EX-99.H3 6 d841886dex99h3.htm TRANSFER AGENCY SERVICES ORDER, LFT & FIS


FIS Transfer Agency Services Order

By the signatures of their duly authorized representatives below, FIS Investor Services LLC (“Service Provider” or “FIS”) and Lincoln Funds Trust (“Client”), on behalf of its funds listed on Annex B to Attachment 2, intending to be legally bound, agree to all of the provisions of this FIS Transfer Agency Services Order (“Order”) with an Order effective date of September 4, 2024 (“Order Effective Date”).

 

LINCOLN FUNDS TRUST
Signature: /s/ Jim Hoffmayer
Name: Jim Hoffmayer
Title: VP, Treasurer and CAO
Date: September 4, 2024 | 14:48 EDT

FIS INVESTOR SERVICES LLC
Signature: /s/ Peggy Poche
Name: Peggy Poche
Title: Accounting Manager
Date: September 4, 2024 | 14:55 EDT

 

Account ID: 39044    OID: 01054433    LR 200826 
   Prepared for: Lincoln National Corporation    Page 1



 

FIS TRANSFER AGENCY SERVICES ORDER

SOLUTION AND RELATED INFORMATION

1. SERVICES: See Attachment 2 hereto.

2. TERM: See Attachment 2.

3. FEES: See Attachment 2.

4. PERSONAL DATA: Client will use FIS as a data processor of Personal Data under this Order. Client will use the Services to Process Personal Data of the following categories: individuals’ name, email address, telephone number, account number, relating to the following categories of natural persons: staff of customers of Client, customers of Client, and Shareholders (as that term is defined in Subsection 5.1 below). Such Personal Data will only include Personal Data in relation to individuals domiciled in the United States and shall be processed in accordance with the FIS United States Data Protection Attachment set forth in Attachment 3, which is incorporated into this Order. If requested by Client or any data subject or regulator, FIS shall cooperate with Client as reasonably required to assist Client with Client’s compliance with its legal obligations under applicable Privacy Laws (as defined in Attachment 3), and Client shall reimburse FIS for any out-of-pocket costs reasonably incurred.

5. TERMS AND CONDITIONS:

5.1 DEFINED TERMS. As used in this Order, the terms below (and their plural or singular forms as applicable) have the following meanings:

5.1.1 “Affiliate” whether capitalized or not means, with respect to a specified Person, any Person which directly or indirectly controls, is controlled by, or is under common control with the specified Person as of the Order Effective Date, for as long as such relationship remains in effect.

5.1.2 “Agent” means any administrative or other service provider used by a Party in connection with carrying out its obligations under this Order, whether or not such Person would be deemed an agent under principles of any applicable law, and “FIS Agent” shall mean such service provider used by FIS and “Client Agent” shall mean such service provider used by Client.

5.1.3 “Applicable Jurisdiction” means the U.S., the United Kingdom, and any other jurisdiction where any FIS IP will be located or from where any FIS IP will be accessed under this Order.

5.1.4 “Authorized Person” means Client or any Person (including Client Agents) whom or which, respectively, FIS believes in good faith to be authorized by Client under this Order to act on its behalf in the performance of any act, discretion, or duty under this Order, or notified to FIS in a notice delivered in accordance with the requirements of Section 5.7.6 hereof as having been so authorized by Client.

5.1.5 “Authorized Recipient” means (i) with respect to Client, Client, any officer of Client, and any employee of an Agent, provided that the Agent is not a competitor of FIS; and (ii) with respect to FIS, its Affiliates, and its and their respective contractors and third-party providers.

5.1.6 “Board” means the Board of Trustees of Client.

5.1.7 “Business Day” means Monday through Friday with the exception of: (i) FIS’ holidays which are generally the same as the official US federal holidays; and (ii) New York Stock Exchange closings.

5.1.8 “Client Agent” is defined in the definition of “Agent”.

5.1.9 “Client Data” means data provided by or on behalf of Client in connection with the Services related to Client, its Investors (and, if Fund(s) are listed in Annex B to Attachment 2, said Fund(s)) that is stored or Processed by FIS as a result of the Services and all information that is derived from such Data; provided however, that aggregated data that is not Personal Data and also not identifiable to Client shall not be deemed Client Data nor Client’s Confidential Information.

5.1.10 “Client IP” means any trademark, service mark, certification mark, logo, trade dress, trade name, corporate name, brand name or other intellectual property source indicators, including all good-will associated with any of the foregoing, of Client and/or any of its Affiliates, and any and all of the following as applicable: the object code and the source code for any Client-owned software (including Licensed System) made available to FIS in connection with FIS’ provision of the Services to Client, including the visual expressions, screen formats, report formats and other design features of such software, all ideas, methods, algorithms, formulae and concepts used in developing and/or incorporated into such software, and all future modifications, updates, releases, improvements and enhancements of such software, all derivative works (as such term is used in the U.S. copyright laws) based upon any of the foregoing,
all copies of the foregoing, and all intellectual property rights in, to, or under any of the foregoing. Client IP excludes FIS IP.

5.1.11 “Client Portal” means a FIS self-service portal that offers a comprehensive and streamlined set of resources for Client to effectively manage its relationship with FIS, including specific information and documentation about FIS, its comprehensive written policies, procedures, and standards related to information security. As of the Order Effective Date, the link to the Client Portal is as follows: https://my.fisglobal.com/vendor-management.

5.1.12 “Client Systems” means the information technology infrastructure, including the computers, software, databases, electronic systems and networks, of Client or any of its Affiliates.

5.1.13 “Confidential Information” means all business or technical information disclosed by Disclosing Party to Receiving Party in connection with this Order. Without limiting the generality of the foregoing, Client’s Confidential Information shall include Client Data and the details of Client’s computer operations, and FIS’ Confidential Information shall include FIS IP. Confidential Information shall include the terms of this Order, but not the fact that this Order has been signed, the identity of the Parties, or the Services. Notwithstanding the foregoing, and except for Personal Data, the term “Confidential Information” does not include information that: (i) prior to the receipt thereof under this Order had been developed independently by Receiving Party, or was lawfully known to Receiving Party, or had been lawfully received by Receiving Party from other sources, provided such other source(s) had not received it due to a breach of an agreement with Disclosing Party; (ii) subsequent to the receipt thereof under this Order (A) is published by Disclosing Party or is disclosed generally by Disclosing Party to others without a restriction on its use and disclosure, or (B) has been lawfully obtained by Receiving Party from other source(s) which Receiving Party reasonably believes lawfully came to possess it, (iii) is publicly known at or after the time either Party first learns of such information or is generic information or knowledge which either Party would have learned in the course of its work in the trade, business, or industry, or (iv) is subject to a written agreement under which the Disclosing Party authorized the Receiving Party to disclose the subject information. For clarity, any Client Data containing Personal Data is Client Confidential Information.

5.1.14 “Copy” whether capitalized or not means any paper, disk, tape, film, memory device or other material or object on or in which any words, object code, source code, or other symbols are written, recorded, or encoded, whether permanent or transitory.

5.1.15 “Documentation” means the standard user documentation FIS provides with respect to the Services as such Documentation may be updated from time to time.

5.1.16 “Export Laws” means any laws, administrative regulations, and executive orders of any Applicable Jurisdiction relating to the control of imports and exports of commodities and technical data, use or remote use of software and related property or services, embargo of goods or services, or registration of this Order including the Export Administration Regulations of the U.S. Department of Commerce and the regulations and executive orders administered by the Office of Foreign Asset Control of the U.S. Department of the Treasury.

5.1.17 “Feedback” means any suggestions or recommendations for improvements or modifications to FIS IP made by or on behalf of Client.

5.1.18 “FIS Agent” is defined in the definition of “Agent”.

5.1.19 “FIS IP” means any of the following: the Documentation related to the Services, the object code and the source code for any software made available by FIS and/or FIS Affiliate(s) to Client or Client Agents in connection with the Services, the visual expressions, screen formats, report formats and other design features of such software and/or Services, and all ideas, methods, algorithms, formulae, and concepts used in developing and/or incorporating into such software, the Services, Documentation, and all future modifications, updates, releases, improvements, and enhancements of such software, all derivative works (as such term is used in the U.S. copyright laws) based upon any of the foregoing, and all copies of the foregoing, and all intellectual property rights in, to, or under any of the foregoing. FIS IP excludes Client IP.

5.1.20 “Fund” means a separate portfolio or series of Client listed in Annex B to Attachment 2, if any.

5.1.21 “Fund Data” means the data and information provided by the Funds or FIS on behalf of the Funds pursuant to this Order, in connection with the Processing to be performed by FIS in accordance with this Order, including information concerning the policies established under the Rule for the purpose of eliminating or reducing any dilution of the value of the outstanding securities issued by such Funds.

5.1.22 “Good Faith Dispute” means a good faith dispute by Client of certain amounts invoiced under this Order. A Good Faith Dispute will be deemed to exist only if (i) Client had given notice of the dispute to FIS promptly after receiving the invoice, and (ii) the notice explains Client’s position in reasonable detail. A Good Faith Dispute will not exist as to an invoice in its entirety merely because certain amounts on the invoice have been disputed.

5.1.23 “Governmental Authority” means any regulatory agency, court, other governmental body or self-regulatory agency with jurisdiction over a Party.

 

5.1.24 “Including” whether capitalized or not means including but not limited to.

5.1.25 “Instruction” means a direction or order, either oral or in writing, made by Client, Authorized Person(s), or Client Agent(s).

5.1.26 “Intellectual Property” means Client IP or FIS IP as applicable.

5.1.27 “Intermediaries” means Client’s financial intermediaries, dealers, and selling group members collectively.

5.1.28 “Investor” means a person that buys or sells securities.

5.1.29 “Liability Cap” means the higher of (i) the amount paid in fees by Client to FIS under this Order in the twelve (12) month period immediately preceding the date on which FIS had received written notice from Client of the first claim by Client against FIS arising from this Order; or (ii) the Annual Base Fee.

5.1.30 “Licensed System” means the proprietary system(s) licensed by Client from FIS or an Affiliate of FIS, or other proprietary system(s) (including Client’s) utilized by Client from time to time for purposes of trade monitoring or operations.

5.1.31 “Offering Documents” means communications or documents intended for distribution to any Investor in connection with the offering or sale by Client of securities, products, or services, as such communications or documents may be amended from time to time.

5.1.32 “Organic Documents” means, for any incorporated or unincorporated entity, the documents pursuant to which the entity was formed as a legal entity, as such documents may be amended from time to time.

5.1.33 “Parties” means both (i) Service Provider or FIS, and (ii) Client.

5.1.34 “Person” whether capitalized or not means any individual, sole proprietorship, joint venture, partnership, corporation, company, firm, bank, association, cooperative, trust, estate, government, governmental agency, regulatory authority, Fund, or other entity of any nature.

5.1.35 “Personal Data” has the meaning set forth in Attachment 3.

5.1.36 “Policies and Procedures” means the written policies and procedures, including amendments thereto, of Client in any way related to the Services, including any such policies and procedures contained in the Organic Documents or Offering Documents.

5.1.37 “Process” (and its derivatives) have the meaning set forth in Attachment 3.

5.1.38 “Rule 22c-2” or “Rule” means Rule 22c-2 under the Investment Company Act of 1940.

5.1.39 “Service Period” means the period beginning on the Service Period Start Date, which is identified in Attachment 2, and ending on the last day of the Term.

5.1.40 “Shareholder” means a shareholder in the Fund(s).

5.1.41 “Shareholder Data” means the data with respect to Shareholders that is delivered for access by FIS and Client, by either an Intermediary as required pursuant to the Rule or applicable agreement or by FIS.

5.1.42 “Solution” means the Transfer Agency Services being provided under this Order and as described more particularly herein.

5.2 SERVICES.

5.2.1 Services; No Implied Duties. Client agrees to engage FIS to perform the services (the “Services”) described in Attachment 2. FIS will perform the Services in accordance with and subject to the terms of this Order. The Services will be provided only on Business Days and during FIS’ business hours. The Services are provided only with respect to Client and the Funds, and FIS shall have no obligation to provide Services to any Person unless FIS has agreed to do so in a written amendment to Attachment 2. FIS is responsible for the performance of only those duties as are expressly set forth herein, including Attachment 2. FIS will have no implied duties or obligations.

(a) Rule 22c-2 Services.

General. The following shall apply to all Rule 22c-2 Services if any Rule 22c-2 Services are listed in Attachment 2.

Client acknowledges receipt of a copy of FIS’ policy related to the acceptance of trades for prior day processing (the “FIS As-Of Trading Policy”). FIS may amend the FIS As-Of Trading Policy from time to time in its sole discretion. A copy of such amendments, if any, shall be delivered or made available to Client. FIS may apply the FIS As-Of Trading
Policy whenever applicable, unless FIS agrees in writing to process trades according to an as-of trading policy as adopted by Client and furnished to FIS by Client. Client acknowledges and agrees that deviations from the FIS As-Of Trading Policy and its written transfer agent procedure and compliance procedures might involve a substantial risk of loss. In the event an Authorized Person requests an exception to such procedures or the FIS As-Of Trading Policy, FIS may in its sole discretion determine whether to permit such exception. If FIS determines to permit such exception, the exception shall become effective when set forth in a written instrument approved by FIS, executed by an Authorized Person, and delivered to FIS (an “Exception”); provided that an Exception concerning the requirements of Client’s Anti-Money Laundering (“AML”) Program shall be authorized by Client’s AML Compliance Officer. An Exception shall be deemed to remain in effect until such instrument expires according to such instrument’s terms (or if no expiration date is stated, until FIS receives written notice from Client that such instrument has been terminated and the Exception is no longer in effect).

Client acknowledges that Intermediaries (and not FIS (except to the extent FIS is transfer agent to Client)) provide the Shareholder Data and that FIS’ service is dependent upon delivery of the Shareholder Data by such Intermediaries. Client agrees that it will be bound to those terms and conditions imposed by Intermediaries to which Client and FIS have agreed in writing. Client acknowledges that FIS’ ability to monitor trades and provide the Rule 22c-2 Services is dependent upon (i) timely delivery of accurate data by Intermediaries, and (ii) continued availability of such data. Client acknowledges that Intermediaries may supplement, modify, remove, or discontinue providing data, or discontinue the availability of such data, and in all such events FIS may be limited in its ability to monitor the trades and/or provide the Services with respect to such data. FIS shall have no obligation to monitor trades to the extent that data is not available to FIS.

Client acknowledges that in connection with the provision of the Rule 22c-2 Services, if any, FIS may be asked by third-party providers to agree to certain terms and conditions and the imposition of certain fees. Client agrees that it will promptly respond to any request made by FIS with respect to whether Client will consent to the terms, conditions, and fees being imposed by any third-party provider. Failure to promptly respond shall be deemed acceptance. Client understands that any failure to consent to such terms, conditions, and fees may result in the failure to receive information from third-party providers, including Intermediaries. If Client is so deemed to accept or if Client consents, Client shall then be bound by any such terms and conditions and shall reimburse FIS for any such fees imposed on FIS.

Shareholder Information Agreement Services. The following shall apply only to “Shareholder Information Agreement Services”, if such Services are listed in Attachment 2 as part of “Rule 22c-2 Services”: Client authorizes its transfer agent, distributor, or other appropriate party to enter into the Shareholder Information Agreements (as that term is defined in Annex A of Attachment 2) in order for Client to obtain transaction information from Intermediaries.

Trade Monitoring Services. The following shall apply only to “Trade Monitoring Services”, if such Services are listed in Attachment 2 as part of “Rule 22c-2 Services”: In order for FIS to perform trade monitoring services, Client will provide to FIS promptly after the Order Effective Date: (i) authorization for FIS or its designee to receive transaction information from Intermediaries for any underlying accounts of omnibus accounts held on the Funds’ shareholder record keeping system; (ii) a list of all known omnibus accounts maintained with respect to the Funds; (iii) authorization for FIS to provide information and data about the Fund(s) and/or Client (including the Prospectus and Statement of Additional Information for each Fund, and all other forms of documents commonly used by Client or its distributor with regard to relationships and transactions with Shareholders, and Client’s and each Funds’ written market timing policies, including any related policies and procedures and rules (collectively “Company Policies”)), and/or Shareholders to FIS’ service providers, including the provider(s) of the Licensed System(s), in connection with the provision of services listed under the Trade Monitoring Services subheading of “Rule 22c-2 Services” and as required in connection with the use of the Licensed System(s); (v) authorization for FIS and any other provider(s) of the Licensed System(s), acting individually, to act as attorney-in-fact for the Client to obtain data from Intermediaries and give instructions related to the delivery of such data (including the manner of such delivery); and (vi) copies of all Shareholder Information Agreements between Intermediaries and the Fund(s), their distributor(s), or any party acting on the Client’s or Fund(s)’ behalf. Client shall give FIS advance written notice of any modification or termination of any Shareholder Information Agreement or any new agreements entered into with Intermediaries and the terms thereof.

