STAKING & DELEGATION SERVICES AGREEMENT
This Staking & Delegation Services Agreement (the “Agreement”) dated November [__], 2025 (the “Effective Date”) is between Galaxy Blockchain Infrastructure LLC, a Cayman Islands limited liability company having its registered address at Maples Corporate Services Limited, PO Box 309, Ugland House, Grand Cayman, KY1-1104, Cayman Islands (“Galaxy”) and Invesco Galaxy Solana ETF, a Delaware statutory trust located at 3500 Lacey Road, Suite 700, Downers Grove, IL 60515 (“Delegator”).
WHEREAS, some blockchain protocols achieve consensus among distributed nodes through a system known as “proof-of-stake” in which holders of tokens native to the protocol may stake and/or delegate their tokens with a validator node to participate in the consensus validation process;
WHEREAS, to incentivize staking and validation, proof-of-stake systems programmatically allocate tokens as rewards for performing validation processes;
WHEREAS, Galaxy offers non-custodial validation-as-a-service to qualified token holders through Galaxy’s proprietary hardware and computational systems that facilitate validation and staking processes on certain blockchain protocols;
WHEREAS, Delegator wishes to delegate the staking of its tokens to Galaxy on the terms of this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereby agree as follows:
The definitions for some defined terms used in this Agreement are set forth below. Other terms may be defined elsewhere in this Agreement.
1.1 “Agreement” means this Staking & Delegation Services Agreement and includes the Supported Blockchain Terms and all the schedules attached hereto, as any of the same may be updated,
supplemented, and amended from time to time.
1.2 “Affiliate” means, with respect to any entity, any other entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control
with, such entity. The term “control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of
voting securities, by contract, or otherwise.
1.3 “Blockchain Protocols” means any protocols or operations of the Supported Blockchain, including the rules governing the validation and inclusion of transactions in the Supported Blockchain.
1.4 “Confidential Information” means: (i) with respect to Galaxy, the Platform, the Website, and any and all
source code relating thereto and any other non-public information or material regarding its legal or business affairs, financing, customers, properties, pricing, or data; and (ii) with respect to Delegator, any non-public information or material
regarding Delegator's legal or business affairs, financing, customers, properties, or data. Notwithstanding any of the foregoing, Confidential Information does not include information which: (a) is or becomes public knowledge without any action by,
or involvement of, the Party to which the Confidential Information is disclosed (the “Receiving Party”); (b) is known to the Receiving Party prior to its
disclosure by the other Party (the “Disclosing Party”); (c) is independently developed by the Receiving Party without reference or access to the
Confidential Information of the Disclosing Party; or (d) is obtained by the Receiving Party without restrictions on use or disclosure from a third party not known to the Receiving Party to be subject to or to owe a legal, contractual or other duty
of confidentiality to the Disclosing Party.
1.5 “Delegator Wallet” means the digital asset wallet associated with the relevant Tokens to be delegated by Delegator.
1.6 “Law” means any national, provincial, international, federal, state, county, and local statute, law, ordinance, regulation, rule, code, and order applicable to a Party.
1.7 “Missed Rewards” means Delegator’s Rewards that would have been received but for the failure of Galaxy to sign blocks for a Supported Blockchain when performing Services in its role as a validator,
unless such failure was due to a Force Majeure Event.
1.8 “Net Rewards” means the sum of the Rewards minus the Service Fee, as such term is defined in Section 5.1 below.
1.9 “Party” means Galaxy or Delegator, as applicable; and “Parties” means, together, Galaxy and Delegator.
1.10 “Person” means any individual, organization, business, partnership, trust, entity, corporation, or government.
1.11 “Platform” means Galaxy's proprietary computational infrastructure or platform that it uses to perform the
Services.
1.12 “Prohibited Content” means content that: (i) is illegal under Law; (ii) violates any third party's intellectual property rights, including copyrights, trademarks, patents, and trade
secrets; (iii) contains indecent or obscene material; (iv) contains libelous, slanderous, or defamatory material, or material constituting an invasion of privacy or misappropriation of publicity rights; (v) promotes unlawful or illegal goods,
services, or activities; (vi) contains false, misleading, or deceptive statements, depictions, or sales practices; or (vii) contains viruses, Trojan horses, worms, or any other harmful, malicious, or hidden procedures, routines, mechanisms, or
code.
