the SLA (a "Regulatory Requirement"), the Parties will discuss an amendment to the SLA to modify the SLA as required to comply with such Regulatory Requirement. While the Parties are discussing such amendment, if, due to the Regulatory Requirement, Company is unable to perform an obligation under the SLA, then prior to not performing such obligation, Company will inform Republic of the obligation it is unable to perform and will use commercially reasonable efforts to continue to try to perform such obligation in a manner that does not diminish or degrade the functionality of the Services or the User experience (if applicable). If the Parties cannot agree upon the amendment, then upon written notice to Company, Republic may, at its sole discretion, terminate the portion of the SLA affected by the Regulatory Requirement (if practicable) or terminate the SLA in its entirety. Notwithstanding the above, the amendment provision of this Section 6.5 shall not be triggered by any actions of Republic or its Entities.
6.6 Additional Termination. Republic may terminate this MSA or the SLA at any time and for any reason by providing the Company with at least thirty (30) days' prior written notice.
6.7 Not Exclusive Remedy. Termination of this MSA or the SLA is not an exclusive remedy, and the exercise by any Party of any remedy under this MSA or the SLA will be without prejudice to any other remedy it may have under this MSA, the SLA, Applicable Law, or otherwise.
6.8Phase-Out Period/Transition Support. If the SLA expires or is terminated for any reason, Republic may elect to have the Services continue for a period of six (6) months, or such other agreed upon period, starting from the date of termination of the SLA (the "Phase-Out Period"); provided, however, that the Phase-Out Period shall not extend after July 30, 2024. During the Phase-Out Period, Republic may continue to exercise its rights under the SLA, and Company will: (i) continue to operate and provide the Company Technology and Services, and continue to perform its other obligations under the SLA, (ii) cooperate, in a manner that minimizes disruption to Republic and Users, with any transition of the Services to an alternative service provider selected by Republic in its sole discretion, (iii) permit Republic to have full access to all personnel necessary to transition Services to such alternative service provider, and (iv) perform any other actions that are necessary and proper to ensure the transition of the provision of the Services to such alternative service provider.
6.9 Migration of Data. Upon the expiration or termination of the SLA, or otherwise upon Republic's request, Company will provide Republic all Data that is necessary for an alternative service provider, selected by Republic in its sole discretion, to provide the Services (or substantially similar services). All such Data will be provided in a form and format selected by Republic and shall be Republic Data.
6.10 Return/Destruction of Confidential Information. Upon the expiration or termination of this MSA or the SLA (as the case may be) (and any Phase-Out Period), Company will cause its Affiliates and its and their Representatives to, return or destroy all copies of Republic's and its Entities' respective Confidential Information possessed by or within the control of Company or its Affiliates or their Representatives in connection with this MSA or the SLA (as the case may be). Notwithstanding the foregoing, Company may retain Republic's Confidential Information if it is required to be retained (i) to comply with Applicable Law, or (ii) to comply with its obligations under this MSA or the SLA due to an obligation that survives the expiration or termination of this MSA and the SLA. All such retained Confidential Information will (a) only be retained for so long as required and (b) still be subject to the use, disclosure, data security, and other restrictions and obligations in this MSA and the SLA (as applicable).
6.11 Survival. The following Sections and Exhibits will survive any expiration or termination of this MSA or the SLA: Section 1 (MSA), Section 2.6 (Service Providers), Section 2.7 (Communications), Section 3.6 (Non-Exclusivity; No Commitments), Section 4.2 (Management of Data and Data Security), including Exhibit B (Data Security Program), Section 5.4 (Books and Records; Audit), Section 6.7 (Not Exclusive Remedy), Section 6.8 (Phase-Out Period), Section 6.9 (Migration of Data), Section 6.10 (Return/Destruction of Information and Data), Section 6.11 (Survival), Section 6.12 (Effect of Termination), Section 8 (Disclaimers; Limitation of Liability), Section 9 (Indemnification and Performance Bond), Section 10 (Confidentiality), Section 11 (General), Exhibit A (Definitions), in addition to any Sections and Exhibits that are otherwise designated as surviving.
6.12 Effect of Termination. Termination or expiration of the SLA will not affect a Party's respective rights, obligations, and remedies under the SLA with respect to transactions submitted by a User or Republic before the date of termination or expiration (including any chargebacks or reversals related thereto), or with respect to a Party's right to collect for fees of any transaction or service provided.
7. REPRESENTATIONS, WARRANTIES AND COVENANTS.
7.1 Mutual. Each Party to this MSA and the SLA represents and warrants that: (i) it has and will retain, the full right, power, and authority to enter into this MSA or the SLA; (ii) it has been duly authorized to do so by all required governmental, corporate or similar action; (iii) when executed and delivered by such Party, this MSA or the SLA will be legally binding upon and enforceable against such Party, and this MSA or the SLA will not conflict with any agreement, instrument, or understanding, oral or written, to which such Party is a party or by which it may be bound; and (iv) as of the date such Party executed this MSA or the SLA, there are no proceedings pending or, to its knowledge, threatened or reasonably anticipated that would challenge or that may have a material adverse effect on its performance under this MSA or the SLA.