5.2.2 Changes. If Client or FIS requests to amend this Order the Parties will negotiate in good faith and if agreement is reached, execute an amendment to this Order. If such request is to change the Services, the amendment must specify (i) the timeline and dependencies, and each Party’s obligations for implementing the change to the Service (“Change”), and (ii) any implementation and additional ongoing fees and expenses that might be required to effect such Change. Client will promptly notify FIS of any changes (or pending changes) in law(s) applicable to Client and/or the Fund(s) that are relevant to the Services. Notwithstanding the foregoing, FIS shall implement such Change(s) that are necessary or advisable, as determined by FIS, in order to comply with any laws applicable to FIS that become effective after the Order Effective Date. FIS shall exercise reasonable commercial efforts to provide prior written notice to Client of such Change(s) if and to the extent such laws so require; provided, however, that lack of prior notice shall not
constitute a breach hereunder unless (and solely to the extent that) Client suffers material prejudice due to the lack of prior notice.

5.2.3 Provision of Information. In order for FIS to provide the Services, Client shall promptly provide, and cause its employees and current and immediately preceding Client Agents to promptly provide, to FIS the information and documents that FIS reasonably requests in connection with the Services and this Order, including any Organic Documents, Offering Documents, and Policies and Procedures.

5.2.4 Dependencies. FIS’ obligation to provide the Services is contingent on the dependencies specified in Subsection 5.10 below in addition to any dependencies or contingencies set forth expressly herein.

5.2.5 Use of Agents. FIS is permitted to appoint FIS Agents without the consent of Client to perform any of the back-office duties of FIS under this Order, including printing, mailing, and distributing documents. FIS will use reasonable care in the selection and continued appointment of FIS Agents and shall remain responsible for all actions of the FIS Agents. If FIS desires to appoint any other FIS Agent, FIS shall seek the consent of the Client, and Client shall not unreasonably withhold or delay its consent.

5.2.6 Insufficient Instruction. FIS may act on any Instruction where FIS reasonably believes the Instruction contains sufficient information. FIS may decide not to act on any Instruction where FIS reasonably doubts its contents.

5.2.7 Recalled, Amended, and Cancelled Instructions. If Client requests FIS to recall, cancel or amend an Instruction, FIS shall, subject to applicable law, use reasonable efforts to comply.

5.2.8 No Fiduciary. FIS, its employees, FIS Agents, and each of FIS Agent’s employees are not under this Order: (i) acting as a fiduciary, certified public accountant, broker or dealer; (ii) providing investment, accounting, valuation, legal or tax advice to Client or any other person; (iii) providing investment advisory, portfolio management, risk management, depository, custodian or other services; or (iv) providing compliance services except as expressly set forth in Attachment 2. FIS shall not be required under this Order to take any action that would require licensing or registration to provide any of the foregoing services or perform any of the foregoing functions.

5.3 CLIENT’S RESPONSIBILITIES, REPRESENTATIONS, AND AUTHORIZATIONS.

5.3.1 Client’s Information. As between the Parties, Client is responsible for the accuracy and completeness of, and FIS has no obligation to review for accuracy or completeness of: (i) information contained in the Organic Documents, Offering Documents, and Policies and Procedures; and (ii) any data submitted to FIS for Processing by or on behalf of Client. However, notwithstanding the foregoing, FIS shall conduct the review if and as expressly set forth in the “Profile II Services” section of Annex A to Attachment 2, or the “Miscellaneous/Other” Subsection in the “Shareholder Transactions” section of Annex A to Attachment 2.

5.3.2 Client’s and Third-Party’s Information and Communications.

(a) Reliance. Client and FIS shall comply with security procedures used by FIS (and disclosed to Client from time to time) that are intended to establish the origination of the communication and the authority of the Person sending any communication, including any Instruction. Provided Client and FIS comply with such security procedures, FIS will be entitled to treat any communication, including any Instruction, as having originated from an Authorized Person, Client, or Client’s Agent, and to treat Client as having authorized FIS to accept and act upon any communication, including any Instruction and any form or document (including Offering Documents, prospectuses, Organic Documents, Policies and Procedures). Client also authorizes FIS to rely on and share the information and data it receives from (i) providers of market data services provided by a securities exchange or other providers of market data, (ii) clearance or settlement systems, (iii) any Person who/which possesses information about Client, Client’s Investors and/or Shareholders reasonably necessary for FIS to provide the Services and with whom/which FIS is required to engage or contract in order to receive such information and data, (including investment advisers, Funds’ accountants, intermediaries, or custodians that service Client, Investors, Client Agents, Investors’ agents (whether or not such Person would be deemed an agent under principles of any applicable law), Client’s employees, each of Client Agents’ employees, said Investors’ employees and each of said Investor’s employees, shareholders of Client, agents of Client’s shareholders, Shareholders, and agents of Shareholder(s)); and (iv) third parties engaged by FIS at the request of Client to provide Services to or for the benefit of Client and/or its investors in securities of Client or Funds; and notwithstanding anything to the contrary in this Order, such third parties will not be considered FIS Agents, or agents of FIS under any applicable 
law or for purposes of this Order.

(b) Authorization. Client confirms that each Authorized Person is authorized to perform all lawful acts on behalf of Client in connection with this Order, including (i) and (ii) below, until FIS receives written notice or other notice acceptable to FIS of any change of an Authorized Person and FIS has had a reasonable opportunity under the circumstances to act in response to said notice: (i) signing any agreements, declarations or other documents relating to the Services; and (ii) providing any Instruction.

 

(c) Errors, Duplication. Client shall be responsible for acts, errors, and omissions made by Client, Client Agents, Authorized Persons, the third parties described in Sub-subsection 5.3.2(a)(iv) above, and any Person whom/which FIS relied upon in accordance with this Order, and the duplication of any Instruction by Client, Client Agents, Authorized Persons, and any of said third parties.

5.3.3 Client’s Representations. Client represents and acknowledges that as of the Order Effective Date and at the date any Service is used or provided: (i) where it acts as an agent on behalf of any of its own Investors, whether or not expressly identified to FIS from time to time, any such Investors will not, by virtue of the Services provided hereunder by FIS to Client, be customers or indirect customers of FIS; and (ii) without prejudice to any more specific obligations set forth in this Order, Client has obtained all consents from Investors and Intermediaries required in connection with the engagement by Client of FIS to provide the Services.

5.3.4 Cooperation and Access. To the extent reasonably necessary for FIS to perform its obligations under this Order, Client shall provide, or cause to be provided to FIS access to Client, Client Agents, and the location site(s), equipment, data and employees, of each of Client and Client Agents, and shall otherwise cooperate with FIS in its performance hereunder, all as reasonably necessary for FIS to perform its obligations under this Order.

5.4 PAYMENTS.

5.4.1 Fees, Expenses and Payment Terms. Client shall pay to FIS the fees and reimburse FIS for the expenses set forth in or provided for in this Order (including Attachment 1 and Attachment 2). The fees set forth in Attachment 2 do not include third-party fees. Third-party fees are described in Attachment 1, and Client shall be solely responsible for and shall pay all third-party fees, as and when directed by FIS or the third-party providers. Client’s payments shall be due within thirty (30) days after the invoice date. A late payment fee at the rate of twelve percent (12%) per year (or, if lower, the maximum rate permitted by applicable law) shall accrue on any amounts thirty (30) days past due and unpaid by Client to FIS, except for those line items of an invoice subject to a Good Faith Dispute. FIS may increase the fees payable by Client as set forth in Attachment 2.

5.4.2 Invoices. FIS shall provide monthly invoices in arrears. All invoices shall be sent to Client’s address set forth in Attachment 2. Client will notify FIS promptly in writing of any incorrect invoice, periodic accounting, or other report with respect to the Services (said accounting and report, a “Report”) and, in any case, within sixty (60) days from the date on which the invoice or Report is sent or made available to Client. Nothing herein is intended to prevent Client from notifying FIS of any errors or corrections in an invoice or Report beyond such time, provided that FIS shall not be responsible for any losses caused by such delay in notification.

5.4.3 Taxes. The fees and other amounts payable by Client to FIS under this Order do not include any taxes, duties, levies, fees or similar charges or surcharges of any jurisdiction (including consumption taxes such as GST or VAT), that might be assessed or imposed in connection with the transactions contemplated by this Order (collectively “Taxes”), excluding only taxes based upon FIS’ net income. Client shall (i) be responsible for the payment of all such Taxes, (ii) directly pay all such Taxes assessed against it or promptly reimburse FIS for any Taxes that FIS is required by law to collect or pay on behalf of Client. Taxes do not include withholding tax (“WHT”) based on the income of FIS. FIS is ultimately responsible for any WHT; however, if Client is required by law to deduct WHT from payments owing by Client to FIS and remit it to the applicable tax authorities, Client will: (a) promptly notify FIS; (b) deduct such WHT from the payment due to FIS (and, in doing so, Client shall apply to such withholding any exemption or reduced tax rate specified in a tax treaty between Client’s and FIS’ respective countries of tax domicile); (c) promptly pay such WHT to the relevant government agency and remit the net amount after the WHT deduction to FIS; (d) promptly, and in any event upon FIS’ request, give FIS an official receipt or other official document evidencing payment of such WHT so that FIS may claim a tax credit from the applicable tax authorities; and (e) remain liable to pay FIS for any difference in the amount calculated at the applicable WHT rate that is not supported by a WHT certificate from Client. Each Party will provide such assistance, documentation, and information reasonably requested by the other Party to resolve any dispute, difference, or disagreement with the applicable tax authorities. 
FIS will not be responsible for any penalties, WHT, or interest related to the failure of Client to deduct and pay Taxes timely in accordance with applicable local laws. FIS and Client will reasonably co-operate with each other in determining the extent to which any Taxes is due and owing in connection with this Order.

5.4.4 Remedies for Non-Payment. If Client fails to pay FIS, within sixty (60) days after FIS makes written demand therefor, any past-due amount payable under this Order (including interest thereon) that is not the subject of a Good Faith Dispute, then in addition to all other rights and remedies which FIS may have, FIS may, in its sole discretion and with further notice to Client stating the suspension date, suspend performance of any or all of its obligations under this Order (other than those in subsections or Sub-subsections, as applicable: 5.4.2, 5.4.3, 5.5.2, 5.6, 5.7, 5.12.1, 5.12.8, and 5.12.13 of Section 5 of this Order) and FIS shall have no liability for Client’s use of the Services until all past-due amounts are paid in full.

5.5 GENERAL OBLIGATIONS; SERVICES’ DESCRIPTION.

 

5.5.1 FIS will maintain a Global Business Resilience Program, designed to minimize the risks associated with crisis events affecting FIS’ ability to provide the Services, as set forth in the FIS Security Statement attached hereto as Attachment 4 (the “Security Statement”), incorporated herein by this reference.

5.5.2 Each party will implement reasonable administrative, technical and physical safeguards designed to: (i) ensure the security and confidentiality of the other party’s Confidential Information; (ii) protect against any anticipated threats or hazards to the security or integrity of the other party’s Confidential Information; and (iii) protect against unauthorized access to or use of the other party’s Confidential Information. Further details of FIS’ administrative, technical and physical safeguards are set forth in the Security Statement.

5.5.3 Compliance with Laws. FIS shall comply with all laws, enactments, orders, and regulations applicable to it solely as the provider of Services. Client will promptly notify FIS of any changes (or pending changes) in applicable laws, enactments, orders, and regulations with respect to Client or the Funds that are relevant to the Services. In the event that any such changes applicable to the Funds or Client require changes to the Services, such changes shall be agreed to in accordance with Subsection 5.2.2 above. Client shall comply with all laws, enactments, orders, and regulations applicable to it as the recipient and user of Services. Without limiting the foregoing, Client shall comply with all applicable laws and obtain all necessary consents from any Person, including its Investors and employees, regarding the collection, use, and distribution to FIS of any information or data regarding such Persons to (i) permit FIS to provide Services under this Order to Client and where contemplated by this Order Client’s Affiliates and Investors in accordance with this Order, and (ii) undertake activities related to the provision of Services under this Order (the “Permitted Purposes”).

5.5.4 Services’ Description. Without the written approval of FIS, Client will not describe the Services or the terms or conditions of this Order in any communication or document intended for distribution to any Investor in connection with an Offering Document and will not amend any such references to FIS or the terms or conditions of this Order in any Offering Document that has been previously approved by FIS. FIS will not unreasonably withhold, condition, or delay any of the foregoing requested approvals, provided that Client includes, upon request by FIS, reasonable notices describing the terms of this Order relating to FIS, its liability, and the limitations thereof. If the Services include the distribution by FIS of notices or statements to Investors, FIS may, upon advance notice to Client, include reasonable notices describing the terms of this Order relating to FIS, its liability, and the limitations thereof. If Investor notices are not sent by FIS but rather by Client or some other Person, Client will reasonably cooperate with any request by FIS to include such notices. Client shall not, in any communications with Investors, whether oral or written, make any representations to its Investors stating or implying that FIS is providing valuations with respect to Client’s securities, products, or services, verifying any valuations, or verifying the existence of any assets in connection with Client’s securities, products, or services.

5.6 MITIGATION OF HARM; LIMITATIONS OF LIABILITY; INDEMNITIES; DISCLAIMER.

5.6.1 Mitigation of Harm. Upon the actual knowledge by a Party of the occurrence of any event which might cause any loss, damage, or expense to the other Party, the Party with such knowledge shall, as soon as reasonably practicable: (i) notify the other Party of the occurrence of such event, and (ii) use commercially reasonable efforts to take reasonable steps under the circumstances to mitigate or reduce the effects of such event and avoid its continuing harm, if any.

5.6.2 Liability; Limitations of Liability.

(a) FIS shall use reasonable skill, care, and diligence in the performance of the Services provided under this Order, but shall not be liable hereunder for any action taken or omitted by itself in the absence of bad faith, willful misfeasance, gross negligence, fraud, or reckless disregard by it of its obligations or duties, and shall not be liable unless Client complies with Subsection 5.6.2. Where FIS has engaged in bad faith, willful misfeasance, gross negligence, fraud, or reckless disregard of its obligations and duties hereunder, then, within thirty (30) days of Client’s actual discovery of an issue with the Services, Client must give notice to FIS (and FIS must receive same) describing the particular Services at issue to the extent known to Client, together with, to the extent available under the circumstances, adequate supporting documentation and data. Upon receipt of such notice, FIS shall, where practicable, remedy the issue or re-perform the particular Services affected as soon as reasonably practicable at no additional charge.

(b) FIS will not be liable hereunder (including, notwithstanding anything to the contrary, under Subsection 5.6.2(a) above) for:

(i) failure to provide, in whole or in part, any Service in the following circumstances: (i) if any Dependency set forth in Subsection 5.10 below is not met through no fault of FIS; (ii) if the failure is at the request or with the consent of an Authorized Person; (iii) if any law to which FIS is subject prohibits or limits the performance of the Services; or (iv) if the failure results from a Force Majeure Event;

 

(ii) errors or failures to act by Client or any third party (except FIS Agents), including failure by Client to obtain all necessary consents from Intermediaries and Investors or comply with laws applicable to Client, or the inaccuracy, incompleteness, sequence or timeliness of any data supplied by. Such third parties include custodians, Funds’ accountants and investment advisers, market and reference data providers, brokers and other intermediaries, Client Agents, Authorized Persons, and Investors;

(iii) reliance on the advice of counsel or independent accountants chosen or approved by Client or chosen by FIS with reasonable care;

(iv) legal, tax, or investment advice; and

(v) breach of any Shareholder Information Agreement(s) or the terms, conditions, or procedures of any Intermediary.

(c) FIS’ CUMULATIVE LIABILITY TO CLIENT FOR ALL LOSSES, CLAIMS, SUITS, CONTROVERSIES, BREACHES OR DAMAGES FOR ANY CAUSE WHATSOEVER ARISING OUT OF OR RELATED TO THIS ORDER, (REGARDLESS OF THE FORM OF ACTION OR LEGAL THEORY), SHALL NOT EXCEED THE LIABILITY CAP.