1.13 “Public Rate” means the standard, publicly-available rate programmatically transferred to Galaxy for providing the technological infrastructure and support services in providing
validation Services to each Supported Blockchain to earn Rewards.
1.14 “Rewards” or “Staking Rewards” means with respect to any Tokens staked by Galaxy in accordance with this Agreement on behalf of Delegator, any
rewards allocated by the Supported Blockchain in respect of such staked Tokens, including block rewards, endorser rewards, and transaction fees (including, for the avoidance of doubt, fees received from maximal extractable value), in each case as
actually allocated to Delegator by the Supported Blockchain and received in connection with the performance of the Services.
1.15 “Representatives” means, in respect of a Person, such Person’s Affiliates and its and their officers, directors and employees, as applicable.
1.15 “Slashing Penalties” means any penalty imposed by the Supported Blockchain.
1.17 “Slashing Reimbursements” means the payment by Galaxy to Delegator of an amount equal to any
Slashing Penalties, subject to Section 5.6.
1.18 “Sponsor” means Invesco Capital Management LLC.
1.19 “Supported Blockchain” means the distributed ledger maintained by any proof-of-stake based blockchain network on which Galaxy
may exercise Token Rights delegated to it by Delegator. Each Supported Blockchain has its own protocols and terms. Supported Blockchains and some applicable terms are identified in the Supported Blockchain Terms.
1.20 “Supported Blockchain Terms” means certain terms in respect of the delegation of Tokens of each Supported Blockchain. The Supported
Blockchain Terms are subject to the Blockchain Protocols and changes of such protocols imposed by the respective Supported Blockchain. Supported Blockchain Terms are set forth in Schedule A.
1.21 “Token” means any token (whole or fractional) that Delegator has delegated to Galaxy in
accordance with the protocol of the applicable Supported Blockchain.
1.22 “Token Rights” means, together, Validation Rights and Voting Rights.
1.23 “Validation Rights” means rights of a Token owner to validate and sign the next definitive serial transaction record on a Supported Blockchain.
1.24 “Voting Rights” means rights of a Token owner to vote upon proposals related to the operation and governance of the respective Supported Blockchain.
1.25 “Website” means www.galaxy.com.
2.1 Subject to the protocols of the Supported Blockchains and unless otherwise provided in the Supported Blockchain Terms, by interacting directly with the protocols of a Supported Blockchain:
(a) Delegator may delegate any number of the relevant Tokens to Galaxy at any time during the Term; and
(b) Delegator may initiate the process of withdrawing such Tokens at any time.
2.2 Galaxy may add additional Supported Blockchains to this Agreement. Any additional Supported Blockchains shall be indicated in Schedule A, including applicable terms for such Supported Blockchain(s).
2.3 Galaxy may choose to discontinue support of any existing Supported Blockchain by providing no less than sixty (60) calendar days’ written notice to Delegator, which may be provided via email, that such support shall be discontinued.
2.4 Delegator shall not delegate any Tokens to Galaxy hereunder if Delegator reasonably expects that any condition described in Section 6.1(b) to and including (e) is not satisfied, and, in
the event that any such condition ceases to be satisfied, then Delegator shall reasonably promptly deliver written notice of the same to Galaxy.
3.1 Services. Subject to the terms of this Agreement, Galaxy will provide the following services (together, the “Services”):
(a) stake the relevant Tokens by exercising the Validation Rights in a manner intended to generate Rewards;
(b) Delegator will rely on Galaxy to perform the Services, subject to the duty to perform the Services in a commercially reasonable manner intended to maximize the amount of Net Rewards receivable by Delegator, to the
extent legally permissible and subject to Galaxy’s internal regulatory and legal compliance policies, in accordance with this Agreement in a safe and sound manner; provided that, at all times, Delegator shall have the discretion whether to
delegate its Tokens to Galaxy for Galaxy to perform the Services in respect of the relevant Supported Blockchain; and
(c) provide the Services in a manner that meets or exceeds the service levels set forth in Schedule B attached
hereto; provided that Galaxy shall perform all Services not otherwise subject to a service level requirement in accordance with leading industry standards.