7.2 Company. Company represents, warrants, and covenants that:
7.2.1 Company Organization. Company is duly organized, validly existing, and in good standing as a corporation or other entity as represented in this MSA or the SLA under the laws and regulations of its jurisdiction of incorporation, organization, or chartering.
7.2.2 Company Property.
7.2.2.1The Company Technology, Company Data, and the Services, and the use of them as contemplated under each applicable SLA, do not and will not infringe, violate, or misappropriate the Intellectual Property Rights of any Entity anywhere in the world.
7.2.2.2 The Company Technology is and will be sufficient to enable the Services, including to operate them for the Republic ATMs and enable the use of the Services by Users or Republic, as contemplated under the SLA.
7.2.3 Open Source Software. No portion of the Company Technology is or will be subject to any open source or other license that when used with the Republic ATMs or Republic's Technology as contemplated by each applicable SLA, will require any software associated with the Republic ATMs or Republic's Technology to be disclosed or distributed in source code form, licensed for the making of derivative works, or freely redistributable.
7.2.4No Harmful Material or Disruption. The Company Technology and the Services do not and will not contain or cause any viruses, worms, time bombs, Trojan horses or other harmful, malicious or destructive code to be installed on or introduced into the software for the Republic ATMs or Republic's Technology. Company and its Service Providers will not engage in any act or fail to take any act that could or does result in the disablement, interference, or impairment, in whole or in part, any part of the Republic ATMs or Republic's Technology.
7.2.5Applicable Rights and Licenses. Company has, and each of the Service Providers has, obtained and possesses, and will maintain at all times, all authorizations, permissions, consents, rights, licenses, agreements, permits, approvals, registrations, orders, declarations, filings, and the like, that are required under Applicable Law or by a Governmental Authority, and/or that are necessary (i) to provide the Services and perform its obligations, and (ii) for the Services to be made available and used as contemplated under each applicable SLA.
7.2.6Compliance with Applicable Law. Company's and each Service Providers' performance of its obligations under this MSA and the SLA, and the Services, are and will at all times be in compliance with Applicable Law. Company will promptly notify Republic of any actual or expected changes in Applicable Law that would reasonably be expected to affect the Services or the use of the Services as contemplated.
7.2.7 Protection of Reputation. Company and each Service Provider will take no action that is intended to, or would reasonably be expected to, harm Republic or its reputation or which reasonably would be expected to lead to unwanted or unfavorable publicity to Republic.
7.2.8[***]
7.3Anti-Corruption. Company, on behalf of itself, its Affiliates, its Service Providers, and each of their Representatives, represents, warrants and covenants that they have not engaged in and covenants that they will refrain from offering, promising, paying, giving, authorizing the paying or giving of, soliciting, or accepting money or Anything of Value, directly or indirectly, to or from (i) any Government Official to (a) influence any act or decision of a Government Official in his or her official capacity, (b) induce a Government Official to use his or her influence with a government or instrumentality thereof, or (c) otherwise secure any improper advantage; or (ii) any Entity in any manner that would constitute bribery or an illegal kickback, or would otherwise violate applicable anti-corruption laws. Company will immediately report to Republic any breach of this Section 7.3. As used in this Section 7.3, "Anything of Value" includes cash or a cash equivalent (including "grease," "expediting" or facilitation payments), discounts, rebates, gifts, meals, entertainment, hospitality, use of materials, facilities or equipment, transportation, lodging, or promise of future employment. As used in this Section 7.3, "Government Official" refers to any official or employee of any multinational, national, regional, or local government in any country, including any official or employee of any government department, agency, commission, or division; any official or employee of any government-owned or government-controlled enterprise; any official or employee of any public educational, scientific, or research institution; any political party or official or employee of a political party; any candidate for public office; any official or employee of a public international organization; and any Entity acting on behalf of or any relatives, family, or household members of any of those listed above.
7.4Anti-Money Laundering. Company, on behalf of itself, its Affiliates, its Service Providers, and each of their Representatives, represents, warrants and covenants that they will comply with all applicable laws and regulations aimed at preventing, detecting, and reporting money laundering and suspicious transactions and will take all necessary and appropriate steps, consistent with Applicable Law and generally accepted industry standards set forth by the Financial Action Task Force ("FATF"), to (i) obtain, verify, and retain information with regard to User identification and source of funds, (ii) maintain records of all User transactions, (iii) file reports with applicable Governmental Authorities, and (iv) block account access and terminate transactions that are, or are reasonably suspected to be, in contravention of Applicable Law and generally accepted industry standards set forth by the FATF. Company will immediately report to Republic any breach of this Section 7.4.
8. DISCLAIMERS.
8.1Warranty Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THIS MSA OR THE SLA, NEITHER PARTY TO THIS MSA OR THE SLA MAKES ANY REPRESENTATIONS OR WARRANTIES, AND ALL OF THE PARTIES HEREBY EXPRESSLY DISCLAIM, TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL WARRANTIES, EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IMPLIED WARRANTIES OF NON-INFRINGEMENT AND THOSE ARISING FROM THE COURSE OF DEALING OR PERFORMANCE, USAGE OR TRADE PRACTICES.