(d) UNDER NO CIRCUMSTANCES SHALL EITHER PARTY (OR ANY OF ITS AFFILIATES PROVIDING OR RECEIVING SERVICES UNDER THIS ORDER ) BE LIABLE TO THE OTHER OR ANY OTHER PERSON FOR LOSSES OR DAMAGES WHICH FALL INTO ANY OF THE FOLLOWING CATEGORIES: (A) LOST REVENUES; (B) LOST PROFITS; (C) LOSS OF BUSINESS; (D) TRADING LOSSES; (E) INACCURATE DISTRIBUTIONS; (F) LOST PERFORMANCE; (G) OPPORTUNITY COSTS; OR (H) INCIDENTAL, INDIRECT, EXEMPLARY, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND RESULTING FROM THE SERVICES PROVIDED HEREUNDER, OR ARISING FROM ANY BREACH OR TERMINATION OF THIS ORDER), WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, AND WHETHER OR NOT FORESEEABLE, EVEN IF THE RELEVANT PARTY WAS ADVISED OR AWARE OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES. FOR PURPOSES OF CLARIFICATION, THE FOLLOWING SHALL BE DEEMED “DIRECT DAMAGES” AS BETWEEN CLIENT AND FIS FOR THE PURPOSES OF THIS ORDER: ANY AND ALL DAMAGES, INCLUDING CONSEQUENTIAL AND SIMILAR DAMAGES, AWARDED TO A THIRD PARTY FOR WHICH INDEMNIFICATION IS PROVIDED BY A PARTY UNDER SUBSECTIONS 5.6.3 OR 5.6.4 BELOW.

(e) THE LIMITATIONS AND EXCLUSIONS SET FORTH IN SUB-SUBSECTIONS (c) AND (d) ABOVE SHALL NOT APPLY TO: (a) FAILURE TO PAY FEES AND EXPENSES WHEN DUE; (c) DAMAGES CAUSED BY EITHER PARTY’S FRAUD OR WILLFUL MISCONDUCT; (b) A PARTY’S LIABILITY FOR DEATH OR PERSONAL INJURY DUE TO THAT PARTY’S NEGLIGENCE; OR (c) A PARTY’S LIABILITY FOR DAMAGES TO THE EXTENT THAT SUCH LIMITATION OR EXCLUSION IS NOT PERMITTED BY APPLICABLE LAW.

(f) Neither Party shall be liable for or be considered in breach of this Order due to any of the following events or failure to perform its obligations under this Order (other than for Client its payment obligations, which obligations shall be suspended only for so long as the Force Majeure Event renders Client unable by any means to transmit payments when due hereunder) as a result of: a cause beyond its reasonable control, including any act of God or a public enemy or terrorist, act of any military, civil or regulatory authority, change in any law or regulation, fire, flood, earthquake, storm or other like event, theft or criminal misconduct by unrelated third parties, disruption or outage of communications (including the Internet or other networked environment) beyond reasonable control of the party, power, or other utility, unavailability of supplies or any other cause, whether similar or dissimilar to any of the foregoing, which could not have been prevented by the non-performing Party with reasonable care (singularly a “Force Majeure Event”). This provision does not relieve FIS from its obligations to maintain a Global Business Resilience Program as referenced in Section 5.5.1 (including maintaining and testing disaster recovery plans) for the Services.

(g) The representations and warranties made by FIS in this Order and the obligations of FIS under this Order run only to Client and not to its Affiliates, Client Agents, Authorized Persons, Investors, Client’s investment advisors, affiliated Persons, Funds, Shareholders, or any other Persons. Under no circumstances shall any Affiliate, Client Agents, Authorized Persons, Client’s investment advisors, or any other Person be considered a third-party beneficiary of this Order or otherwise entitled to any rights or remedies under this Order (including any right to be consulted in connection with any variation or rescission of this Order agreed between FIS and Client), even if such Affiliates, Client Agents, Authorized Persons, Investors, Client’s investment advisors, or any other Persons are provided access to the data maintained by FIS in connection with the Services via the Internet or other networked environment.

5.6.3 Indemnity by Client. Client will indemnify FIS, each of its Affiliates, and its and each Affiliate’s officers, directors, employees, and representatives, FIS Agents, and each FIS Agent’s officers, directors, employees and representatives (each, a “FIS Indemnitee”), and will defend and hold each FIS Indemnitee harmless from all losses, costs, damages, and expenses (including reasonable legal fees) incurred by FIS and/or each FIS Indemnitee in any action or proceeding between FIS and Client, or between FIS, Client and any third party(ies), or between FIS and any third party(ies), and all claims, demands, or requests imposed on, incurred by, or asserted against FIS (collectively “Losses” and each a “Loss”), all the foregoing Losses in connection with or arising out of the following:

(i) the Services, data (including Fund Data or Shareholder Data) and/or documents provided or failed to be provided to FIS in accordance with this Order, or this Order, except any Loss resulting from the bad faith, willful misfeasance, or gross negligence, fraud, or reckless disregard by FIS or FIS Agents of its obligations or duties hereunder; or

(ii) any alleged untrue statement of a material fact contained in any Offering Document of Client, or arising out of or based upon any alleged omission to state a material fact required to be stated in any Offering Document or necessary to make the statement(s) in any Offering Document not misleading, unless such statement or omission was made in reliance upon, and in conformity with, information furnished in writing to Client by FIS specifically for use in the Offering Document; or

(iii) any breach of any Shareholder Information Agreement(s) or the terms, conditions, or procedures of any Intermediary or Intermediaries; or

(iv) any third-party claim asserting that any Client IP, as and when made available to FIS by Client and when properly used for the purpose and in the manner specifically authorized by this Order, infringes, misappropriates, or otherwise violates any patent issued as of the Order Effective Date by a country that is a signatory to the Paris Convention, any copyright of any country that is a member of the Berne Convention as of said date, or any trade secret or other proprietary right of any Person.

The third parties referenced in this Subsection 5.6.3 above include any Investor, Shareholder, the U.S. Internal Revenue Service, or any regulatory, prosecuting, tax, or governmental authority in any jurisdiction, domestic or foreign.

If any claim under Subsection 5.6.3(iv) is initiated, or in Client’s sole opinion is likely to be initiated, Client may at its option and expense:

(i) modify or replace all or part of the subject Client IP so that it is no longer allegedly infringing, misappropriating or violative of the aforesaid rights; provided that the functionality thereof is not reduced in any material respect; or

(ii) procure for FIS the right to continue using the subject Client IP; or

(iii) remove all or the pertinent part of the subject Client IP, and in such case this Order shall terminate with respect to any portion of the Services that relies on FIS’ use of or access to the subject Client IP or part thereof removed.

Client’s obligation under Subsection 5.6.3 is contingent upon FIS: (a) promptly giving notice to Client after the date FIS first receives notice of the applicable claim (provided that later notice shall relieve Client of its liability and obligations under this Subsection 5.6.3 only to the extent that Client is prejudiced by such later notice); (b) allowing Client to have sole control of the defense or settlement of the claim; provided that, Client will not enter into any settlement agreement for such claim that has a material adverse impact on FIS without FIS’ written consent; (c) reasonably cooperating with Client during defense and settlement efforts; and (d) not making any admission, concession, consent judgment, default judgment, or settlement of the applicable claim or any part thereof (unless otherwise agreed by Client in writing). For the purpose of this paragraph and without limitation, provisions of a settlement agreement shall not be deemed to have a material adverse impact on FIS to the extent that the provisions (i) require the payment of amounts covered by Client’s indemnification obligation under this Subsection 5.6.3, or (ii) impose restrictions related exclusively to Client IP or part(s) thereof. FIS may monitor any such litigation or proceeding at its expense, using counsel of its choosing.

Notwithstanding the foregoing, subject to clause (a) below in this paragraph, FIS may assume the defense of any claim at any time upon notice to Client if such claim: (i) arises from a regulatory examination, investigation, inquiry, or other regulatory action, proceeding, or review of FIS, or (ii) seeks injunctive or other, similar relief that would require FIS to take or refrain from taking any action; and (a) under no circumstance shall any FIS Indemnitee confess any claim or make any compromise of any claim in which Client does undertake the indemnity in accordance with this Subsection 5.6.3, except with Client’s prior written consent (which consent shall not be unreasonably withheld, conditioned or delayed). Client shall have no obligation or duty with respect to any such confession or compromise that is made without its such consent.

5.6.4 Intellectual Property Indemnity by FIS. FIS will indemnify Client, each of its Affiliates, and its and each Affiliate’s officers, directors, employees, and representatives, Client Agents, and each Client Agent’s officers, directors, employees and representatives (each, a “Client Indemnitee”), and will defend and hold each Client Indemnitee harmless from all Losses incurred by Client and/or each Client Indemnitee in any action or proceeding between Client and FIS, or between Client, FIS, and any third party(ies), or between Client and any third party(ies), and all claims, demands, or requests imposed on, incurred by, or asserted against Client, in connection with or arising out of any third-party claim (also “Losses”) (i) asserting that any FIS IP used by FIS to provide the Services (“FIS Solution”), as and when used by FIS on behalf of Client or made available to Client by FIS and, to the extent applicable, when properly used by Client for the purpose and in the manner specifically authorized by this Order, infringes, misappropriates, or otherwise violates any patent issued as of the Order Effective Date by a country that is a signatory to the Paris Convention, any copyright of any country that is a member of the Berne Convention as of said date, or any trade secret or other proprietary right of any Person.

The third parties referenced in this Subsection 5.6.4 above include any Investor, Shareholder, the U.S. Internal Revenue Service, or any regulatory, prosecuting, tax, or governmental authority in any jurisdiction, domestic or foreign.

FIS’ obligation under Subsection 5.6.4 is contingent upon Client: (a) promptly giving notice to FIS after the date Client first receives notice of the applicable claim (provided that later notice shall relieve FIS of its liability and obligations under this Subsection 5.6.4 only to the extent that FIS is prejudiced by such later notice); (b) allowing FIS to have sole control of the defense or settlement of the claim, provided that, FIS will not enter into any settlement agreement for such claim that has a material adverse impact on Client without Client’s written consent; (c) reasonably cooperating with FIS during defense and settlement efforts; and (d) not making any admission, concession, consent judgment, default judgment, or settlement of the applicable infringement claim or any part thereof (unless otherwise agreed by FIS in writing). For the purpose of this paragraph and without limitation, provisions of a settlement agreement shall not be deemed to have a material adverse impact on Client to the extent that the provisions (i) require the payment of amounts covered by FIS’ indemnification obligation under this Subsection 5.6.4 or (ii) impose restrictions related exclusively to FIS IP or part(s) thereof. Client may monitor any such litigation or proceeding at its expense, using counsel of its choosing.

If any claim under Subsection 5.6.4 is initiated, or in FIS’ sole opinion is likely to be initiated, FIS may at its option and expense:

(i) modify or replace all or part of the subject FIS Solution so that it is no longer allegedly infringing, misappropriating or violative of the aforesaid rights; provided that the functionality or performance thereof is not reduced in any material respect; or

(ii) procure for Client the right to continue using the subject FIS Solution; or

(iii) remove all or the pertinent part of the FIS Solution, and in such case this Order shall terminate with respect to the Services that are dependent on such FIS Solution or part thereof removed, and refund to Client any pre-paid and unearned amounts with respect to said Services; provided that Client shall have the right to terminate this Order in its entirety if Client determines, in its reasonable discretion, that the termination of such Services materially compromises FIS’ ability to fulfill Client’s requirements with respect to the subject matter of this Order.

The remedies provided in this Subsection 5.6.4 are the sole remedies for any Losses.

5.6.5 DISCLAIMER. EXCEPT AS EXPRESSLY STATED IN THIS ORDER, ALL REPRESENTATIONS, WARRANTIES, TERMS AND CONDITIONS, ORAL OR WRITTEN, EXPRESS OR IMPLIED, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OF TRADE, QUALITY OF INFORMATION, QUIET ENJOYMENT, OR OTHERWISE (INCLUDING IMPLIED WARRANTIES, TERMS AND CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INTERFERENCE, AND NON-INFRINGEMENT) ARE, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EXCLUDED FROM THIS ORDER.

5.6.6 Open Negotiation. Client and FIS have freely and openly negotiated this Order, including the pricing, with the knowledge that the liability of the Parties is to be limited in accordance with the provisions of this Order.

5.7 CONFIDENTIALITY; SECURITY; INTELLECTUAL PROPERTY; USE RESTRICTIONS.

5.7.1 Confidentiality. The Party receiving Confidential Information (“Receiving Party”) from the other Party (“Disclosing Party”) shall not, and shall cause its Authorized Recipients not to, use Confidential Information for any purpose except as necessary to implement, perform, or enforce this Order. Receiving Party will implement commercially reasonable administrative, technical, and physical safeguards designed to: (a) ensure the security and confidentiality of the Confidential Information; (b) protect against anticipated threats or hazards to the security of the Confidential Information; and (c) protect against unauthorized access to or use of the Confidential Information. Prior to disclosing the Confidential Information to its Authorized Recipients, Receiving Party shall inform them of the confidential nature of the Confidential Information and require them to abide by the terms of this Order. Receiving Party will promptly notify Disclosing Party if Receiving Party discovers any confirmed improper use or disclosure of Confidential Information and will promptly commence all reasonable efforts to investigate and correct the cause(s) of such improper use or disclosure. If Receiving Party believes the Confidential Information must be disclosed under applicable law, Receiving Party may do so provided that, to the extent permitted by law, (y) the Disclosing Party is given a reasonable opportunity to contest such disclosure or obtain a protective order, and (z) discloses only the portion of Disclosing Party’s Confidential Information that is required to be disclosed under applicable law.

5.7.2 Security.

(a) FIS will implement commercially reasonable administrative, technical, and physical safeguards designed to: (i) ensure the security and confidentiality of Client Data; (ii) protect against any anticipated threats or hazards to the security of the Client Data; and (iii) protect against unauthorized access to or use of the Client Data. FIS will review and test such safeguards at least annually.

(b) Client shall be solely responsible for Client Systems.

(c) Except as otherwise permitted in this section, FIS shall not (i) access, process, store, or move Client Data outside of the United States or (ii) use resources including FIS Authorized Recipients outside of the United States. Notwithstanding the foregoing, FIS is expressly permitted to use FIS Authorized Recipients outside of the United States, subject only to the Prohibited Countries section directly below this subsection 5.7.2(c) to access Client Data stored in the United States for security, maintenance, operational, or technical support reasons only, subject to the use of virtual desktop infrastructure (VDI) connection or equivalent technology with no ability to download, copy or print outside of an FIS-operated facility, or the ability to otherwise transmit data to the accessing device. In no event will any Client Data be downloaded to or otherwise stored on any device or media outside of the United States.

(d) Prohibited Countries. FIS Authorized Recipients shall not provide Services from the following locations: Afghanistan, Bangladesh, Belarus, Bosnia & Herzegovina, Burkina Faso, Burma (Myanmar), Burundi, Cambodia, Central African Republic, Chad, China, Congo, Cuba, Democratic People’s Republic of Korea (DPRK—North Korea), Democratic Republic of the Congo, Ethiopia, Gabon, Guinea, Guinea-Bissau, Iran, Iraq, Kazakhstan, Kenya, Lebanon, Libya, Mali, Mozambique, Nicaragua, Niger, Nigeria, Pakistan, Palestine (West Bank and Gaza), Russian Federation, Somalia, South Sudan, Sudan, Syrian Arab Republic, Turkmenistan, Uzbekistan, Venezuela, Yemen, or Zimbabwe. No FIS Authorized Recipient shall be a person or entity listed on the Specially Designated Nationals and Blocked Persons list (“SDN List”) or other sanctions lists administered by U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”).

(e) The Security Statement shall apply in respect of FIS possession or control of Client Data.