3.2 Restriction. Galaxy will not, directly or indirectly, lend, pledge, encumber, hypothecate or rehypothecate any Tokens staked or delegated under this
Agreement.
4. WITHDRAWAL & UNBONDING
4.1 Tokens withdrawn by Delegator may be subject to unbonding periods imposed by the protocols of the relevant Supported Blockchain.
4.2 Pursuant to the protocols of certain Supported Blockchains, Tokens and Net Rewards may be unavailable to Delegator during the unbonding periods and subject to other restrictions imposed by the Supported Blockchain.
5.1 Determination of Service Fees.
(a) The Parties understand and acknowledge that each Supported Blockchain will programmatically determine the quantum of Rewards that will be allocated to Galaxy for staking and transaction validation Services based on the relevant Public
Rate.
(b) The Parties understand and agree that a portion of the Rewards will be used to compensate Galaxy for providing the technological infrastructure and support services in providing such validation Services to
each relevant Supported Blockchain to earn Rewards, which may differ from the Public Rate (the “Service Fee”).
(c) The Service Fee in respect of each Supported Blockchain shall be mutually agreed upon by Galaxy and Delegator, as indicated in the Supported Blockchain Terms.
5.2 Transfer of Net Rewards.
(a) The Parties acknowledge that the performance of the Services by Galaxy with respect to each relevant Supported Blockchain is intended to result in the transfer of:
(i) the Service Fee to Galaxy; and
(ii) Net Rewards to Delegator,
in each case in accordance with the relevant Supported Blockchain Terms.
(b) Galaxy and Delegator will transfer the applicable Net Rewards on a monthly basis, as agreed upon by the Parties.
(c) The Net Rewards will be in the same denomination as the Tokens that Delegator delegated to Galaxy under this Agreement, unless otherwise agreed between the Parties in
writing, or as otherwise set forth in the protocols of the relevant Supported Blockchain.
(d) This Section 5.2 shall be subject to the applicable Blockchain Protocol and any variations to Section 5.2 under the Supported Blockchain Terms.
5.3 Rewards Not Guaranteed. Delegator acknowledges that the transfer of Rewards by the relevant Supported Blockchain is not guaranteed (even if Galaxy performs the Services properly and in accordance with this Agreement), and that Galaxy is not responsible for any failure by the relevant Supported Blockchain to transfer Rewards to
Galaxy or Delegator, or for any loss or destruction of Rewards or transfer by the relevant Supported Blockchain of Rewards to the incorrect Delegator Wallet or other wallet address of Delegator (unless such loss, destruction or incorrect transfer
was caused by the gross negligence, fraud, or willful misconduct of Galaxy). For the avoidance of doubt, nothing in this Section limits Galaxy’s obligations or liability
with respect to Missed Rewards as set forth in Section 14.3.
5.4 Slashing. Galaxy will take all commercially reasonable steps to avoid the slashing of any Token delegated to it by Delegator hereunder. The slashing risk of any
Supported Blockchain, as made known by that Supported Blockchain, will be identified in the Supported Blockchain Terms.
5.5 Slashing Reimbursement. Galaxy will make payment, directly to the applicable Delegator Wallet, of a Slashing Reimbursement for
any Slashing Penalty (except for a Slashing Penalty that is solely the result of a protocol-wide malfunction of a relevant Supported Blockchain) assessed against a Delegator Wallet in connection with Galaxy’s
Services, subject to Section 14.2 and the Supported Blockchain Terms.