8.2Damages Disclaimer. EXCEPT WITH RESPECT TO (I) A BREACH OF SECTION 2.8 (CONTINUED PERFORMANCE), (II) ANY OBLIGATIONS UNDER SECTION 9 (INDEMNIFICATION AND PERFORMANCE BOND), (III) A BREACH OF ANY OBLIGATIONS OR RESTRICTIONS REGARDING DATA USE OR SECURITY OR REGARDING CONFIDENTIAL INFORMATION, INCLUDING SECTION 4 (DATA; DATA SECURITY) AND SECTION 10 (CONFIDENTIALITY), (IV) A BREACH OF SECTION 7.2.8 (ACCESS TO BITCOIN AND PRIVATE KEYS), (V) A PARTY'S GROSS NEGLIGENCE, WILLFUL MISCONDUCT, FRAUD, OR FRAUDULENT MISREPRESENTATION, OR (VI) DEATH OR BODILY INJURY CAUSED BY A PARTY, TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY TO THIS MSA OR THE SLA WILL BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR LOST PROFITS (DIRECT OR INDIRECT), OF ANY KIND IN CONNECTION WITH THE TERMS OR THE BREACH OF THE TERMS OR SUBJECT MATTER OF THIS MSA OR THE SLA, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
9. INDEMNIFICATION.
9.1 Company Indemnification. Company agrees to indemnify, defend, and hold harmless Republic and its Entities, and their respective employees, officers, directors, and other representatives (collectively, the "Republic Indemnified Parties") from and against any and all losses, costs, expenses (including reasonable legal fees and expenses such as for attorneys, experts, and consultants, and reasonable out-of-pocket costs, and interest), penalties, fines, judgments, settlements, damages (of all types including special damages), or liabilities (collectively, "Losses"), suffered or incurred by any of them in connection with any claim, cause of action, or other legal assertion, brought or threatened to be brought by a third party, or any investigation, examination, or proceeding of a Governmental Authority, or any request by a third party for reimbursement or compensation (each a "Claim"), where such Claim arises out of or alleges any of the following: (i) any acts or omissions of Company or a Service Provider that constitute a breach of Section 7 (Representations and Warranties) or any other representations or warranties made under this MSA or the SLA; (ii) Company or a Service Provider's failure to pay any withholding Taxes, social security, unemployment or disability insurance or similar items in connection with compensation received by Company pursuant to this MSA or the SLA; [***]
10. CONFIDENTIALITY.
10.1 Definition and Exclusions.
10.1.1 Definition of CI. A Party (each a "Disclosing Party") may disclose information, directly or indirectly, to the other Party (each a "Receiving Party"), and such information will be deemed to be "Confidential Information" if when it is disclosed, regardless of the form or medium (whether in writing, verbally, electronically, or otherwise), (i) it is designated as confidential by the Disclosing Party, or (ii) it should reasonably be understood by the Receiving Party, given the nature of the information or the circumstances surrounding its disclosure, to be confidential. Confidential Information includes information such as product designs, product plans, software, Technology, financial information, marketing plans, business opportunities, pricing information, information regarding customers or users, inventions, and know-how. The terms of this MSA and the SLA will be treated as Confidential Information. Notwithstanding the foregoing, all Republic Technology, Republic Data and information comprising or concerning the Republic ATMs or Republic's or its Entities' use of the Services, including Usage Information, will be deemed to be Republic's Confidential Information. Notwithstanding anything to the contrary, Personal Data will not be deemed to be Confidential Information under this MSA or the SLA and the use, disclosure, and retention thereof will be governed by other provisions under this MSA and the SLA.
10.1.2 Exclusion for Government Business. In the case of Republic as the Receiving Party, the obligations under this MSA and the SLA with respect to Confidential Information, including the restrictions on use and disclosure in Section 10.2, do not apply to information that is desirable to use or disclose to third parties in conjunction with the performance of official government business.
10.2 Use and Disclosure of CI. A Receiving Party will only use the Confidential Information of a Disclosing Party as required to perform its obligations and exercise its rights under this MSA or the SLA, provided that, subject to the requirements of Section 10.3, a Receiving Party may disclose the existence of this MSA or the SLA and their respective key terms pursuant to a securities filing to a Governmental Authority. [***]
10.3 Disclosures to Governmental Authorities. If a Governmental Authority requires a Receiving Party to disclose the Confidential Information of a Disclosing Party, the Receiving Party will (i) immediately notify the Disclosing Party after learning of the existence or likely existence of such requirement (unless prohibited by Applicable Law); [***]
10.4 Feedback. A Party or any one of its Affiliates may, but is not required to, provide the other Party or its Affiliates, suggestions, comments, ideas, or know-how, in any form, that are related to the other Party's or its Affiliates' respective products, services, or Technology ("Feedback"). Any such Feedback will be considered Confidential Information. Neither Party nor any of their respective Affiliates will have any obligation to provide compensation for any use of Residuals or Feedback. Nothing in this Section 10.4 will be deemed to license any patents or transfer any Intellectual Property Rights from a Party or its Affiliates to the other Party or its Affiliates. Notwithstanding anything to the contrary, this Section 10.4 does not govern the use and disclosure of Personal Data.