(f) Vendor Diligence and Audit Materials.

i. Outsourcing Generally. FIS will cooperate with Client to meet its responsibilities to perform due diligence and assess FIS as its third-party technology service provider. This includes cooperating with regulatory authorities having jurisdiction over Client (“Regulators”). Client shall at all times have regard to the principle of proportionality and take a risk-based approach to exercising the rights set out in this Section.

ii. Vendor Diligence and Audit Materials. Through the FIS Client Portal (Login | FIS (fisglobal.com)), Client will have continuous electronic access to audit reports, attestations, and other detailed information regarding FIS’ internal systems testing and procedures, and FIS’ information security and data privacy controls. These audit materials evidence FIS’ compliance with industry and regulatory standards and include independent audits (such as SSAE 18’s), third-party attestations and certifications (such as ISO certifications, and PCI AOC’s), and detailed information and testing results regarding physical, technical and administrative controls utilized by the Solution’s business lines within FIS and the security of Client’s Confidential Information.

iii. Information Security and Risk Management Information. FIS will make available to Client, either virtually or in person, upon Client’s request, comprehensive vendor diligence information, including (i) summaries of FIS enterprise-wide security and system controls, and (ii) specific assessments of industry standards and best practices for financial technology information security and risk management.

iv. SSAE 18 Audit. FIS shall cause an independent public accounting firm to perform the audits (generally SSAE 18) with respect to the Services being provided under the Order which FIS has agreed to be in scope for such audits. FIS shall make available to Client a copy of the resulting independent audit report(s) relevant to this Order. FIS shall promptly address and resolve any mutually agreed upon deficiencies identified in such audit report(s).

v. Governmental Access. FIS shall permit Regulators to examine FIS’ books and records to the same extent as if the Solution was being performed by Client on its own premises, subject to FIS’ confidentiality and security policies and procedures.

vi. Client Questionnaires. Questionnaires may be submitted to FIS for completion no more than once annually unless there is a request by a Regulator or Data Breach (as defined in Attachment 4 (Security Statement)).

vii. Compliance with FIS Policies. While exercising the audit rights under this Section (Audit), Client shall comply with FIS’ reasonable confidentiality and security policies and procedures.

 

5.7.3 Personal Data.

(a) Client shall ensure that it has obtained all necessary consents and it is entitled to transfer the relevant Personal Data to FIS so that FIS may lawfully use, Process, and transfer the Personal Data as set forth in this Order. FIS shall Process all Personal Data in accordance with Attachment 3.

(b) Client represents and warrants that it is a U.S. based company, and for purposes of this Order it does not collect, transfer, maintain, receive or Process any Personal Data subject to any non-US data protection laws, including, without limitation, the General Data Protection Act, the United Kingdom General Data Protection Act, or the Swiss Federal Act on Data Protection. If Client Processes or otherwise has access to any Personal Data regarding employees or contractors of FIS or an FIS Affiliate as a result of this Order, Client shall treat such Personal Data as FIS’ Confidential Information and only Process it for legitimate purposes in accordance with all applicable laws. To the extent required by applicable laws, Client shall give prompt, written notice to FIS of any Personal Data breach relating to the Personal Data of FIS.

(c) FIS and Client acknowledge that the Shareholder Data provided by Client and the Fund Data are considered Confidential Information of Shareholders, the Fund(s), Client’s customers or clients, and/or Fund(s)’ customers or clients (as appropriate), that Shareholder Data provided by Intermediaries is considered Confidential Information of the Intermediaries, and/or the Intermediaries’ customers or clients, (as appropriate), and might also be considered Confidential Information of Client.

(d) Reserved.

5.7.4 Intellectual Property.

(a) FIS IP is trade secrets and/or proprietary property of FIS or its licensors, having great commercial value to FIS or its licensors. Title to all FIS IP and all related intellectual property and other ownership rights with respect thereto shall be and remain exclusively with FIS or its licensors, even with respect to such items that were created by FIS specifically for or on behalf of Client. FIS and its Affiliates may freely use Feedback without attribution or the need for FIS, its Affiliates, or any third party to pay Client or its Affiliates any royalties or fees of any kind. This Order is not an agreement of sale of FIS IP. No intellectual property or other ownership rights to FIS IP are transferred to Client by virtue of this Order. All copies of FIS IP in Client’s possession shall be deemed to be on loan and licensed to Client under the terms of Sub-subsection 5.7.4(c) during the Term of this Order.

(b) Client IP is trade secrets and/or proprietary property of Client or its licensors, having great commercial value to Client or its licensors. Title to all Client IP and all related intellectual property and other ownership rights with respect thereto shall be and remain exclusively with Client or its licensors. Client and its Affiliates may freely use Feedback without attribution or the need for Client, its Affiliates, or any third party to pay FIS or its Affiliates any royalties or fees of any kind. This Order is not an agreement of sale of Client IP, and no intellectual property or other ownership rights to any Client IP are transferred to FIS by virtue of this Order. All copies of Client IP in FIS’ possession shall be deemed to be on loan and licensed to FIS under the terms of Sub-subsection 5.7.4(c) during the Term of this Order.

(c) Each Party (as between the Parties, the “Licensor”) grants to the other Party (as between the Parties, the “Licensee”) a non-transferable, non-exclusive, limited license during the Term of this Order to use its Intellectual Property in accordance with this Order. The Licensee may use the Intellectual Property System only in the ordinary course of Licensee’s internal business operations solely in conjunction with the provision or receipt of the Services hereunder, as applicable, for the benefit of Licensee. Each Party in its capacity as a Licensee shall be liable for any breach of this Order by any Persons to whom or which Licensee gives access to the Licensor’s Intellectual Property.

(d) Except for those licenses expressly stated or referenced in this Order, this Order does not grant either Party the right to use the other Party’s Intellectual Property, without such other Party’s prior written consent.

5.7.5 Use Restrictions. Except to the extent specifically authorized by this Order, or as necessary for FIS to provide or Client to receive the Services hereunder, a Party shall not, shall not attempt to, and shall not permit any other Person under its reasonable control to: (a) use or sub-license Intellectual Property of the other Party for any purpose, at any location, or in any manner not specifically authorized by this Order; (b) make or retain any Copy of any Intellectual Property of the other Party; (c) create or recreate the source code for any software included among the Intellectual Property of the other Party, or re-engineer, reverse engineer, decompile, or disassemble such software, except to the extent specifically permitted by applicable law; (d) modify, adapt, translate, or create derivative works based upon such Intellectual Property, or combine or merge any part of such Intellectual Property with or into any other software, documentation, or intellectual property, except to the extent specifically permitted by applicable law; (e) refer to, disclose, or otherwise use any Intellectual Property of the other Party as part of any effort either to (i) develop a program having any functional attributes, visual expressions, or other features similar to those of the software included in the Intellectual Property of the other Party, or (ii) compete with the other Party; (f) remove, erase, or tamper with any copyright or other proprietary notice printed or stamped on, affixed to, or encoded, or recorded in any Intellectual Property of the other Party, or fail to preserve all copyright and other proprietary notices in any Copy of the Intellectual Property of the other Party; (g) sell, market, license, sublicense, distribute, or otherwise grant to any Person, including any outsourcer, vendor, sub-contractor, consultant, or partner, any right to use any Intellectual Property of the other Party or allow such other Person to use or have access to any Intellectual Property of the other Party, whether on the other Party’s behalf or otherwise; or (h) use the Services to conduct any type of application service provider, service bureau, or time-sharing operation, or to provide remote processing, network processing, network telecommunications, or similar services to any Person, whether on a fee basis or otherwise. Each Party shall promptly cease the use of any Intellectual Property belonging to or licensed by the other Party upon written notice from such other Party.

5.7.6 Notice and Remedy of Breaches. Each Party shall promptly give notice to the other Party of any breach by it of any of the provisions of Subsection 5.7 (including its sub-subsections), whether or not intentional, and the breaching Party shall, at its expense, take all reasonable steps to prevent or remedy the breach.

5.7.7 Enforcement. Each Party acknowledges that any breach of any of the provisions of Subsection 5.7 (including its sub-subsections) might result in irreparable injury to the other Party for which money damages would not adequately compensate. If there is a breach, the injured Party shall be entitled, in addition to all other rights and remedies which it might have, to have a decree of specific performance or an injunction issue by any competent court, requiring the breach to be cured or enjoining all Persons involved from continuing the breach.

5.8 AUDIT MATERIAL; AGENCIES’ EXAMINATIONS.

5.8.1 Audit Material. Through the Client Portal, Client will have continuous electronic access to audit reports, attestations, and other information regarding FIS’ internal systems testing and procedures, and FIS’ information security and data privacy controls. These audit materials and attestations evidence FIS’ compliance with industry and regulatory standards and include then-recent independent audits (such as SSAE 18s), third-party attestations and certifications (such as ISO certifications and PCI AoCs), and detailed information and testing results regarding physical, technical, and administrative controls utilized by the service business lines within FIS for the security of Client’s Confidential Information.

5.8.2 Governmental Agencies’ Examinations. FIS shall permit governmental agencies that regulate Client in connection with a Service to examine FIS’ books and records to the same extent as if that Service was being performed by Client on its own premises, subject to FIS’ confidentiality and security policies and procedures.

5.9 TERMINATION.

5.9.1 Termination Rights. Subject to Sub-subsection 5.9.3 below, a Party may terminate this Order by giving notice of termination to the other Party if the other Party breaches any of its material obligations under this Order and does not cure the breach within thirty (30) days after receiving notice describing the breach in reasonable detail.

5.9.2 Termination-Related Obligations.

(a) If Client terminates this Order without cause, Client will pay FIS as a termination fee for such default, an amount equal to the average monthly fees payable by Client for the then (as of the effective date of termination)-preceding twelve (12) months, multiplied by the number of months remaining in the Term as of the effective date of such termination (“Termination Fee”). In the event that Client is, in part or in whole, liquidated, dissolved, merged into a third party, acquired by a third party, or involved in any other transaction that materially reduces the assets and/or accounts serviced by FIS pursuant to this Order, the Termination Fee provision set forth above will not apply, and will be adjusted ratably if any of the events described above is partial. Any termination fee payable to FIS will be payable on or before the date of the event that triggers the payment obligation. A default by Client will cause substantial damages to FIS and because of the difficulty of estimating the damages that will result, the Parties agree that the Termination Fee is a reasonable forecast of probable actual loss to FIS and that this sum is agreed to as a termination fee and not as a penalty.

(b) Upon termination FIS will, at the expense and written direction of Client and to the extent permitted by law, transfer to Client, or any successor service provider(s) to Client, copies of all Client Records, subject to the payment by Client of unpaid and undisputed amounts due to FIS hereunder, including any Termination Fee. If by the termination date Client has not given written Instruction for delivery of Client Records, FIS will keep Client Records until Client provides such written Instruction to deliver Client Records, provided that FIS will be entitled to charge Client FIS’ then-standard fees for maintaining Client Records, and FIS shall have no obligation to keep Client Records beyond six (6) months after the termination date. FIS will provide no other services in connection with the termination of this Order. “Client Records” shall mean the records required by Section 17A of the Securities Exchange Act of 1934, as amended, and the rule thereunder with respect to Client, and Section 31 of the Investment Company Act of 1940, as amended, and the rules thereunder with respect to the Funds, if any, prepared by FIS relating to the Services or maintained by FIS relating to the Services.

5.9.3 Effects of Termination. The provisions of Section 5.6 (“FIS’ Addresses for Notices”), and Section 5.7 (“FIS’ Wiring Instructions”) of Attachment 2, Subsections 5.1, 5.4, 5.6, 5.7, 5.9, and 5.12 (including all sub-subsections thereof, except Sub-subsections 5.12.9) of Section 5 of this Order, shall survive any termination of this Order, whether under Subsection 5.9 or otherwise. Client shall remain liable for all payments due to FIS with respect to the period ending on the date of termination.

5.10 DEPENDENCIES.

FIS’ delivery of the Services and its other obligations under this Order are dependent upon the following (each a “Dependency”):

(i) The communications systems operated by Client and/or third parties (other than FIS Agents) in respect of activities that interface with the Services remaining fully operational.

(ii) The authority, accuracy, truth, and completeness of any information or data provided by Client, its employees, current and predecessor Client Agents and/or other Persons (including, but not limited to, investment advisors, custodians, and Intermediaries) that had been reasonably requested by FIS or had been provided to FIS.

(iii) Client informing FIS on a timely basis of any modification to, or replacement of, any agreement to which it is a party that is relevant to the provision of the Services.

(iv) Without limitation to the foregoing, in connection with any implementation plan or Service change plan agreed by the Parties, Dependencies shall include: Timely delivery of technical data details and internal information of Client, as reasonably requested by FIS.

5.11 FEE ASSUMPTIONS. See Attachment 1 hereto.

5.12 OTHER PROVISIONS.

5.12.1 Notices. All notices, consents and other communications under or regarding this Order shall be in writing and shall be deemed to have been received on the earlier of: (a) the date of actual receipt; (b) the third business day after being mailed by first class, certified, or air mail or (c) the first business day after being sent by a reputable overnight delivery service. Client’s address for notices and FIS’ address for notices are stated in Attachment 2. Either Party may change its address for notices by giving written notice of the new address to the other Party.

5.12.2 Parties-in-Interest.

(a) This Order shall bind, benefit, and be enforceable by and against FIS and Client, and to the extent permitted hereby their respective successors and assigns.

(b) Client shall not assign this Order or any of its rights hereunder, nor delegate any of its obligations hereunder, without FIS’ prior written consent, except that such consent shall not be required in the case of an assignment of this Order (but not of any individual rights or obligations hereunder) to (i) a purchaser of or successor to substantially all of Client’s business (unless such purchaser or successor is a software, data processing or computer services vendor that is a competitor of FIS, its parent company or any of its Affiliates), or (ii) an Affiliate of Client, provided in the case of such an assignment under (i) or (ii), Client guarantees the obligations of the assignee. Any assignment by Client in breach of this Subsection 5.12.2 (including its sub-subsections) shall be void. Any express assignment of this Order, any change in control of Client (or its Affiliate in the case of an assignment to that Affiliate under this Subsection 5.12.2), and any assignment by merger or otherwise by operation of law shall constitute an assignment of this Order by Client for purposes of this Subsection 5.12.2 (“Client Assignment”). In the event of a Client Assignment, or any acquisition of additional business by Client, whether by asset acquisition, merger, operation of law or otherwise (collectively with Client Assignment, “Client Additional Business Acquisition”), Client shall give notice to FIS notifying FIS if Client desires to use the Services to Process any additional business related to such Client Additional Business Acquisition.

5.12.3 Export Laws. Client acknowledges that FIS IP and the Services provided by FIS under this Order are subject to the Export Laws. Client shall not violate the Export Laws or otherwise export, re-export, or use, directly or indirectly (including via remote access), any part of the Confidential Information or the Services in a manner, or to or for any Person or entity, for which a license or other authorization is required under the Export Laws, without first obtaining such license or authorization.

5.12.4 Relationship. The relationship between the Parties created by this Order is that of independent contractors and not partners, joint venturers, or agents.

5.12.5 Entire Understanding; Non-Reliance. This Order, which includes and incorporates the attachments, including Attachments 1 and 2, states the entire understanding between the Parties with respect to its subject matter, and supersedes all prior proposals, marketing materials, negotiations, representations (whether negligently or innocently made), agreements, and other written or oral communications between the Parties with respect to the subject matter of this Order. Any written, printed, or other materials which FIS provides to Client that are not included in the Documentation are provided on an “as is” basis, without warranty, and solely as an accommodation to Client. By entering this Order each Party acknowledges and agrees that it has not relied on any express or implied representation, warranty, collateral contract, or other assurance (whether negligently or innocently made), except those expressly set out in this Order. Each Party waives all rights and remedies which, but for this Sub-subsection 5.12.5 might otherwise be available to it in respect of any such representation (whether negligently or innocently made), warranty, collateral contract, or other assurance. Nothing in this Order shall limit or exclude any liability for fraud or fraudulent misrepresentation.

5.12.6 Modification; Waiver. No modification of this Order and no waiver of any breach of this Order shall be effective unless in writing and signed by an authorized representative of the Party against whom enforcement is sought. This Order may not be modified or amended by electronic means without written agreement of the Parties with respect to formats and protocols. No waiver of any breach of this Order and no course of dealing between the Parties shall be construed as a waiver of any subsequent breach of this Order.

5.12.7 Severability, Headings, and Counterparts. A determination that any provision of this Order is invalid or unenforceable shall not affect the other provisions of this Order. Section, subsection, and sub-subsection headings are for convenience of reference only and shall not affect the interpretation of this Order. This Order may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. If this Order is executed via facsimile, each Party shall provide the other Party with an original executed signature page within five (5) days following the execution of this Order.

5.12.8 Insurance. Each Party will be covered at all times during the Term by such insurance as it deems adequate in its reasonable judgment, which shall in any event consist of not less than the following types and minimum amounts of coverage with a reputable insurance company(ies):

(i) commercial general liability insurance covering claims for personal injury and property damage, with limits of not less than US$1,000,000 per occurrence;

(ii) commercial crime coverage/fidelity bond insurance, with limits of not less than US$1,000,000 per occurrence;

(iii) workers’ compensation coverage as required by the statutes of the jurisdiction(s) in which the Services are being performed covering all Personnel employed by FIS in the performance of their duties who are required to be covered by the statutes of the applicable jurisdiction(s); and

(iv) errors and omissions insurance with a reputable insurance company, with limits of not less than US$5,000,000 per occurrence and in the aggregate.