5.6 Protocol Changes, Airdrops & Forks; Governance and Voting Rights
(a) The Parties acknowledge and agree that Supported Blockchain protocols may change, and airdrops or forks may arise, in each case outside of the control of Galaxy and that,
therefore, except as may be otherwise provided in this Agreement:
(i) Galaxy may respond to protocol changes, airdrops or forks in any way that Galaxy determines appropriate in its commercially reasonable discretion acting in good faith
(provided that, to the extent reasonably practical, Galaxy will advise Delegator of its anticipated response to a protocol change or fork with respect to a Supported Blockchain in advance thereof);
(ii) the reasonable exercise by Galaxy, acting in good faith, of any right or power that is available to it in its capacity as a validating node on the Supported Blockchain
shall not constitute a breach or violation of any obligation owed by Galaxy to Delegator under this Agreement; and
(iii) Galaxy is not responsible for any losses or reductions in value in respect of the Tokens or otherwise suffered by Delegator in connection with protocol changes, airdrops or forks unless caused by Galaxy’s gross negligence, fraud or willful misconduct.
(b) In the event that the Supported Blockchain Terms describe a protocol of a Supported Blockchain that undergoes a change imposed by the protocol that affects the Public Rate, Rewards, Slashing Penalties, or Validation
Rights of the Supported Blockchain, such protocol change shall be deemed to be incorporated into and supersede any conflicting Supported Blockchain Terms.
5.7 Governance. Certain Supported Blockchains may offer the ability for staking parties to participate in governance voting relating to the related Blockchain Protocol. To the extent set forth
in this Section 5.7, Galaxy may, solely for the benefit and on behalf of Delegator, facilitate the casting of votes associated with Delegator’s Tokens for governance matters relating to the relevant Blockchain Protocol. Any such action
shall be taken solely upon Delegator’s written direction, which must be received by Galaxy no less than forty-eight (48) hours prior to the applicable governance matter’s voting deadline, as set forth in the applicable governance proposal (the “Notice of Intent to Vote”).
Delegator shall be solely responsible for monitoring all governance matters, proposals, and voting opportunities relating to any Supported
Blockchain. Galaxy shall have no obligation to monitor, identify, track, or notify Delegator of any such governance matters. Galaxy’s obligation to act is limited solely to timely receiving the Notice of Intent to Vote and only with respect to
governance proposals that materially affect Delegator in relation to the applicable Supported Blockchain, as mutually determined by the Parties acting in a commercially reasonable manner; provided that, Galaxy reserves the right to decline to act
on any voting instruction if Galaxy determines, in its sole but reasonable discretion, that (i) doing so is necessary or advisable to address a material risk to Galaxy (including to its reputation), its affiliates or business partners, or
Galaxy’s technical, operational, or commercial systems; (ii) it would be technically or commercially unsafe; or (iii) the action would violate applicable Law.
To the maximum extent permitted by applicable Law and notwithstanding anything contrary in this Agreement, Galaxy shall not be liable for any loss, damage, or
claim arising out of or related to Galaxy’s good-faith actions or omissions in following Delegator’s written directions in connection with participation in governance voting relating to any Blockchain Protocol, including any failure to act due to
late, unclear, incomplete, or conflicting instructions. Delegator shall be solely responsible for any tax liabilities arising in connection with governance voting, including any new tokens or rewards that may be created, distributed, or credited as a
result of such voting activity.
Delegator acknowledges and agrees that the governance support described in this Section 5.7 does not create, and shall not be construed as creating, any fiduciary
duty, advisory duty, or other heightened standard of care on the part of Galaxy, and that Galaxy’s obligations with respect to governance matters related to a Blockchain Protocol are strictly limited to those expressly set forth in this Section 5.7.
6.1 The obligation of Galaxy to perform the Services is conditional on the satisfaction of the following conditions precedent as of the Effective Date and the time of performance of the Services:
(a) Galaxy is authorized to operate a validator node on the Supported Blockchain;
(b) the covenants and obligations of Delegator under this Agreement are performed and satisfied;
(c) the representations and warranties of Delegator set forth herein are true, accurate and complete in all material respects as of all times on and after the date of this Agreement during the Term;
(d) neither the delegation of the Token Rights by Delegator to Galaxy, nor Galaxy’s performance of Services, constitute, or would be
reasonably expected to result in (with or without notice, lapse of time, or both) a breach, default, contravention or violation of any Law, or agreement to which Delegator or Galaxy is a party or by
which Delegator or Galaxy is bound, including this Agreement and the protocols of each relevant Supported Blockchain; and
(e) without limiting the generality of the foregoing, under Law:
(i) neither Galaxy nor Delegator, to the best of its knowledge, is deemed to be a “money service business,” “money transmitter” or a similar classification in accordance with applicable anti-money laundering,
know-your-customer or similar rules, regulations or other Laws; and
(ii) the performance of this Agreement, including the Services, by each of Galaxy and Delegator, to the best of its knowledge, does not require any licenses, permits, or
registrations (in respect of securities Law or otherwise) not possessed by Galaxy or Delegator.