10.5 [***]
11. GENERAL.
11.1 Governing Law; Jurisdiction; Venue. The MSA and SLA shall be governed by and construed in accordance with the internal laws of the state of New York, without giving effect to any choice or conflict of law provision or rule (whether of the state of New York or any other jurisdiction) that would cause the application of laws of any jurisdiction other than those of the state of New York. [***]
11.2 Assignment. This MSA and the SLA will each bind and inure to the benefit of each of its respective Parties and their permitted successors and assigns. Company and its Affiliates will not, in whole or in part, assign this MSA or the SLA (as the case may be), without the prior written consent of Republic, which shall not be unreasonably withheld or delayed. [***]
11.3 Notices. Except as otherwise expressly set forth in this MSA or the SLA, any notice required under this MSA or the SLA will be in writing delivered to the applicable address below and will be deemed given: (i) upon receipt when delivered personally; (ii) two (2) days (other than weekends or public holidays) after it is sent if sent by certified or registered mail (return receipt requested); or (iii) one (1) day (other than weekends or public holidays) after it is sent if by next day delivery by a major commercial delivery service. Any notice provided to Athena Bitcoin Global shall be deemed effectively provided to Company inclusive of all Parties included in the definition of "Company."
Republic:
Chivo, Sociedad Anonima de Capital Variable
Attn: Legal Representative
Boulevard del Hipodromo
Local 8, #243, Century Tower
Sergio Viera de Mello
San Salvador, El Salvador

Company:
Athena Bitcoin Inc
Attn: Chief Executive Officer
221 W. Wacker Dr.
Ste. #900B
Chicago, IL., 60606, USA

With a copy to:
Pratin Vallabhaneni
White & Case LLP
1221 Avenue of the Americas
New York, NY 10036
11.4 Amendments. No supplement, modification, or amendment of this MSA or the SLA will be binding unless executed in writing by a duly authorized signatory of each Party. A valid amendment of this MSA will be deemed to automatically amend and will be binding upon Party that is a signatory to the SLA.
11.5 Waivers. No waiver will be implied from conduct or failure to enforce or exercise rights under this MSA or the SLA, nor will any waiver be effective, unless in writing signed by a duly authorized signatory on behalf of the Party claimed to have waived such rights.
11.6 No Publicity by Company. Company and its Affiliates will not engage in any promotions, publicity, marketing, or make any other public statement relating to the Services as used in connection with the Republic ATMs or its relationship with Republic or Users (including regarding the existence and terms of this MSA or the SLA), unless Company has obtained Republic's prior written consent, which shall not be unreasonably withheld. [***]
11.7 Insurance. During the MSA Term, Company shall, at its own expense, maintain and carry insurance in full force and effect with financially sound and reputable insurers, that includes, but is not limited to, commercial general liability with limits no less than an amount deemed reasonably satisfactory by Republic which policy will include contractual liability coverage insuring the activities of Company under this MSA. Upon Republic's request, Company shall provide Republic with a certificate of insurance from Company's insurer evidencing the insurance coverage specified in this MSA. The certificate of insurance shall name Republic as an additional insured. Company shall provide Republic with sixty (60) days' advance written notice in the event of a cancellation or material change in Company's insurance policy.
11.8 Entire Agreement. This MSA (including all exhibits) is the complete and exclusive statement of the mutual understanding of the Parties, and supersedes and cancels all previous written and oral agreements and communications, relating to the subject matter of this MSA. The SLA (including any exhibits), is the complete and exclusive statement of the mutual understanding of the Parties with respect to the Services provided thereunder, and supersedes and cancels all previous written and oral agreements and communications, relating to the subject matter of the SLA.
11.9 Independent Contractors. The Parties are independent contractors. There is no relationship of partnership, joint venture, employment, franchise or agency created between the Parties. Company will be solely responsible and liable for any compensation due any of its employees, agents, or contractors and employment-related Taxes, insurance premiums or other employment benefits required to be provided to its employees, agents, or subcontractors under Applicable Law. Company and its employees, agents or subcontractors will not be eligible for any benefits from Republic (including vacation or illness payments, stock awards, bonus plans, health insurance or retirement benefits) normally provided by Republic to its employees.
11.10 Remedies. Unless expressly set forth otherwise in this MSA or the SLA, any and all remedies expressly conferred upon a Party are cumulative with and not exclusive of any other remedy conferred by this MSA or the SLA or by law on that Party, and the exercise of any one remedy does not preclude the exercise of any other available remedy.
11.11 Counterparts. This MSA and the SLA may be executed in one or more counterparts, each of which will be considered an original, but all of which together will constitute one agreement.
11.12 Severability. Any provision of this MSA or the SLA that is invalid, prohibited, or unenforceable in any jurisdiction will, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability, without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction will not invalidate or render unenforceable such provision in any other jurisdiction.
11.13 Third-Party Rights. Except as expressly set forth in this MSA or the SLA, any party that is not a Party to this MSA will not have any rights as a third-party beneficiary to enforce any term of this MSA.