Upon the reasonable request of a Party, the other Party shall furnish the requesting Party a certificate of insurance as specified in this Order. Maintenance of insurance as specified in this Order shall in no way be interpreted as relieving or increasing a Party’s responsibilities or liabilities under this Order. A Party may carry, at its own expense, such additional insurance as it deems necessary, including self-insurance.

5.12.9 Language. It is the express desire of the Parties that this Order and all related documents be written in English.

5.12.10 Jurisdiction and Governing Law. This Order and any dispute, difference, controversy, or claim arising, directly or indirectly, out of or in connection with it or its subject matter or formation (including non-contractual disputes, differences, controversies, or claims) (collectively “Disputes”) is governed by, and shall be construed and enforced in accordance with, the laws of the state of Florida without regard to that state’s choice of law provisions or principles. Each Party irrevocably: (aa) agrees that the Florida state courts located in the City of Jacksonville, Florida, Duval County, or the United States District Court for the Middle District of Florida, sitting in the City of Jacksonville, Florida, shall have exclusive jurisdiction to adjudicate any Dispute directly or indirectly arising out of, related to, or in connection with Subsection 5.7 above (including its sub-subsections) or the breach or validity of Subsection 5.7 (including its sub-subsections), and consents to submit itself to the personal jurisdiction of such courts; (bb) agrees that such courts shall be the proper venue therefor; (cc) waives any defense of inconvenient forum to the maintenance of any action or proceeding so brought; (dd) waives the right to trial by jury in any such action or proceeding; and (ee) consents to service of process by first class certified mail, return receipt requested, postage prepaid, to the address at which the Party is to receive notice, provided that nothing in this Sub-subsection 5.12.10 shall affect the right of any Party to serve legal process in any other manner permitted by law.

5.12.11 Subpoenas; Data Preservation. If (1) FIS is required: (a) by subpoena or other judicial or legal process or by Governmental Authority with jurisdiction over Client to produce documents, testify, give evidence, or otherwise respond as a non-party in an investigation, action, arbitration, or other proceeding in which Client is a party or a subject; or (b) in connection with such a proceeding, to preserve documents, materials, or other data not otherwise required to be preserved pursuant to FIS’ standard retention policies; or (2) is requested or authorized by Client to produce documents or person(s) with respect to the Services, Client shall promptly, upon FIS’ request, as long as FIS is not the subject of the investigation or proceeding in which the documents, testimony, evidence, participation, or information is so sought, reimburse FIS at its then-standard rates and for its costs and out-of-pocket expenses, including attorneys’ fees and other legal costs and expenses, incurred in responding or complying with the foregoing (1) or (2).

5.12.12 Business Continuity and Disaster Recovery.

(a) FIS maintains policies and procedures for contingency and business resumption plans, disaster recovery plans and proper risk controls for the Services. FIS’ business continuity plans are based on a business impact analysis for recovery times, recovery points, and priority.

(b) For data centers, FIS maintains automatic early-warning sensors (e.g., fire, water, temperature and humidity), independent air conditioning systems and fire suppression systems. Mission-critical hardware is protected by an emergency power supply system with batteries and backup generators. Hazardous or combustible materials are kept at a safe distance from information assets.

(c) FIS has put in place disaster recovery plan(s), site recovery plan(s) and business continuity plan(s) designed to minimize the risks associated with a disaster affecting FIS’ ability to provide the Services. FIS’ business continuity management system meets the FFIEC business continuity guidelines and the PS-Prep / ISO 22301 business continuity international standards. FIS’ recovery time objective under such disaster recovery plan(s) is as set forth in the business continuity management summary document made available to Client via the Client Portal. FIS will maintain adequate backup procedures in order to recover Client Data to the point of the last available good backup, with a recovery point objective as set forth in the business continuity management summary document made available to Client. FIS will test its disaster recovery plan annually. FIS will provide a business continuity management summary of its disaster recovery plan(s) process in the Client Portal. Disaster recovery exercise and site business continuity exercise results are provided in the form of an exercise bulletin, excluding any proprietary information or Personal Data, via the Client Portal. If a third party is used, Client authorizes FIS to provide Client Data to external suppliers in order to test and prepare for disaster recovery, as well as provide replacement services in the event of a disaster, provided that all such external suppliers and replacement service providers will be obligated to maintain the confidentiality of Client Data utilizing procedural, physical, and electronic safeguards designed to prevent the compromise or unauthorized disclosure of Client’s Data. Client is responsible for adopting a disaster recovery plan relating to disasters affecting Client’s facilities and for securing business interruption insurance or other insurance necessary for Client’s protection.

 


 

Attachment 1

to FIS Transfer Agency Services Order

Fees’ Assumptions and Expenses

1. All freight and other delivery and bonding charges incurred by FIS in delivering materials to and from Client, its services provider, or otherwise on behalf of Client.

2. Cost of microfilm or microfiche or other electronic storage of records or other materials and other costs associated with record retention on behalf of Client.

3. Costs of tax forms.

4. Costs for investor correspondence.

5. Direct telephone, telephone transmission and telecopy or other electronic transmission expenses incurred by FIS in communication with Client, dealers, public accountants, Investors, or others as required for FIS to perform the Services to be provided hereunder.

6. Costs of fulfilment if requested.

7. Bank account charges including check payment and processing fees.

8. Costs incurred as part of AML/CIP and OFAC screening.

9. SOC1 costs.

10. Lost shareholder/escheatment expenses.

11. Blue sky expenses.

12. Confirmations, check production.

13. Costs associated with participation in NSCC’s services or other clearing and settlement platform.

14. Printing production (including graphics support, copying, and binding) and distribution expenses incurred in relation to board meeting materials, tax forms, periodic statements, confirmations, check production, new account letters, and maintenance letters, if applicable.

15. Costs of tax data Services.

16. Costs incurred with administration Services including travel and lodging expenses incurred by employees of FIS in connection with attendance at board meetings and any other meetings for which such attendance is requested or agreed upon by the Parties.

17. Ad-hoc reporting fees will be billed, when mutually agreed upon, according to applicable rate schedules.

18. Systems development fees billed at an hourly rate at the applicable per hour professional services rate and all system related expenses as agreed in advance, associated with the provision of special reports and Services.

19. Fees for the development of custom interfaces billed at a mutually agreed upon rate.

20. Expenses FIS incurs at the written direction of Client.

 

 


 

Attachment 2

to FIS Transfer Agency Services Order

PRICING ATTACHMENT

 

1. ORDER TERM; SERVICE PERIOD START DATE:

(a) Term: Five (5) years commencing on the first day of the Service Period.

(b) Service Period Start Date: The earlier of (i) September 1, 2024; or (ii) the first date the Services are made available to Client.

(c) Right to Terminate: Notwithstanding the foregoing or any language to the contrary in the Order, Client may terminate this Order at its option, without penalty, on or before 11:59 pm ET on September 27, 2024 in the event the parties do not finalize by such time a mutually agreeable clause regarding FIS’ use of generative artificial intelligence hereunder. Each party agrees to work together in good faith in order to finalize a mutually agreeable clause without undue delay.

 

2. FEES: The fees in this Section 2 (including all subsections) are accrued daily

(a) Annual Base Fee includes up to and including Four (4) CUSIPs: USD $100,000.00 per annum.

(b) Annual Per CUSIP Fee above Four (4) CUSIPS: USD $750.00

(c) Annual Per Open NSCC Account Fee: USD $3.60

(d) Annual Per Open Direct Account Fee:

i. Up to 20,000 accounts: USD $10.00

ii. 20,001-50,000 accounts: USD $9.00

iii. 50,001 and above: USD $8.00

(e) Annual Per Closed Account Fee: USD $1.20

Assumptions: future growth will include approximately 80 CUSIPs, 20,000 Direct Accounts and 8,000 NSCC Accounts within year one (1).

 

(f) Additional Services Provided (USD)

Blue Sky Services: $72.00 per permit, per annum

22c-2: $1,341.80 per month

Intermediary Payment Administration

Annual Base Fee, billed monthly in arrears:
Includes 240 invoices: $30,000
Plus:
Next 241 to 480 Invoices: $20,000
Next 481 to 600 Invoices: $18,000
Note: Assumes not all invoices are standard

Investor Portal (On-Line Access)

Monthly usage fee: $4,000
Transaction fees:
•  Per Inquiry: $.03
•  Per Financial transaction: $.20
•  Per Account Maintenance transaction: $.35
•  Per Account Option transaction: $.35
•  Per New Account set up: $1.20

FundsAUM Asset Manager Portal

Monthly usage fee: $3,500
Transaction fees:
•  Per Inquiry: $.03
•  Per Financial transaction: $.20
•  Per Account Maintenance transaction: $.35
•  Per Account Option transaction: $.35
•  Per New Account set up: $1.20

Transfer Agent Advanced Reporting and Analytics solution (TAARA), Monthly Fees

TAARA—Micro-strategy monthly usage fee (includes 2 users): 3,500
Report Storage (per GB, after 20): $7.00

Other FIS Fees:

AML Monthly Service Fee: $428.00 per month
Abandoned Property Administration Fee: $5,000 per annum
NSCC Fund/Serv—Same Day Trade Confirm (SDTC): $.15 per transaction
NSCC Fund/Serv non-SDTC: $.10 per transaction
NSCC Profile II: $250.00 per CUSIP Set-Up
•  Ongoing maintenance 1 – 100 CUSIPS: $25.00 per CUSIP per month
•  Ongoing Maintenance 101 – 150 CUSIPS: $15 per CUSIP per month
Digital Recording: $.08 per minute
Document IMAGE and Storage: $.06 per image or $.06 per page
TA Report Storage (FIS TA Reports): $.009 per page
SOC1: $600 per month

 

3. PAYMENT TERMS AND CONDITIONS: All fees are due and payable monthly in arrears at 1/12 of the applicable annual rate commencing from the Service Period Start Date; provided, however, that the billing for the initial month shall be adjusted to reflect the number of days on which the Services are actually provided.

4. SERVICES’ HOURLY RATE: The standard hourly rate in effect on the Order Effective Date for Services is USD $250.00 per hour.

5. CLIENT’S PURCHASE NUMBER (IF REQUIRED FOR INVOICING): None. The terms of the Order override any terms or conditions stipulated or referred to by Client in its purchase order.

6. CLIENT’S ADDRESS FOR INVOICES AND NOTICES:

(a) Invoices:

Lincoln Funds Trust

150 North Radnor Chester Road

Radnor, PA 19087

Attention: Chief Accounting Officer

(b) Notices:

 


 

Lincoln Funds Trust

150 North Radnor Chester Road

Radnor, PA 19087

Attention: Chief Legal Officer

 

7. FIS’ ADDRESSES FOR NOTICES: 4249 Easton Way, Suite 400, Columbus, Ohio 43219

In the case of (a) any notice by Client alleging a breach of this Order by FIS or (b) a termination of this Order, Client shall also send a copy to the below and such notices shall identify the name, date, and Parties:

Fidelity National Information Services, Inc.

Attention: Chief Legal Officer

347 Riverside Ave. Jacksonville, FL 32202

8. FIS’ WIRING INSTRUCTIONS: On each invoice.

9. Services: During the Service Period commencing on the Service Period Start Date, or if applicable the Service Period and Renewal Term, on behalf of Client FIS will perform the transfer agency services described in Annex A to this Attachment 2 for the funds listed in Annex B to this Attachment 2.

 


 

ANNEX A TO ATTACHMENT 2

 

a. Shareholder Transactions

Financial Processing

i. Process Shareholder purchase and redemption orders in accordance with terms set forth in the Offering Documents.

ii. Process transfers and exchanges.

iii. Process dividend and capital gain payments, including the purchase of new shares, through dividend and capital gain reinvestment.

iv. Where applicable, process redemption fee.

v. Balance daily transaction activity.

vi. Manage daily ACH transmissions.

vii. Automated Investment Plans

viii. Process systematic withdrawals.

ix. Automated Exchange Plans

x. Process payments to multiple payees.

xi. Complete cash settlement between Funds, custodians, National Securities Clearing Corporation (“NSCC”) and Shareholders.

xii. Prepare and manage daily open items report.

Non-Financial Processing

i. Set up and maintain account information, including address, dividend option, taxpayer identification numbers and wire instructions.

ii. Establish accounts for relationship linking.

Miscellaneous/Other

 

  i.

Communicate and coordinate Fund events.

 

  ii.

Complete quality review of transactions

 

  iii.

Image all documentation related to shareholder requests received by mail, email, and/or fax.

 

  iv.

Calculate and produce Shareholder tax records (1099’s,5498’s, etc.) by IRS deadlines.

 

  v.

Provide twenty-four (24) hour voice response system, account balances, Funds’ yields, Fund(s)’ NAVs, total rates of return, and offering prices.

 

  vi.

Reconcile TA Operating Demand Deposit Accounts (DDA)

 

  vii.

Tracking and invoicing gain/loss in accordance with the -agreed upon policy and working in conjunction with Client’s Funds’ accounting service provider(s) to book any receivables and payables due to the Funds.

 

  viii.

Review, Offering Documents, Policies and Procedures, and amendments to any of the foregoing received by FIS and in connection with the Services and this Order.

Additional Services Related to IRA Accounts

 

  i.

Perform good order review by ERISA guidelines of documents required to open new retirement accounts for Shareholders. This includes obtaining for each Shareholder a retirement application executed by such Shareholder and the custodian.

 

  ii.

Perform good order review by ERISA guidelines and process transfers specific to retirement accounts. This includes transfers from prior custodian or to successor custodians, direct rollovers from qualified plans, and Roth conversions. This includes obtaining acceptance by an authorized delegate of the successor custodian.

 

  iii.

Perform annual population extraction, notification, ERISA good order review, and processing of required mandatory distributions for Shareholders aged 73 or older.

 

Account ID: 39044   OID: 01054433   LR 200826

Prepared for: Lincoln National Corporation

  Page 22  


LOGO

 

  iv.

Record the names of beneficiaries identified by the holder of the IRA Account (the “Account Holder”).

 

  v.

Calculate distributions, withdrawals, required Federal and State withholding and other payments to Account Holders.

 

  vi.

Process contributions and distributions for Account Holders.

 

  vii.

Collect close-out and/or custodial fees when retirement plan assets are fully liquidated from accounts and disburse revenue in accordance with prospectus, IRA disclosure, and/or IRA custodial agreement.

 

  viii.

Collect custodial fees from Account Holders who elect prepayment and disburse revenue in accordance with prospectus, IRA disclosure, and/or IRA custodial agreement.

 

  ix.

Coordinate and execute the annual IRA custodial fee event to collect fees from active retirement plan Account Holders via asset liquidation. Disburse revenue in accordance with prospectus, IRA disclosure, and/or IRA custodial agreement.

 

  x.

Retain all ERISA required Account Holder documents in original form. These documents will include IRS Form 5303-A, Forms 5305-A, -RA,—EA, -SA, -SEP, and 403(b)(7) plan agreements.

 

  xi.

Tracking, production, and filing to Account Holders and government entities of federal and state tax forms specific to retirement plan accounts (i.e., Forms 1099-R and 5498).

 

  xii.

Complete annual W4P federal withholding solicitation.

 

  xiii.

Maintain Form W-4P elections for federal and state withholding on retirement plan distributions for each retirement plan shareholder and perform withholding accordingly.

 

  xiv.

Respond to Account Holders’ written and verbal operational inquiries related to their retirement accounts.

 

b. Shareholder Information Services

  i. Create and transmit data files to print and mail vendor for confirmations of financial and non-financial confirmable transactions.
  ii. Create and transmit data files to print and mail vendor for periodic statements for Shareholders.
  iii. Produce on-demand annual duplicate statements and prior year statements, if available to FIS, upon request.
  iv. Provide data files to Client or preferred vendor for distribution of Fund financial reports, prospectuses, proxy statements or marketing material to current Shareholders, upon request.
  v. Provide personnel with knowledge about the Funds to respond to telephone inquiries from Shareholders and prospective Shareholders.

 

c. Compliance Reporting & Sanction Screening

  i. Prepare and distribute appropriate Internal Revenue Service forms for corresponding Funds’ and Shareholders’ income and capital gains.
  ii. Issue tax withholding reports to the Internal Revenue Service.
  iii. Review Shareholders’ names against lists of suspected terrorists and terrorist organizations supplied by various governmental organizations, such as the Office of Foreign Asset Control.
  iv. Provide services for compliance filings (TA-1, TA-2, 17AD, etc.).

 

d. Shareholder Account Maintenance

  i. Maintain all Shareholders’ records for each account in Client.
  ii. Record Shareholders’ account information changes.
  iii. Maintain account documentation files for each Shareholder.