7.1 Delegator shall be solely responsible for the payment to applicable governmental authorities of any and all taxes or associated penalties, duties, and interest (together, “Taxes”) (i)
applicable to the Delegator's Net Rewards, Slashing Reimbursements and other amounts receivable or received by Delegator in connection with or resulting from this Agreement, and (ii) all other Taxes of Delegator or which may apply to Delegator
resulting from or related to the transactions contemplated under this Agreement or otherwise.
7.2 Galaxy shall be solely responsible for the payment to applicable governmental authorities of any and all Taxes (i) applicable to Galaxy’s Service Fee and other amounts receivable or received by
Galaxy in connection with or resulting from this Agreement, and (ii) all other Taxes of Galaxy or which may apply to Galaxy resulting
from or related to the transactions contemplated under this Agreement or otherwise.
7.3 Neither Galaxy nor any of its agents have provided or will provide advice or guidance with respect to any Law, applicable Tax or other obligations of Delegator. Delegator is strongly
encouraged to seek advice from Delegator's legal and tax advisors with respect to any Law, applicable Tax and other obligations of Delegator related to the entering into and performance of this Agreement.
7.4 Delegator shall indemnify and hold harmless Galaxy and its Representatives in respect of all Taxes levied by any governmental authority on any Net Rewards, Slashing Reimbursements and
other amounts receivable or received by Delegator in connection with this Agreement.
8. TERM, TERMINATION, AND SURVIVAL
8.1 Term. The term of this Agreement (the “Term”) commences on the Effective Date and shall continue in effect until terminated in accordance with Section
8.2.
8.2 Termination. A Party or the Parties (as applicable) may terminate this Agreement in accordance with items (a) through (f) below (each, a “Termination
Event”). In addition, upon any Termination Event, for the avoidance of doubt, existing staking arrangements will be unwound and there will be no requirement for either Party to undertake the staking of new tokens. A Party or the Parties
(as applicable) may terminate this Agreement as follows:
(a) for material uncured breach of this Agreement that continues for thirty (30) calendar days following written notice to the breaching Party;
(b) immediately upon (i) the filing of a petition in bankruptcy for relief under the U.S. Bankruptcy Code or the institution of any other bankruptcy or insolvency proceedings by, against, or on behalf of the other Party,
(ii) the appointment of a receiver for the other Party, (iii) the dissolution or liquidation of the other Party, or (iv) any act of insolvency by the other Party;
(c) immediately, for reasons of material violation of any Law by the other Party;
(d) immediately, upon a change in Law which does or will render any material portion of the Services illegal or otherwise materially and adversely impacts the Services;
(e) immediately, in the event that the terminating Party is directed in writing by a regulatory authority with valid jurisdiction over it to cease or materially limit performance of such Party’s obligations under this
Agreement;
(f) for convenience by the Delegator, upon ninety (90) days written notice to Galaxy after the initial twelve (12) months of the Agreement (the “Initial Term”); or
(g) upon the mutual written agreement of the Parties to terminate this Agreement.