11.14 Construction. Captions are for convenience only and do not constitute a limitation of the terms hereof. The singular includes the plural, and the plural includes the singular. References to "herein," "hereunder," "hereinabove," or like words will refer to this MSA or the SLA as a whole and not to any particular section, subsection, or clause contained in this MSA or the SLA. The terms "include" and "including" are not limiting. Reference to any agreement or document includes any permitted modifications, supplements, amendments and replacements thereto. References to "day" refer to a calendar day, unless otherwise expressly stated.
11.15 Authorized Representative. Authorized Representative represents and warrants that he is an authorized representative of each of Athena Bitcoin Holdings El Salvador SA DE CV, Athena Bitcoin, Inc., Athena Bitcoin Global and has the full authorization and authority to execute this Agreement. Authorized Representative represents and warrants that he has had the opportunity to consult legal counsel prior to executing this Agreement.
[SIGNATURE PAGE FOLLOWS]
By signing below, each Party acknowledges that it has read, and agrees to, all the terms of the MSA.

Chivo, Sociedad Anonima de Capital Variable
By: /s/ Raymond I. Villalta
Name: Raymond I. Villalta
Title: Representante Legal

Athena Bitcoin Global
By: /s/ Matias Goldenhorn
Name: Matias Goldenhorn
Title: CEO

Athena Holdings El Salvador SA DE CV
By: /s/ Carlos Rivas
Name: CARLOS RIVAS
Title: LEGAL REPRESENTATIVE

Athena Bitcoin, Inc.
By: /s/ Matias Goldenhorn
Name: Matias A. Goldenhorn
Title: CEO

Matias A. Goldenhorn
By:_______________________________
EXHIBIT A
DEFINITIONS
"Affiliate" means, with respect to a specified Entity, any other Entity that directly or indirectly controls, is controlled by, or is under common control with such specified Entity. For the purposes of this definition, "control" means the possession, directly or indirectly, of the power to independently direct or cause the direction of the management and policies of an Entity, whether through ownership of more than fifty percent (50%) of the stock or other equity interests entitled to vote for representation on its board of directors, or body performing similar functions, by contract or otherwise.
"Applicable Law" means, with respect to a specified Entity, each of the following, whether existing now or in the future, including any updates thereto, that are applicable to such Entity: (i) the rules, requirements, or operational and technical standards of any relevant self-regulatory organization having jurisdiction or oversight over the Services, including the PCI DSS; and (ii) all laws, treaties, rules, regulations, regulatory guidance, directives, policies, orders, or determinations of, or mandatory written direction from or agreements with, any Governmental Authority, including trade control laws, export laws, sanctions regulations, statutes, or regulations, relating to stored value, money transmission, unclaimed property, payment processing, telecommunications, unfair or deceptive trade practices or acts, anti-corruption, trade compliance, anti-money laundering, terrorist financing, "know your customer," privacy, or data security.
"Bitcoin Chivo Wallet" means that certain bitcoin wallet, including the application that Republic will make available for Android, iOS, and other operating systems, offered, now or in the future, to Users.
"Bitcoin Digital Platform" means the digital platform based on blockchain technology, including all features, services and products that Republic or its Entities make available to the citizens of El Salvador through hardware, software, APIs, websites or other interfaces of any type, whether presently existing or later developed, that are developed or marketed, in whole or in part, by or for any of them, or that relate to the Bitcoin Chivo Wallet.
"Company Data" means any data that Company provides, makes available, or uses in connection with the Services.
"Company Entities" means Company or its Affiliates that have signed the SLA.
"Company Technology" means Technology that Company provides, makes available, or uses in connection with the Services.
"Confidential Information" has the meaning set forth in Section 10 of this MSA.
"Data" means Company Data, Republic Data, Personal Data and, with respect to the SLA, any other data expressly included as "Data" in the SLA.
"Data Breach" means (i) any unauthorized access to or use of Republic Data or Personal Data resulting from Company's or a Service Provider's breach of the data security obligations set forth in this MSA or the SLA (as the case may be), including those in Section 4 of this MSA, or (ii) Company's or a Service Provider's misuse of or unauthorized access to Republic Data or Personal Data (e.g., as a result of a breach of any data use obligations or restrictions).
"Data Security Program" means Exhibit B of this MSA.
"Disclosing Party" has the meaning set forth in Section 10.1 of this MSA.
"Entity" means an individual, corporation, firm, limited liability company, partnership, joint venture, trust, unincorporated organization, estate, association, Governmental Authority, or other entity or organization, whether or not a legal entity.
"Feedback" has the meaning set forth in Section 10.4 of this MSA.
"Foreground IP" means the Bitcoin Chivo Wallet and the website developed by the Company for accessing the Bitcoin Chivo Wallet.
"Governmental Authority" means any duly authorized federal, national, supranational, intergovernmental, state, provincial, local, or other government, governmental, regulatory, or administrative authority, self-regulatory authority, governmental agency, bureau, office or commission, or any court, tribunal, or judicial or arbitral body, of competent jurisdiction.
"Intellectual Property Rights" means any and all right, title, and interest in and to any and all trade secrets, patents, copyrights, service marks, trademarks, know-how, inventions, techniques, processes, devices, discoveries or improvements, trade names, rights in trade dress and packaging, moral rights, and similar rights of any type, including any applications, continuations or other registrations with respect to any of the foregoing, under the laws or regulations of any foreign or domestic governmental, regulatory, or judicial authority.