 

e. Dealer/Load Processing (if applicable)

  i. Calculate fees due under 12b-1 plans for distribution and marketing expenses.
  ii. Provide for payment of 12b-1 fees and/or shareholder servicing fees to dealers.
  iii. Where appropriate information is provided, process purchases made under the rights of accumulation or a Letter of Intent privileges at the appropriate breakpoint.
  iv. Provide for payment of commission on direct Shareholders’ purchases in a load fund.
  v. Calculate redemption fee, if any.
  vi. Account for separation of Shareholders’ investments from transaction sale charges for purchases of Funds’ shares.
  vii. Reporting and payment support of back-end sales charges for applicable share classes.
  viii. Reporting and payment support of finder’s fees/jumbo commissions.
  ix. Reporting and payment support of trust trail fees/Sub-TA trail fees

 

f. Anti-Money Laundering Services

Client is responsible for its own compliance with applicable AML laws, and as such, Client will maintain its own AML program in compliance with such AML laws. FIS will assist Client in meeting its obligations under applicable AML laws by carrying out the activities agreed upon in accordance with FIS’ support program. FIS’ support program has been provided to and accepted by Client.

  i. Verify Shareholders’ identity upon opening new accounts.
  ii. Monitor, identify and report Shareholders’ transactions and identify and report suspicious activities that are required to be so identified and reported, and provide other required reports to the Securities and Exchange Commission, the U.S. Treasury Department, the Internal Revenue Service, or each such agency’s designated agent, in each case consistent with Client’s AML program.
  iii. Place holds on transactions in Shareholders’ accounts or freeze assets in shareholders’ accounts, as provided in Client’s AML program.
  iv. Create documentation to provide a basis for law enforcement authorities to trace illicit funds.
  v. Maintain all records or other documentation related to Shareholders’ accounts and transactions therein that are required to be prepared and maintained pursuant to Client’s AML Program, and make the same available for inspection by (i) Client’s AML Compliance Officer, (ii) any auditor of Client’s AML Program or related procedures, policies or controls that has been designated by Client in writing, or (iii) regulatory or law enforcement authorities, and otherwise make said records or other documents available at the direction of Client’s AML Compliance Officer.

 

g. NSCC Services

  i. NSCC Transaction processing in accordance with NSCC operating guidelines and Client’s operating model as defined by Client and agreed to by FIS, including review and resolution of NSCC transaction rejects in conjunction with broker/dealer back offices and Client.
  ii. Daily (nightly) distribution of daily net asset values (“NAVs”) via NSCC operating protocols for those parties that have activated the option to receive NAVs in this manner.
  iii. Facilitation and support of monthly NSCC billing.
  iv. Toll free support line providing a single point of contact for broker/dealer back offices.

 

h. Blue Sky Services—Optional

  i. Prepare such reports, applications and documents (including reports regarding the sale and redemption of shares as may be required in order to comply with federal and state securities laws) as may be necessary or desirable to register the Shares with state securities authorities, monitor the sale of Shares for compliance with state securities laws, and file with the appropriate state securities’ authorities the registration statements and reports for Client and the Shares and all amendments thereto, as may be necessary or convenient to register and keep effective the registration of Client and the Shares with state securities authorities to enable each Fund to make a continuous offering of its Shares.
  ii. Client shall be responsible for identifying to FIS in writing those transactions and assets to be treated as exempt from reporting for each state and territory of the United States and for each foreign jurisdiction.

 

i. Profile II Services—Optional

FIS will populate the Mutual Fund Profile II database (“Profile II”) of the NSCC with the appropriate data for the pertinent record types with respect to the Funds. FIS will obtain the information set forth above from FIS’ internal records, Funds’ prospectuses and other Funds’ documents, and third parties that provide services to the Funds or to FIS. FIS will use all commercially reasonable efforts to ensure that such information is accurate and updated on a timely basis, but FIS cannot guarantee that such information will be accurate or timely updated.

 

j. 22c-2 Services—Optional

Program Launch Services

  i. Perform business analysis, including review of: (i) Fund-specific market timing and redemption fee policies; (ii) Funds’ Intermediaries and trading practices; and (iii) NSCC/DTCC membership status.
  ii. Organize Fund-specific rules and apply to a Rule 22c-2 (“Rule”) under the Investment Company Act of 1940 analytic database.
  iii. Upload or input setup data.
  iv. Setup Rule system management reports.
  v. Establish and confirm intermediary data delivery protocols, including intermediary contact information, trade detail request process and flows, exception process procedures, and trade detail delivery protocols.
  vi. Perform Rule system user acceptance testing.
  vii. Verify and test setup of Fund-specific system rules.
  viii. Perform pass-through tests as necessary.
  ix. Perform production testing of Rule system functionality.

Shareholder Information Agreement Services

  i. Mail, negotiate, maintain, and track Shareholders’ information agreements (the “Shareholder Information Agreements”) that Client’s transfer agent, distributor, or other appropriate party shall enter into with such Intermediaries as may be mutually agreed upon by Client and FIS, which agreements will be based on the standard Investment Company Institute form with such modification as Client and FIS mutually agree upon (the “Approved Form”).
  ii. Provide monthly reporting to Client, its Board, and Client’s Chief Compliance Officer (“CCO”) with respect to the status of each Shareholder Information Agreement until completion of the project.

Transaction Compliance Services

  i. Establish system protocols with Intermediaries to transmit transaction data (which transaction data is intended to meet the requirements of the Rule) to Client or its designee on behalf of Client. This data may include tax identification numbers of Shareholders that purchased, redeemed, transferred, or exchanged shares held through an account with an Intermediary, and the amounts and dates of such Shareholders’ purchases, redemptions, transfers, and exchanges.

Trade monitoring services

  i. Monitor the Funds’ shareholders’ trading activity periodically for adherence with the Funds’ market timing policy and provide monthly reporting to Client, its Board, and CCO with respect to frequent trading activity, as defined in the Funds’ policy. The reporting to be performed by FIS will include trade exception volumes (direct and Intermediary), correspondence volumes (direct and Intermediary), redemption fees applied (if applicable), redemption fees waived (if applicable) and Funds’ waivers of trade exceptions.

Redemption fee oversight

  i. For accounts held in FIS’ transfer agent shareholder recordkeeping system, (i) monitor redemption fee application for Funds, (ii) monitor the payment of such redemption fees, (iii) track and report Funds’ waivers of such redemption fees when circumstances suggest an Intermediary is not assessing redemption fees or abusive market timing is occurring, (iv) follow-up with Intermediaries on the imposition and collection of such redemption fees on behalf of the Funds, and (v) provide monthly reporting to Client, its Board, and CCO.

Exception management

  i. Communicate and follow-up with Intermediaries and Funds’ officers or designees on any identified exceptions to Funds’ market timing policies. Actions might include requesting that the Intermediary provide more information on trading practices of an account owner, restricting or prohibiting further purchases or exchanges by a specific Shareholder who or which had engaged in trading that violated a Funds’ market timing policies, or coordinating with Client and the distributor the termination of a selling group agreement.

 

k. Financial Intermediary Payment Administration

Asset Based Fees

  i. Receive and validate Intermediary Invoice against Average Daily Assets and Eligible Assets for the period.
  ii. Validate basis points on Invoice against selling agreement.
  iii. Validate against agreed upon tolerance.
  iv. Provide Fund with funding package for approval.
  v. Request funding from Custodian
  vi. FIS pays intermediary.

Per Account/Sub-Accounting Fees

  i. Receive Intermediary Invoice
  ii. Provide Fund with funding package for approval.
  iii. Request funding from Custodian
  iv. FIS pays intermediary.

 


 

ANNEX B TO ATTACHMENT 2

FIS shall provide the Services for the following Funds:

 

   

All Funds of the Lincoln Funds Trust

 


 

Attachment 3

FIS UNITED STATES DATA PROTECTION ATTACHMENT

“Aggregate Consumer Information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.

“Client Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Client, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise;

“Client Portal” means a self-service portal made available to Client’s designated representatives at Client’s request at https://my.fisglobal.com/vendor-management offering specific Client resources to help better manage its relationship with FIS, including information about FIS’ information security practices;

“Client Data” has the meaning set forth in Section 5.1 of the Order;

“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

“Data Processor” means any person or entity that Processes Personal Data on behalf of a Data Controller.

“Data Breach” has the meaning given to such term in Section 3.2.16 of Attachment 4.

“Deidentified Information” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information: (a) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household, (b) Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision, and (c) Contractually obligates any recipients of the information to comply with all provisions of this subdivision.

“Depersonalized Information” means Client Data and all information derived therefrom, that has been cleansed to remove Client’s name and any Personal Data;

“FIS Affiliate” means an entity: (a) that Processes Personal Data pursuant to the Order from or on behalf of Client or a Client Affiliate or a customer of Client or a Client Affiliate that is subject to the Privacy Laws; and (b) which owns or controls, is owned or controlled by, or is under common control or ownership with FIS, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.

“Order” means the FIS Transfer Agency Services Order incorporating this Data Protection Attachment.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Privacy Laws” means all applicable laws, currently in effect, relating in any way to the privacy, confidentiality, security, or protection of Personal Data in the United States. Without limiting the foregoing, Privacy Laws includes the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Personal Data Privacy and Online Monitoring Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”) (effective July 1, 2024), the Oregon Consumer Privacy Act (“OCPA”) (effective July 1, 2024), and the Montana Consumer Data Privacy Act (“MCDPA”) (effective October 1, 2024).

“Process” (and its derivatives) means any operation or set of operations performed upon Personal Data, whether or not by automatic means, including creating, collecting, aggregating, procuring, obtaining, accessing, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, restricting, erasing and/or destroying the information.

“Pseudonymized Information” means the processing of Personal Data in a manner that renders the Personal Data no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data is not attributed to an identified or identifiable consumer.

“Security Statement” means the FIS Security Statement set forth as Attachment 4 hereto.

“Sub-Processor” means any entity engaged by FIS to Process Personal Data on behalf of the Client.

“FIS Personnel” means any employees, agents, consultants or contractors of FIS, including FIS Authorized Recipients, as such term is defined in Section 5.1.5 of the Order.

“Services” means technology, software, products and services provided by FIS to the Client pursuant to the Order;

Capitalized terms not defined herein shall have the same meaning assigned to them in the Order.

Clauses:

1. In the course of FIS providing the Services under the Order, Client may, from time to time, provide or make Data available to FIS. The Parties acknowledge and agree that, in relation to any Personal Data provided or made available to FIS for Processing by or on behalf of Client or a customer of Client, as listed in Schedule 1, Client will be the Data Controller and FIS will be a Data Processor under all applicable Privacy Laws.

2. The Order determines the subject matter and the duration of FIS’ Processing of Personal Data, as well as the nature and purpose of Processing of Personal Data and the rights and obligations of the Client. FIS shall Process the Personal Data only in accordance with any lawful and reasonable instructions given by Client from time to time, as documented in and in accordance with the terms of the Order, unless FIS is otherwise required by applicable law, in which case FIS shall inform Client of that legal requirement before Processing relevant Personal Data. Client shall ensure that it is entitled to give access to the relevant Personal Data to FIS so that FIS may lawfully Process Personal Data in accordance with the Order on Client’s behalf. Client shall not do or omit to do anything which causes FIS (or any Sub-Processor) to breach any of its obligations under the Privacy Laws.

(a) FIS shall not sell Client’s Personal Data for any purpose other than for the specific purpose of providing Services under the Order.

(b) FIS shall not share Client’s Personal Data for Cross-Context Behavioral Advertising or Targeted Advertising, as those terms are defined in the Privacy Laws;

(c) FIS shall not retain, use, or disclose Client’s Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Order or administration of its rights and obligations under the Order.

(d) FIS shall not retain, use, or disclose Client’s Personal Data outside of the direct business relationship between Client and FIS with respect to the Order.

(e) FIS shall not combine Personal Data FIS receives from Client with consumer personal data FIS collects on its own interaction with consumers, except as permitted under the Privacy Laws.

(f) FIS certifies that it understands the restrictions of this Clause 2 and will comply with its restrictions.

3. Notwithstanding Clause 2 above, Client authorizes FIS to store and use all Client Data in order to provide the Services as required by the Order, to create Depersonalized Information or Deidentified Information, and for other purposes permissible under applicable local, state, federal, or international law, including the Privacy Laws, and to disclose Depersonalized Information, Pseudonymized Information, Deidentified Information, and Aggregate Consumer Information to third parties. Client agrees that FIS is entitled to disclose such Data and derived information to third parties, provided that any such third parties are bound by commercially reasonable confidentiality and non-disclosure restrictions. FIS’ rights with respect to Depersonalized Information, Pseudonymized Information, Deidentified Information, and Aggregate Consumer Information shall survive the termination of the Order.

4. FIS shall confirm that all FIS Personnel (including FIS Authorized Recipients) it authorizes to access the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only Process Personal Data in accordance with the instructions of Client.

5. Each Party shall take reasonable steps so that any natural person acting under its authority who has access to Personal Data does not Process said Personal Data except in accordance with the Order and this Attachment.

6. FIS shall promptly and without undue delay inform Client in writing of any requests from individuals with respect to Personal Data, including any request to exercise rights under Privacy Laws. Taking into account the nature of Processing and the information available to FIS, FIS shall provide reasonable cooperation and assistance to Client in fulfilling Client’s obligations to timely respond to requests to exercise rights with respect to Personal Data. FIS shall direct the requesting individual to submit the request directly to Client by contacting Client as described in Client’s website privacy notice and not further respond to such requests except as specifically requested by Client and in accordance with Client’s written instructions.

7. Taking into account the nature of Processing and the information available to FIS, FIS shall use commercially reasonable efforts to assist Client in complying with its obligations under Privacy Laws, including Client’s obligations to implement appropriate data security measures, carry out and document data protection assessments, and consult with regulators.

8. Subject to sections 5.7.2(c) and (d) in the underlying Order, Client acknowledges receipt of the current (as of the Effective Date of the Order) list of FIS Sub-Processors and agrees to the appointment or utilization by FIS of any listed Sub-Processor without the need for notice or prior approval. FIS will inform Client of any additions to or removals from the Sub-Processor list at least thirty (30) days in advance unless shorter notice is determined by FIS to be necessary in the circumstances (acting reasonably and in good faith), in which case FIS will give as much advance notice as possible in the circumstances and Client shall have the opportunity to comment thereon. FIS may appoint or utilize: (i) any FIS Affiliate (including individual consultants or contractors appointed by FIS or FIS Affiliates); or (ii) FIS Agents as Sub-Processors without the prior written consent of Client to perform any Services (or any part thereof) under the Order, provided that FIS shall provide prior written notice to Client of any FIS Agent that will have access to any Client Data and the opportunity to comment on such retention. Notwithstanding the foregoing and anything to the contrary herein, FIS shall seek prior approval of the use of FIS Agents to the extent applicable law requires prior approval by the Funds or the regulator of the Funds. FIS shall impose on each such Sub-Processor obligations that, in substance, are no less protective than those imposed on FIS under this Attachment. FIS shall remain fully responsible for its obligations under this Attachment and shall be liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by FIS. A list of Sub-Processors can be found on the Client Portal.
FIS shall: (a) ensure any FIS Authorized Recipients or Sub-Processors who access Personal Data are bound by appropriate obligations of confidentiality with respect to that Personal Data; (b) require or provide appropriate privacy and information security training at regular intervals; (c) take reasonable steps to ensure FIS Authorized Recipients or Sub-Processors do not Process Personal Information except on instructions from FIS; (d) ensure that it has in place policies and procedures designed to regulate developer access to production and UAT data; (e) reasonably cooperate with Client as reasonably required to assist Client with its legal obligations under applicable Privacy Laws (and Client shall reimburse FIS for its out-of-pocket costs reasonably incurred in connection therewith). FIS shall be fully responsible for all acts and omissions of FIS Authorized Recipients and Sub-Processors and for any failure of its Authorized Recipients and Sub-Processors to comply with all applicable obligations and responsibilities of FIS under this Order.

9. Subject to sections 5.7.2(c) and (d) in the underlying Order, FIS shall inform Client of any intended changes concerning the addition or replacement of other Sub-Processors not permitted hereunder, by making such information available to Client in the GDPR section of its Client Portal (and Client may subscribe to receive electronic notifications when such GDPR section changes). Client may object to such changes in writing setting out its reasonable concerns in detail within ten (10) business days from such notice. If Client does not respond to such changes, FIS shall have the right to continue to Process the Personal Data in accordance with the terms of this DPA, including using the relevant Sub-Processors. If Client objects, FIS shall consult with Client, consider Client’s concerns in good faith and inform Client of any measures taken to address Client’s concerns. If Client upholds its objection and/or demands significant accommodation measures which would result in a material increase in cost to provide the Services, FIS shall be entitled to increase the fees for the Services or, at its option, terminate the Order.

10. Taking into account the context of Processing, FIS shall implement reasonable and appropriate technical and organizational measures to protect Personal Data which measures shall be appropriate to the risk to the confidentiality, integrity, and availability of the Personal Data. FIS’ measures comprise those documented in its Security Statement.

11. Should FIS confirm a Data Breach that results in the loss of or unauthorized access to, use, or disclosure of Client’s Confidential Information in FIS’ possession or control, FIS shall provide Client with notification without undue delay, making all reasonable efforts to provide such notification within 24 hours of FIS’ confirmation of the described impact to Client’s Confidential Information and shall proceed in accordance with the procedures set forth in Section 3.2.16 of Attachment 4 (Security and Privacy Incident Response). The written notification shall be made by email sent to FIS’s relationship contact with Client and to privacy@lfg.com, and as otherwise provided in Section 5.12.1 of the Order. FIS shall, at its own expense, use commercially reasonable efforts to investigate, remediate, and rectify the Data Breach and mitigate its possible adverse effects in accordance with Section 3.2.16 of Attachment 4. Notwithstanding the foregoing, to the extent required by applicable law, FIS shall notify Client of any Data Breach that it reasonably believes to have occurred in accordance with the provisions of this paragraph and Section 3.2.16 of Attachment 4. The parties acknowledge and agree that nothing in the foregoing gives rise to an assumption that the NYDFS Cybersecurity Regulation applies to the Order.

12. Client is solely responsible for complying with data breach notification laws applicable to Client and fulfilling any third-party notification obligations related to any Data Breach. Solely to the extent that a Data Breach resulting in the unauthorized disclosure of or access to Client Data was the result of FIS’ failure to comply with its obligations under Subsections 5.7.1 or 5.7.2 of the Order, in addition to any other rights or remedies provided to Client in the Order with respect to FIS’ , FIS will pay or reimburse Client for (a) the reasonable out-of-pocket costs incurred by Client in the preparation and distribution of any notifications required by applicable data breach notification laws; and (b) the reasonable out-of-pocket costs incurred by Client in providing credit monitoring services to affected individuals for a period of one (1) year or for any other period required by applicable law, if longer. FIS’ notification of, or response to, a Data Breach under this Section is not an acknowledgement by FIS of any fault or liability with respect to the Data Breach. Client has the right, upon notice, to take reasonable and appropriate steps to stop and remediate FIS’ unauthorized use of Personal Data.

 

 


 

FIS shall, upon Client’s reasonable written request, make available to Client all information reasonably necessary to demonstrate FIS’ compliance with the obligations set out in this Attachment in relation to Personal Data that FIS Processes for Client. FIS and Client will use current certifications or other existing audit reports to minimize repetitive audits. Where required by Privacy Laws, Client shall be entitled to conduct a non-duplicative, dedicated audit visit in accordance with FIS’ then-current on-site audit guidelines. Any such audit shall be conducted virtually, unless otherwise agreed by the parties in writing. Client requests for an audit shall be made in writing at least sixty (60) days in advance, unless required sooner by a regulator, in which case Client shall provide substantiating documentation from such regulator in respect of any such audit request. All audit visits must be reasonable in scope and duration, and shall not last more than two (2) business days.

13. Through the FIS Client Portal, Client will have continuous electronic access to audit reports, attestations, and other detailed information regarding FIS’ internal systems testing and procedures, and FIS’ information security and data privacy controls. These audit materials evidence FIS’ compliance with industry and regulatory standards and include recent independent audits (such as SSAE 18’s), third-party attestations and certifications (such as ISO certifications, and PCI AOC’s), and detailed information and testing results regarding physical, technical and administrative controls utilized by the business lines within FIS and the security of Data.

14. FIS shall notify the Client if it determines it can no longer meet its obligation under applicable Privacy Laws.

15. Promptly, upon the expiration or termination of the Order, or such earlier time as Client requests, FIS shall delete (subject to reasonable technical limitations with regards to electronically stored information) or return, at Client’s choice, all Personal Data Processed on Client’s behalf to Client after the end of the provision of Services relating to Processing, subject to FIS retaining any copies required by applicable local, state, federal, or international law. Notwithstanding the foregoing, to the extent that reasonable technical limitations with regard to electronically stored information prevent FIS from deleting Personal Data, FIS shall delete or destroy in accordance with routine procedures and Personal Data will remain subject to non-use until the date of deletion or destruction.

16. FIS’ obligations under this Attachment shall survive the termination of the Order and the completion of all the Services subject thereto until Personal Data no longer remains in the possession, custody or control of FIS or a Sub-Processor.

17. If any provision of this Attachment is held invalid or unenforceable, the remaining provisions shall remain in effect.

18. In the event of a conflict between this Attachment and the Order, the more protective provision shall apply.

19. Unless otherwise prescribed by this Attachment, Client shall reimburse FIS for out-of-pocket costs reasonably incurred by FIS in performing its obligations under this Attachment, in each case except to the extent that such costs were incurred as a result of any breach by FIS of its obligations under this Attachment. If FIS seeks reimbursement for out-of-pocket costs under this section, then, except to the extent FIS, in its sole good faith discretion and taking into account the relevant facts and circumstances, determines that time is of the essence, FIS must provide (i) notice to Client that FIS intends to seek reimbursement prior to FIS incurring any out-of-pocket costs and (ii) an estimate to Client of FIS’s expected out-of-pocket costs prior to performing such assistance. Any work performed that FIS is reimbursed for under this section is considered a separate service.

20. Privacy Audit Trail. A privacy audit trail history must be retained for a minimum of six (6) months or longer as may be required by Privacy Laws.

 


 

Schedule 1

Services Provided by FIS and Business Purpose:

[LIST/ITEMIZE THEM ALL HERE]

Types of Personal Data Processed:

[LIST/ITEMIZE THEM ALL HERE]

Duration of Processing: for the Term in the Order and any amendments thereto.

 


 

Attachment 4

FIS SECURITY STATEMENT

Version 2024.July

 

1. INTRODUCTION

This Security Statement (“Statement”) summarizes FIS’ information security policies, procedures, processes and standards including its technical and organizational measures for the security of data (“FIS’ Information Security Practices”) and forms an integral part of the agreement between Client and FIS which incorporates this Statement by reference (“Agreement”). The Statement sets out FIS’ obligations with respect to information security and data protection in relation to the Agreement. To the extent of any conflict or inconsistency between the provisions of this Statement and any provision of the Agreement, the provisions of this Statement prevail and take precedence over such conflicting or inconsistent provisions.

FIS’ Information Security Practices are compliant with International Organization for Standardization ISO 27001:2022, are aligned to the NIST and CIS frameworks, and are designed to protect the security, confidentiality and integrity of Client Data, including Client Personal Data. FIS’ ISO 27001:2022 certification is available on the Vendor Management Resource Center on the Client Portal (as defined below) or upon request.

Additional information on FIS’ Information Security Practices is made available to Client under the Vendor Management Resource Center on the Client Portal or upon request. Such information is FIS’ Confidential Information.

 

2. ORGANIZATIONAL PRACTICES

FIS’ Information Security Department is responsible for developing and implementing FIS’ Information Security Practices. FIS maintains safeguards designed to prevent the compromise or unauthorized disclosure of, or access to Clients’ Confidential Information, Client Data including Client Personal Data, including loss, corruption, destruction or mis-transmission of Client’s Confidential Information, Client Data, including Client Personal Data.

FIS maintains FIS’ Information Security Practices that are designed to comply with (1) all applicable laws and industry best practices relating to the privacy, confidentiality and security of Client Data, including Client’s Confidential Information and Client Personal Data, to the extent applicable to FIS as a third-party service provider; (2) the requirements set forth in this Statement; and (3) all applicable provisions of FIS’ related policies, including but not limited to FIS’ Information Security Policy.

FIS’ internal and external auditors regularly review FIS’ Information Security Practices. Additionally, FIS performs regular security assessments to determine whether identified vulnerabilities, in particular as related to web and network environments, have been remediated. Security assessments include: diagnostic reviews of devices, internal and external penetration testing, assessments of applications with access to sensitive data, assessments of FIS’ various systems, and reviews of FIS’ Information Security Practices.

Periodic updates are made to FIS’ Information Security Practices pre-empting and responding to evolving information security threats. Such updates provide an equivalent or increased level of security compared to what is described in this Statement, and FIS will provide Client with a summary of material updates upon request. In no event shall FIS make any material changes to its Information Security Practices that reduce, limit, or adversely affect Client’s rights and/or FIS’ obligations under this Statement without the prior written consent of Client.

FIS implements reasonable administrative, technical, organizational and physical safeguards designed to: (i) provide for the security and confidentiality of Client Data, including Client Personal Data; (ii) protect against any anticipated threats or hazards to the security or integrity of Client Data, including Client Confidential Information and Client Personal Data; and (iii) protect against unauthorized access to or use of Client Data, including Client Confidential Information and Client Personal Data. FIS will review and test such safeguards on no less than an annual basis. FIS has processes for regularly testing, assessing and evaluating the effectiveness of its technical and organizational measures in order to verify the security of its processing. The measures are described throughout this Statement.

 

3. SECURITY CONTROLS

3.1 Access Control to Facilities

3.1.1 FIS Facility Restrictions

 


 

FIS uses a number of technological and operational approaches in its physical security program to mitigate security risks to the extent reasonably practicable. FIS’ security team works closely with FIS’ facilities teams at each FIS facility to confirm appropriate measures are in place to prevent unauthorized persons from gaining access to systems within which data is processed. FIS’ security team also continually monitors any changes to the physical infrastructure, business, and known threats which may impact the physical security of FIS work sites.

Access to FIS facilities is restricted and monitored using controls such as badge access, camera coverage, door alarms and guards. Badges and keys are only distributed in accordance with documented organizational procedures. Visitors are screened prior to admittance, are provided a visitor badge, and in sensitive areas require an escort in accordance with FIS’ Corporate Security Policy. Alarm systems are in place to notify appropriate individuals of potential threats. FIS regularly tests its emergency procedure protocols.

Physical security measures implemented at FIS facilities are designed to protect employees, contractors, visitors, and assets. Physical security consists of a combination of physical barriers, electronic access and monitoring systems, security officers and procedures for controlling access to buildings and sensitive or restricted areas. Physical security is staffed 24 hours a day, seven days a week at all data center facilities used by FIS in the provision of the Solution. Secure shred bins or shredders are provided for the proper disposal of hard copy documentation and other small media at FIS facilities.

An access control system utilizing individual badge identification, doors protected by an electronic badge reader or locked with limited access to the physical key, closed circuit camera monitoring, and onsite physical security guards stationed in strategic locations are utilized to provide facility physical security and protection. Physical access to FIS buildings, office spaces and certain secured areas within FIS facilities are controlled by an electronic access control system. The system provides for real-time monitoring of all electronic badge accesses across the monitored facility, requires physical security officer acknowledgement of system identified error codes or issues, and is tied to centralized servers communicating the exact date and time stamp for each entry (utilizing network time protocol). Automated database backups are performed daily and are replicated on the secondary server.

For data centers, FIS maintains automatic early-warning sensors (e.g., fire, water, temperature and humidity), independent air conditioning systems and fire suppression systems. Mission-critical hardware is protected by an emergency power supply system with batteries and backup generators. Hazardous or highly combustible materials are kept at a safe distance from information assets.

3.1.2 Client Location Policies and Client Location Access

While FIS personnel are performing Professional Services at Client’s site, FIS will ensure that such personnel comply with Client’s security policies and procedures that are generally applicable to Client’s other suppliers providing similar services and that have been provided to FIS in writing in advance. If FIS personnel receive access cards or keys that provide them with access to Client’s premises, FIS shall take reasonable measures designed to ensure that (a) such access cards and/or keys are only used for their intended purpose; (b) are protected from access by unauthorized third parties; (c) are promptly returned to Client once the Professional Services have been completed; and (d) any loss is reported to Client without undue delay.

3.2 Logical Controls and Security

FIS has a dedicated group that is responsible for overseeing operational security, network security, host and server security, applications and system development, patch and vulnerability management, authentication and remote passwords, encryption, passwords and monitoring systems (collectively, “Logical Controls and Security”). FIS has documented protocols for all Logical Controls and Security including the following:

3.2.1 Employees

FIS conducts (at the time of hire) a background check for each FIS employee who is involved in the provision of the Solution and/or performing Professional Services. Currently, the background check in the United States of America consists of, at a minimum, verification of the highest level of education completed, verification of employment (as allowed by applicable law), Social Security Number trace and validation, and a check of U.S. Government Specially Designated National (OFAC) and other export denial lists. Background checks outside of the United States consist of similar reviews to the extent allowed by local laws of each country. FIS complies with all applicable laws related to the background check, including required notices and applicable consents. FIS will not assign any employee to the provision of the Solution and/or Professional Services if his/her background check findings do not meet the standards established by FIS.

 


 

FIS assigns all employees mandatory security and privacy awareness training on an annual basis. FIS requires all employees with access to sensitive information to follow a clean desk and clear screen standard such that the information is controlled and/or protected at all times. FIS has formal disciplinary procedures in place to address policy violations. A terminated employee’s access to FIS facilities and FIS systems containing Client Data, including Client Personal Data is suspended upon termination.

3.2.2 Network Security

FIS employs a defense-in-depth model when building networks in a multi-tiered approach and uses separate layers of presentation, business logic and data when considered necessary. Connection between networks is limited to those ports, protocols and services required for FIS to support, secure, monitor and provide the Solution.

FIS uses Network Intrusion Detection and/or Prevention Systems to monitor threats to the FIS environment. Where all, or part of, the Solution is provided using online services (i.e., accessible via the internet), FIS deploys a web application firewall (WAF) and controls designed to protect against distributed denial of service (DDoS) attacks. For remote access to FIS’ systems and networks, FIS requires the use of multi-factor authentication. Privileged access to the internal FIS technology environment requires network access control (NAC) which evaluates the security posture of the connecting device.

FIS does not intentionally create back doors or similar programming that could be used to access the Client Data, including Client Confidential Information and Client Personal Data, without Client’s permission.

Except as required by applicable law, FIS shall not create or change its business processes with the intention to facilitate access to Client Data, including Client Confidential Information and Client Personal Data, by any government without Client’s permission.

FIS may from time to time in its reasonable discretion block attempted access to the Solution from technology of individuals, entities, or governments which FIS reasonably believes may pose a threat to the Solution, systems or clients (such technology, “Suspicious Technology”). Due to the unknown timing of cyber threats, FIS may not be able to provide Client prior notice of blocking the Suspicious Technology, and it may impact the availability of the Solution. If Client is adversely affected, FIS will make reasonable efforts to resolve any impacts to Client as long as FIS can reasonably prevent any ongoing threats to the Solution, systems and clients. FIS will make information regarding this practice available to Client on the Client Portal or upon request.

3.2.3 Host and Server Security

FIS hardens its operating systems in accordance with industry security standards and procedures. FIS’ hardening standards are based on the Center for Internet Security (CIS) standards. For example, FIS requires that all default passwords are changed, unneeded functionality is disabled or removed, the concept of “least-privileged” access is adhered to, file permissions do not include world writeable ability, administrative or “root” access is limited to the console only, and only those network ports that are necessary to provide the Solution are opened. For database installations, FIS uses security at a table and row level, based upon the placement of a system and its role in the environment.

Access to FIS’ operating systems is limited to those individuals required to support the system including where privileged access is restricted and controlled. FIS has implemented appropriate change management processes. Servers and workstations are enabled with auto-locking (password-protected) screensavers that activate after a period of inactivity. Installation of personal software is not allowed. Local administrative rights are not permitted on FIS’ end user computing devices.

3.2.4 Anti-virus, anti-malware, anti-spyware, PC controls

FIS requires that anti-virus, anti-malware, anti-spyware, and event detection and response (EDR) software is enabled on its operating systems when they are available and supported by a commercially available solution. FIS PCs and laptops have industry standard controls including disk encryption, access management, whitelisting, anti-virus/anti-malware, and administrative controls.

3.2.5 Applications and Systems Development

 

 


 

FIS uses System Development Lifecycle and system change procedures, which include requirements for code review and secure coding practices. Development and testing environments are segregated and firewalled from FIS’ production environment. Version control software is utilized for the management and deployment of code through appropriate support groups. FIS applies measures for verifying system configuration, including default configuration. FIS considers data protection issues as part of the design and implementation of systems, services, products and business practices (Privacy by Design).