"Losses" has the meaning set forth in Section 9.1 of this MSA.
"MSA Term" has the meaning set forth in Section 6.1 of this MSA.
"Party" or "Parties" have the meaning set forth in Section 1.2 of this MSA.
"Personal Data" means any information from, about, or that can be associated with any household, individual consumer, or any other legal person (human or non-human), including any Users, employees, and contingent workers, or that otherwise is regarded as personal data or personal information under Applicable Law, including any financial data, transaction data or other data or information related to the usage of the Republic ATMs collected by or on behalf of Company from Users of any Services.
"Phase-Out Period" has the meaning set forth in Section 6.8 of this MSA.
"Receiving Party" has the meaning set forth in Section 10.1 of this MSA.
"Representative" means, with respect to a specified Entity, any of its directors, officers, employees, agents, consultants, contractors, subcontractors, service providers, advisors, accountants, attorneys, or other representatives. For clarity, Company's Representatives includes its Service Providers.
"Republic" has the meaning set forth in Section 1.2 of this MSA.
"Republic Claims" has the meaning set forth in Section 9.1 of this MSA.
"Republic Data" means (i) all data collected by, stored in, used by, or circulated in or through the Bitcoin Digital Platform, (ii) all data relating to Republic's and Users' use of the Services, and (iii) any other data as specified as Republic in the SLA.
"Republic Entity" means Republic or its Affiliates that have signed the SLA.
"Republic Indemnified Parties" has the meaning set forth in Section 9.1 of this MSA.
"Republic Technology" means Technology that Republic provides to Company in connection with the Services. For clarity, Republic Technology does not include Republic Data.
"Residuals" has the meaning set forth in Section 10.4 of this MSA.
"Service Fees" has the meaning set forth in Section 5.1 of this MSA.
"Service Provider" means any Entity, other than a Company employee, who performs any of Company's obligations under the SLA or who provides, directly or indirectly, any product or service to, on behalf of, or for the benefit of Company (including all other third parties downstream of any such Entity who are performing obligations or providing products or services in connection with the SLA).
"Services" has the meaning set forth in Section 1.1 of this MSA.
"SLA" has the meaning set forth in Section 1.1 of this MSA.
"SLA Term" has the meaning set forth in Section 6.1 of this MSA.
"Taxes" has the meaning set forth in Section 5.3 of this MSA.
"Technology" means application programming interfaces, software development kits, software (including object and source code), applications, technical integrations, payment processing platforms, blockchain technology and any derivative technology thereof or technology necessary to use or access blockchain technology, equipment, information technology infrastructure, systems, other technology, and any updates or modifications to, and documentation (e.g., instructional materials) related to, any of the foregoing.
"Usage Information" means any data that is based on, generated or created from, or information about, the use of the Services by Republic or its Affiliates or Users (e.g., the number of transactions or the amounts of transactions).
"Users" means any user who has taken an action to use (e.g., initiated the signup process), or who is using, any Services made available pursuant to the SLA for the Republic ATMs.
EXHIBIT B
DATA SECURITY PROGRAM
Company will maintain a comprehensive written information security program that includes technical, physical, and administrative/organizational safeguards designed to (i) ensure the security and confidentiality of Republic Data and Personal Data, (ii) protect against any anticipated threats or hazards to the security and integrity of Republic Data and of Personal Data, (iii) protect against any actual or suspected unauthorized processing, loss, or acquisition of any Republic Data and any Personal Data, and (iv) ensure the proper disposal of Republic Data and Personal Data. Company will ensure that such program satisfies all of the requirements set forth in this Exhibit B and that Company complies with all such requirements, as well as any other written information security policies, procedures, and guidelines that are applicable to the Services. As used in this Exhibit B, the terms "systems", "information systems", and the like, include all information technology systems and all other Technology. Capitalized terms used but not defined in this Exhibit B will have the meanings set forth in the MSA.
1. Network Segmentation. Company's systems that host Republic Data or Personal Data will be segmented from the Internet by actively managed network access controls that will restrict traffic to the minimum required for proper operation of those systems. Company's systems will also segment the Republic Data and Personal Data from other data, either via separate systems or logical segmentation.
2. Data Storage. Company will store all Republic Data and Personal Data in a manner that enables Company to comply with its obligations under the SLA, including its obligations that require it to be able to identify Republic Data or Personal Data such as those regarding Data Breach Incident notifications and data destruction.
3. Personnel Screening. Company must limit access to Republic Data and Personal Data by Company's employees and Service Providers based on their respective job function and on a need-to-know basis. Company will cause all of Company's employees with access to Republic Data and Personal Data to undergo, at a minimum, background screening for criminal history and, in the case of financial related support services, financial risk, unless otherwise restricted by Applicable Law. A Company employee's or a Service Provider's access to Republic's or its Affiliates' respective systems must be revoked at the time that such employee or Service Provider no longer needs access to such systems to facilitate Company's provision of the Services.