3.2.6 Electronic Mail

FIS scans incoming emails, embedded links and attachments prior to allowing them into the FIS environment. FIS also uses industry standard software to control what files are allowed or blocked as attachments to protect against malicious executable files being delivered and/or opened. FIS configures email domains with industry standard anti-phishing technologies such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

3.2.7 Vulnerability & Patch Management

FIS employs reasonable efforts to identify and remediate or mitigate vulnerabilities in the Solution in accordance with FIS’ Vulnerability Management Policy. This includes weekly network scanning of FIS’ public internet facing infrastructure and monthly network scanning of FIS’ non-public internet facing infrastructure. FIS, in its sole discretion, may pause or otherwise modify the scanning schedule to accommodate peak volume periods or resolve performance issues associated with scanning. FIS will perform scanning of FIS developed source code and related libraries for the presence of vulnerabilities in currently supported versions of the Solution. FIS undertakes reasonable efforts to remediate or mitigate critical vulnerabilities within 0-14 days of FIS becoming aware of the vulnerability. A critical vulnerability is defined as a public internet exposed vulnerability which has been validated as remotely exploitable and has a CVSS score >9. FIS will make reasonable efforts to meet the vulnerability remediation targets defined within FIS’ vulnerability management policy. Such policy conforms to industry standards and generally applied best practices.

3.2.8 Bug Bounty Program

FIS maintains a public bug bounty program to encourage responsible disclosure of discovered vulnerabilities in the Solution, which is the “FIS Bug Bounty Program”; participating in the FIS Bug Bounty Program shall be subject to conditions set forth by FIS at its discretion, to be updated from time to time. Subject to Client’s participation in the FIS’ Bug Bounty Program as described at the following link: https://bugcrowd.com/fis, FIS will pay financial “bounties” to clients who identify and report vulnerabilities in accordance with the FIS’ Bug Bounty Program requirements.

3.2.9 Client Security Testing

FIS permits and encourages Clients to evaluate, test, and monitor the security of the Solution at Client’s expense, as set out below. Any testing not explicitly allowed by this Section is not permitted.

Scanning

Client may perform automated scanning of FIS’ public internet exposed Solutions. FIS may block or otherwise interfere with Client’s scanning activity, as deemed appropriate and necessary by FIS in its sole discretion. FIS will not provide a response to Client’s scan results, although confirmed exploitable vulnerabilities identified via Client’s scanning activity may be submitted to FIS’ Bug Bounty Program as outlined in paragraph 3.2.8.

Ethical Hacking

Client may conduct ethical hacking of FIS’ public internet exposed Solutions subject to the terms of FIS’ Bug Bounty Program. Vulnerabilities identified through such tests must be promptly submitted to FIS as documented in FIS’ Bug Bounty Program. FIS may block or otherwise interfere with client/customer ethical hacking, as deemed appropriate and necessary by FIS in its sole discretion. FIS will not be liable for Client’s inability to access its product or service as a result of Client’s performance of security testing.

3.2.10 Authentication

 

 


 

The level of authentication required to access a particular FIS environment is based on the type of data protected within that environment. FIS permits only authorized persons to access any FIS systems in accordance with FIS’ Information Security Policy. User authentications (i.e., username and password) are bound to the respective user and may not be shared. The use of an emergency user account must be documented and logged. Remote access to FIS’ systems requires the use of multi-factor authentication.

3.2.11 Passwords

FIS requires the use of complex passwords. FIS’ password controls do not allow the previous ten (10) passwords to be used, and current passwords expire at regular intervals. Remote access to FIS’ systems requires the use of multi-factor authentication. User accounts are locked after a defined number of abortive or unsuccessful logon attempts. If a password is possibly disclosed, it is changed without undue delay. Using a documented procedure, FIS employs processes to minimize the risk of unauthorized or no longer needed user accounts in the systems and audits user accounts to determine that access that is no longer required is revoked.

3.2.12 Data Classification, Retention, and Controls

FIS’ Information Classification Policy addresses the confidentiality, integrity, security, and availability of Client Data. Client data retention and disposal are to be stipulated in the contract to meet business requirements. All FIS employees and vendors with access to Client Data including Client Confidential Information and Client Personal Data are required to comply with secure deletion standards in alignment with the latest NIST Guidelines for Media Sanitization. FIS will store Client Data, including Client Confidential Information and Client Personal Data, only for as long as necessary to achieve the purposes for which it was collected, for a contractually committed time period as set forth in the Agreement or in accordance with applicable laws and thereafter delete it in accordance with the secure deletion standards.

FIS takes reasonable steps to determine access to Client Personal Data. FIS’ Enterprise Identity and Access Management Policy is based on the “principle of least privilege,” which calls for authorized users to access only the minimum level of Client Personal Data required to satisfy the user’s job responsibilities. Where required, FIS will take adequate steps to keep Client Personal Data relating to different clients or purposes separate.

3.2.13 AI Systems

FIS will use Artificial Intelligence (“AI”) to responsibly and ethically drive innovation while prioritizing and maintaining the security and privacy of relevant parties, all as described in this Section. FIS follows a defined set of principles and a formal approval process in the development and use of AI systems and tools. FIS is committed to developing, maintaining and using AI systems and tools that are designed to:

• comply with applicable laws and regulations, including privacy, data protection, and AI laws;
• preserve the intellectual property rights of FIS and those of third parties;
• process data with a high degree of accuracy, quality, and integrity;
• meet the objectives of the AI system’s or tool’s intended use while minimizing errors;
• prevent unauthorized access to or use of the AI system or tool;
• provide required notifications and information to users of AI systems and tools regarding its use and oversight;
• be controlled and monitored by humans; and
• respect human dignity and personal autonomy, promote equal access, and avoid bias.

FIS will regularly review and assess its use of AI and its security controls to ensure ongoing compliance with this Section.

3.2.14 Encryption

FIS’ Encryption Policy aligns with industry standards. FIS encrypts data at rest that is Client Data including Client Confidential Information and Client Personal Data where technically feasible with reasonable effort. Data is encrypted based on data classification policies and standards. FIS will use encryption key lengths that meet current NIST FIPS 140-2 standards where possible. FIS policies require that FIS shall not transmit any unencrypted Client Data including Client Confidential Information and Client Personal Data over the internet. Specific algorithm and other minimum key lengths are specified within FIS’ policy.

3.2.15 Monitoring Systems and Procedures / Logging

FIS uses a real-time event management system to monitor its networks and servers via system logs, intrusion detection/prevention systems, data loss prevention, file integrity monitoring and firewall logs on a 24-hour per day, 7 days a week, 365 days a year basis. FIS will perform reasonable logging, monitoring, or record keeping of user activity, including but not limited to where applicable administrator access, login attempts, hostnames/IP addresses of connections, date and time of connections where legally permissible and in accordance with FIS’ applicable information retention standards.

FIS operates a 24/7/365 security operations center which monitors and responds to security threats.

FIS shall securely collect, monitor and retain event logs so access to Confidential information and systems can be traced. FIS shall provide mutually agreed upon logs to Client upon request. The summary will advise root cause of the incident and the mitigating actions taken to bring the incident to a satisfactory conclusion.

3.2.16 Security and Privacy Incident Response

The FIS Security Incident Response Team (FSIRT) is responsible for investigating and responding to confirmed security incidents impacting FIS technology. FSIRT is staffed 24/7/365 with cyber security response experts and is authorized to take the necessary actions to contain and respond to a cyber security incident. Client may review FIS’ Security Incident Response Plan, which is available on the Client Portal or upon request. The FSIRT Security Incident Response Plan documents the processes and procedures of FSIRT. If Client becomes aware of a security incident impacting FIS’ technology, Solutions, Client should contact FSIRT at FSIRT@fisglobal.com.

The FIS Privacy Incident Response Team (PIRT) employs a coordinated incident response approach, leading a specialized form of privacy compliance protocols that respond to and investigate privacy incidents. Client may review FIS’ Privacy Incident Response Plan, which is available on the Client Portal or upon request. By utilizing a coordinated approach, FIS mitigates, contains, and reduces the potential of any negative impact or risk associated with these incidents. PIRT is responsible for triaging and leading all investigations, as well as verifying documentation and facilitating communication amongst all stakeholders when potential and confirmed privacy incidents are identified. PIRT confirms FIS is timely in its identification, containment, and mitigation of privacy incidents as well as maintaining compliance with all applicable legal requirements. If Client becomes aware of a privacy incident impacting FIS’ technology, Solutions, Client should contact PIRT at PIRT@fisglobal.com.

Should FIS confirm a security incident or privacy incident that results in the loss of or unauthorized access to, use or disclosure of Client Confidential Information in FIS’ possession or control (such an incident a “Data Breach”), FIS shall provide Client with notification without undue delay, making all reasonable efforts to provide such notification within 24 hours of FIS’ confirmation of the described impact to Client’s Confidential Information. The notification shall summarize, in reasonable detail, to the extent possible and to the extent known, the nature and scope of the Data Breach and if known, the corrective action already taken or planned by FIS. Notwithstanding the foregoing, to the extent required by applicable law, FIS shall notify Client of any Data Breach that it reasonably believes to have occurred in accordance with the provisions of this paragraph and Para. 11 of Attachment 3. The parties acknowledge and agree that nothing in the foregoing gives rise to an assumption that the NYDFS Cybersecurity Regulation applies to the Order. FIS shall promptly take all reasonable and necessary actions to end the Data Breach, mitigate its impact, and prevent recurrence. FIS shall cooperate with Client in the investigation of the Data Breach and shall promptly respond to Client’s reasonable inquiries about the Data Breach. FIS shall provide to Client regular updates regarding such Data Breach, and at the conclusion of the investigation, FIS shall provide to Client, to the extent possible and to the extent known, a report detailing the Data Breach, its impact, and the mitigation and/or remediation steps taken by FIS. Based on the nature of the incident, FIS will perform this investigation internally using the FSIRT/PIRT team or with a third-party forensic firm of FIS’ choosing. Client may request that a third-party forensic firm performs a review, at Client’s sole expense, and FIS will negotiate in good faith with Client to select a mutually agreeable third party firm and perform the related review.

The parties acknowledge and agree that this Section does not require notice of unsuccessful security incidents, as described below. “Unsuccessful security incidents” means, without limitation, pings and other broadcast attacks on FIS’ firewall, port scans, unsuccessful log-on attempts, unsuccessful denial of service attacks, unsuccessful exploit attempts, and any mix of the above, so long as no such incident results in unauthorized access, use or disclosure of Client Confidential Information. FIS and Client shall mutually agree upon any external communications that specifically name Client in response to a data breach impacting Client systems or Client Confidential Information including Client Confidential Information and Client Personal Data. Nothing in this Section shall prevent FIS from making any notifications or notifying third parties and/or regulators of any incident, cyber-attack, or Data Breach, which may be required under applicable laws, regulations, by such regulator, or in accordance with any client contracts. FIS will not inform any third party of a data breach naming Client without first obtaining Client’s prior written consent, unless and to the extent FIS is otherwise required to provide notice by law and/or regulator.

FIS shall conduct forensic investigation following a data breach when FIS and Client mutually agree it is necessary and conduct any investigations in accordance with legal requirements for preserving evidence. Any forensic investigation will be conducted in a timely manner and will maintain the appropriate chain of custody.

3.2.17 Ransomware

FIS has robust controls in place to protect against ransomware. These controls are regularly tested and validated, providing FIS confidence that we have minimized the risk of a ransomware attack. FIS also regularly tests its ability and processes to respond to a ransomware attack. In the event of a ransomware attack, FIS will recover (rebuild) from trusted backups.

3.2.18 Work from Home

Employees will have only the access rights required for their role. All logical controls remain in place, including the following:

• Working remote means working from a private, reasonably secure location, such as a home, apartment or flat. Working in a public location such as an internet café is not allowed.

• Workers must use FIS-owned and managed laptops that are imaged by FIS and have all of the standard controls including disk encryption, access management, whitelisting, anti-virus/anti-malware, and administrative controls.

• Workers must access FIS networks using multi-factor authentication, network access control, and VPN.

• Navigation of FIS networks must have the same or more stringent controls as from the office, such as the use of hardened intermediary devices to access highly sensitive environments.

In the case where workers are accessing client networks and assets, they must do so based on client connection requirements (for example, virtual desktop infrastructure) and strictly follow client protocols.

3.2.19 Industry Hot Topics

Industry Hot Topics are published on the Vendor Resource Management Center within the FIS Client Portal. Keeping FIS’ clients informed of high-profile potential issues or new security and risk developments is a key tenet of FIS’ partnership with its clients. To help educate clients on these high-profile industry hot topics, FIS has developed a downloadable document that provides:

• A definition of each issue

• FIS’ response to the issue

• FIS’ recommendations for client action

4. BUSINESS CONTINUITY AND DISASTER RECOVERY

FIS has a Global Business Resilience (“GBR”) program and maintains recovery and response plans (“Plans”) designed to minimize the risks associated with crisis events affecting FIS’ ability to provide the Solution. Plans are designed to maintain a consistent provision of the Service(s) in the event of a crisis incident affecting FIS’ operations. FIS’ GBR program meets the FFIEC business continuity guidelines and the PS-Prep / ISO 22301 business continuity international standards or similar equivalent standard.

FIS’ collection of comprehensive and coordinated Plans are designed to address the agreed crisis response, continuity, and recovery needs for the Service(s), including recovery time objective (“RTO”) and recovery point objective (“RPO”).

FIS provides a summary of the GBR program in the Client Portal or upon request. FIS’ RTO and RPO for the Solution are as set forth in such summary (or as set forth in the Agreement, with any RTO and RPO in the Agreement prevailing over such summary). FIS maintains adequate backup procedures in order to recover Client Data to such RPO and within the RTO. FIS validates the efficacy and viability of its Plans at least annually to confirm viability and provide assurance of resilience capabilities as well as the readiness of Plans’ participants. Recovery exercise results are provided via the Client Portal or upon request.

 


 

5. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

For FIS’ products that require compliance with the then current version of the Payment Card Industry Data Security Standard (“PCI DSS”), FIS will maintain compliance with the then current version of the PCI DSS throughout the term of the Agreement and shall make available, via the Client Portal or upon request, evidence of certification of compliance to Client.

 

6. VENDOR MANAGEMENT

FIS has an established Vendor Risk Management Program that uses subject matter experts from across the enterprise to determine FIS’ suppliers’ criticality and ability to meet business and control requirements throughout the lifecycle of the relationship.

FIS conducts a risk assessment for all third-party suppliers engaged in the provision of the Solution to validate compliance with FIS’ standards. FIS’ risk assessment requires suppliers to confirm if they have appropriate contracts in place with their vendors that store, process, transmit, manage or access Client Data, including Client Confidential Information and/or Client Personal Data. FIS only allows such third-party suppliers to access, store, transmit, manage, or process Client Data, including Client Confidential Information and Client Personal Data, to the extent permissible under the Agreement and applicable laws.

FIS requires its suppliers who process Client Data to agree to data protection agreements to oblige such suppliers to comply with applicable data protection laws. Such suppliers shall, at a minimum, implement appropriate technical and organizational measures to verify a level of security appropriate to the risk. FIS’ suppliers must cooperate upon reasonable request in order to assist FIS with its compliance with applicable privacy laws.

FIS maintains a list of all third-party suppliers with access to Client Personal Data on the Client Portal.

 

7. DATA MINIMIZATION

Client is responsible for verifying Client Data, including Client Confidential Information and Client Personal Data, provided to FIS for processing or other purposes under the Agreement is accurate, current, adequate, of appropriate quality, relevant, minimal, and not excessive.

 

8. DEFINED TERMS

As used in this Statement, the following terms have the following meaning, and all other capitalized terms shall have the meaning as defined in the Agreement:

“Client Data” has the meaning set forth in Section 5.1.9 of the Order.

“Client Personal Data” means any Personal Data provided by Client to FIS, or on Client’s behalf, for the purpose of FIS providing the Solution to Client pursuant to the Agreement.

“Client Portal” means a self-service portal made available to Client’s designated representatives at Client’s request at https://my.fisglobal.com/vendor-management offering specific Client resources to help better manage its relationship with FIS, including information about FIS’ Information Security Practices.

“Confidential Information” has the meaning set forth in Section 5.1.13 of the Order.

“Personal Data” is any information relating to an identified or identifiable natural person.

“Professional Services” means programming, training, consulting, implementation and other professional services provided by FIS to Client.

“Solution(s)” means the software and/or services including SaaS and hosting services (as applicable) being provided by FIS to Client under the terms of the Agreement.

 

 