4. User Authentication. Company will use multiple factor authentication protocols/methods to access Republic Data or Personal Data. All passwords used by Company in connection with Republic Data and Personal Data must meet or exceed Republic's length, complexity, and age requirements. Company will not use, and will prohibit the use of, shared credentials, with respect to accessing Republic's or its Affiliates' respective systems, or Republic Data or Personal Data residing on other systems.
5. Logging and Monitoring. Company must ensure that it has a process to monitor its systems and networks. This must include monitoring of the environment for external threat actors and internal abuse by Representatives. The process must include steps to follow-up on suspicious activity and investigate potential security breaches. With respect to the SLA, during the SLA Term and for ninety (90) days thereafter, Company must ensure that relevant log data is available for analysis by Republic should the need for such information arise as part of Republic's own incident response process.
6. Vulnerability Management and Application Security. Company will (i) operate systems to discover vulnerabilities on systems that protect Republic Data and Personal Data or connectivity and will remediate these vulnerabilities within a reasonable timeframe not to exceed ninety (90) days from discovery, and (ii) conduct regular security assessments of any code that Company owns or controls, and will remediate any vulnerabilities found during these assessments within a reasonable timeframe not to exceed ninety (90) days from discovery.
7. Encryption.
7.1 Encryption in Transit. Company will ensure that all access to Republic Data and Personal Data is protected by Transport Layer Security, IPSec, or equivalent protocols. Company will only use encryption algorithms and protocols that comply with industry best practices and that are approved in the then-current version of the National Institute of Standards and Technology Special Publication 800-52. An alternative algorithm or protocol may only be used upon Republic's prior written consent.
7.2 Encryption at Rest. All Republic Data and Personal Data at rest in persistent storage (such as spinning disk, SSD, and flash drive or other removable media) must be encrypted. The granularity of encryption will be commensurate with the use case and risks of this data (for example, on a single-user system, whole-disk encryption will meet the requirement, but on a multi-tenant system with registered data, field-level encryption is required).
8. PCI Compliance. If Company stores, accesses, or processes any Payment Card information in connection with the Services, Company represents and warrants that it will, and each of the Service Providers will, (i) at all times comply with and will have a program to assure its continued compliance with the Payment Card Industry Data Security Standards ("PCI DSS") published by the PCI Security Standards Council, as the PCI DSS may be amended, supplemented, or replaced from time to time; (ii) report in writing to Republic, at least annually, proof of such compliance with the PCI DSS, as determined by a Qualified Security Assessor (QSA); and (iii) promptly report in writing to Republic upon becoming aware of Company's or a Service Provider's non-compliance or likely non-compliance with PCI DSS for any reason.
9. Cooperation with Republic Security Investigations. Company agrees to fully cooperate with Republic in security investigations, except to the extent prohibited by Applicable Law. Company will provide any and all logs surrounding the systems that are under investigation using the following requirements:
• Logging of the systems and network should include details about the access and actions of the users, errors, events, etc. across all its information systems.
• These logs must be protected and not removed or modified by unauthorized Entities.
• Ninety (90) days of relevant log data must be readily available - with historic data securely warehoused separately - for analysis by Republic should the need for such information arise.
• All systems administrator logs and user logs should be registered, regardless of the privileges any system administrator or user has.
• All systems should be configured with the same time and date; Network Time Protocol (NTP) for clock synchronization is required.
Except when prohibited by Applicable Law, upon Company having knowledge that a Company employee or other Representative of Company has violated any of the data use or data security obligations or restrictions in the SLA or has caused Company to violate any agreement between Company and Republic, Company will provide Republic information regarding such violation.
10. Security Reports and Assessments.
10.1 Security Report.
Within one hundred eighty (180) days of the effective date of the SLA, and within ten (10) days of each anniversary thereof (or as may otherwise be reasonably requested by Republic), Company will deliver to Republic a report prepared (no more than one (1) year prior to such date) by an audit firm and such report must describe Company's systems and security controls implemented and used at the locations involved in Company's provision of the Services governed by the SLA (such report, the "Security Report"). The third-party auditor must be a widely-used and reputable auditor in the financial services industry in the applicable jurisdiction and with respect to the United States must be a national major auditing firm. The Security Report must be a SOC 2 Type II report that has been prepared in accordance with the American Institute of Certified Public Accountants' Trust Service Principles/Criteria (including security, availability, processing integrity, confidentiality, and privacy). Where a SOC 2 Type II report cannot be procured or where it is not a common report in the applicable jurisdiction, Company may provide a mutually agreed upon widely accepted equivalent (e.g., a SOC 2 Type I report during an initial period). Company will use its best commercially reasonable efforts to cause each Service Provider to also provide Republic a Security Report in accordance with the foregoing requirements.
10.2 Security Assessment.
If Company or a Service Provider fails to comply with the Security Report obligations set forth above in Section 10.1 (Security Report), then, at any time, Republic will have a right to perform a security assessment (as set forth in this Section 10.2) on Company or such Service Provider. During any period of time in which Republic has the right to perform a security assessment on Company or a Service Provider, upon five (5) days' advanced written notice (except in emergency situations, where as much notice as reasonably practicable will be given), Company will permit, or will cause the Service Provider to permit, Republic or its designated Representative to review and access Company's or the Service Provider's (as applicable) books, records, third-party audit and examination reports, systems, facilities, controls, processes, procedures, and information regarding: (i) the use, processing, storage, treatment, and security of data, including Republic Data and Personal Data; (ii) the management of employees and Service Providers, including with respect to the foregoing obligations in Section 3 (Personnel Screening); and (iii) in the event of a Data Breach Incident (as defined in Section 12 (Data Breach) below), to locate the source and scope of the breach and provide Republic with any material information related to Republic, its Affiliates, Users, Republic Data, or Personal Data, with respect to such Data Breach Incident (any such review and access, a "Security Assessment"). Any such Security Assessment will be conducted during normal business hours and in a manner designed to cause minimal disruption to Company's or the Service Provider's (as applicable) ordinary business activities. 
For purposes of this provision, an emergency situation will include any situation posing imminent risk of harm or damage (as determined by Republic) to Republic's or its Affiliates' respective systems or data, including the systems underlying Republic ATMs, Republic Data, or Personal Data, or any situation that could expose Republic or its Affiliates to legal, financial, or business liability, or cause Republic or its Affiliates to violate any Applicable Law.
10.3 Correction of Non-Compliance.
If a Security Assessment or Security Report reveals any non-compliance by Company or a Service Provider of its obligations under or in connection with the SLA, Company will promptly remedy, or cause the Service Provider to promptly remedy, such non-compliance at its sole expense, and Republic or its designated Representative may perform, upon Republic's notice to Company, at any time, subsequent Security Assessments to verify the sufficiency of such remedial efforts and ongoing compliance with such obligations. Company will be responsible for, and promptly reimburse Republic for, the cost of any Security Assessment that reveals non-compliance by Company or any Service Provider.
11. Incident Response. Company must ensure an incident response ("IR") program is in place following industry best practices. The process should include steps to follow-up on suspicious activity and investigate potential or actual security breaches in line with the following:
• Detection. An initial assessment and triage of any suspicious activity or other suspected incident must be conducted within twelve (12) hours of detection. An initial incident report - quantifying and categorizing the incident - must be drafted for information technology personnel or information security officers and shared with Republic no more than seventy-two (72) hours after detection for analysis.
• Analysis (active IR required). A complete assessment and triage of the incident, including containment, eradication, evidence preservation, and initial recovery must be conducted.
• Recovery (no active IR required). The final collection of evidence, analysis and forensic investigation, including remediation and full recovery, must be conducted. A full incident report must be shared with Republic within twenty-four (24) hours of the termination of this phase.
• Post-incident (actions). Once the incident is adequately handled, the IR team must issue a 'post mortem' report detailing the cause and cost of the incident and the steps the organization should take to prevent future incidents.
12. Data Breach. If Company becomes aware of any unauthorized access to or misuse of Republic Data or Personal Data or Company's or a Service Provider's Technology that stores or has access to Republic Data or Personal Data (a "Data Breach Incident"), Company will: (i) immediately notify Republic of such Data Breach Incident (which, in any case, may not occur more than seventy-two (72) hours after becoming aware that such Data Breach Incident may have occurred), and (ii) will work with Republic's security staff to contain, mitigate, and resolve the Data Breach Incident in accordance with the IR protocols set forth in this Exhibit. Such notice will describe when and where the Data Breach Incident occurred, the effect on Republic, its Affiliates, the Users, Republic Data, and Personal Data, and Company's planned corrective action in response to the Data Breach Incident.
13. Destruction of Data. With respect to the SLA, Company will destroy Republic Data and Personal Data within its possession or control upon the later of the time that (i) such Republic Data or Personal Data (as applicable) is no longer required for Company to perform its obligations under the SLA (including any obligations that survive expiration or termination of the SLA), or (ii) Company no longer needs to retain such Republic Data or Personal Data (as applicable) to comply with Applicable Law. For clarity, in the case of (i) or (ii), Company will only retain the minimum amount of Republic Data or Personal Data (as applicable) required for Company to perform its obligations or comply with Applicable Law (as applicable) and for only so long as required. Company will, (a) destroy such data, and any derivative works thereof, within a reasonable period not to exceed ninety (90) days from such time set forth in the foregoing (i) or (ii), (b) use industry best practices to ensure that the data cannot be recovered, and (c) certify in writing to Republic that it has met the foregoing obligations. Upon Republic's request, Company will destroy all Republic Data or Personal Data specified by Republic, including as required for Republic to comply with Applicable Law (e.g., Republic's requirement under Applicable Law to delete Personal Data in response to a User's request). Company will cause the Service Providers to comply with the foregoing data deletion requirements with respect to any Republic Data or Personal Data within their possession or control.
14. Service Providers. Company will use reasonable best efforts to cause all Service Providers to comply with (i) all data use, disclosure, and retention rights and restrictions, and data security obligations, that apply to Company under the SLA, and (ii) comply with the obligations set forth in this Exhibit B as if each such Service Provider was Company hereunder, including with respect to, each such Service Provider's personnel, systems, and networks, and the Republic Data and Personal Data it possesses, controls, or can otherwise access in connection with the SLA.
EXHIBIT C
FORM OF SERVICE LEVEL AGREEMENT
Attached