8.3 Effect of Termination. Upon the termination of this Agreement:
(a) Delegator will cease delegating Tokens to Galaxy;
(b) Delegator will be required to initiate withdrawal and unbonding of Tokens;
(c) Galaxy will transfer to Delegator all amounts owed by Galaxy to Delegator in accordance with the terms of this Agreement, if not yet transferred to Delegator;
(d) Delegator will transfer to Galaxy all amounts owed by Delegator to Galaxy in accordance with the terms of this Agreement, including
Service Fees, if not yet transferred to Galaxy;
(e) Upon reasonable written request, each Party shall either return to the other Party (or, at such other Party’s instruction, and subject to reasonable technical limitations, destroy and provide such other Party with
written certification of the destruction of) all documents, computer files, and other materials containing any of the other Party’s Confidential Information that are in its possession or control, unless such Party is required by applicable
Law or by its internal compliance or document retention policies to retain such Confidential Information solely for archival purposes (in which case such retained Confidential Information will remain subject to the undertakings in Section 9);
and
(f) No Service Fee shall accrue after termination (inclusive of any applicable protocol unbonding period that is solely initiated in relation to such termination) other than amounts attributable to Rewards generated
prior to the termination effective date.
8.4 Survival. The following provisions will survive any expiration or termination of this Agreement: 1, 5, 7, 8.3, 8.4, 9, 11, 12, 14-16; provided that, with respect to Sections 8.3(e) and 9,
each Party’s obligations hereunder with respect to Confidential Information of the other Party as Disclosing Party shall terminate and expire on that date that is two (2) years following the date of termination of this Agreement.
The Receiving Party will: (i) protect the confidentiality of the Disclosing Party’s Confidential Information using the same degree of care that it uses with its
own confidential information of similar nature, but with no less than reasonable care; (ii) not use any of the Disclosing Party's Confidential Information for any purpose other than as may be necessary or desirable in connection with the performance
of this Agreement; and (iii) not disclose the Disclosing Party's Confidential Information to any party other than its Representatives and its and their advisors, as reasonably required to perform this Agreement, provided they are advised of the
obligations of confidentiality and restrictions on use hereunder. If the Receiving Party is legally compelled to disclose any of the Disclosing Party's Confidential Information, the Receiving Party will, if legally permitted to do so, provide the
Disclosing Party prompt prior written notice of such requirement so that the Disclosing Party may seek a protective order or other appropriate remedy and/or waive compliance with the terms of this Section. If such protective order or other remedy is
not obtained or the Disclosing Party waives compliance with the terms of this Section, the Receiving Party may furnish only that portion of the Confidential Information which it is legally required to disclose in the opinion of its counsel.
10. SECURITY AND CONFLICT CLEARANCE OBLIGATIONS
10.1 Galaxy will: (i) maintain appropriate administrative, technical and physical safeguards to protect the security, confidentiality and integrity of its staking service and any of Delegator’s data received or processed or
transmitted by Galaxy, and such safeguards shall include encryption of Delegator’s data in transmission and at rest; and (ii) maintain, and will require all third party data processors that Galaxy engages to maintain, appropriate physical, technical and organizational measures to protect Delegator’s Confidential Information against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or
access. Galaxy’s obligations for security, data protection and operational resiliency are set forth in Schedule C hereto.
11. INTELLECTUAL PROPERTY AND INFRINGEMENT INDEMNITY
All right, title, and interest in and to the Platform and the Website, including all modifications, improvements, adaptations, and
enhancements made thereto, are and shall remain the sole and exclusive property of Galaxy. Galaxy shall defend, indemnify, and hold Delegator harmless from any third-party claim alleging that Delegator’s authorized use of the unmodified Platform or
Website, as provided to Delegator, infringes an intellectual property right, but only to the extent caused by the Platform or Website; provided, however, that Galaxy shall have no obligation to the extent such claim arises from (i) use not in
accordance with this Agreement, (ii) modifications not made by Galaxy, or (iii) combinations with items not provided by Galaxy. Galaxy shall control the defense of any such indemnified claim. Galaxy may settle any indemnified claim that involves only
the payment of money without Delegator’s consent. For any other settlement, Galaxy will seek Delegator’s consent, which shall not be unreasonably withheld, conditioned, or delayed.
Delegator shall not and will not authorize, permit, or encourage any third party to: (i) reverse engineer, decompile, disassemble, or
otherwise attempt to discern the source code or interface protocols of the Platform or the Website; (ii) modify, adapt, or translate the Platform or the Website; (iii) make any copies of the Platform or the Website; (iv) resell, distribute, or
sublicense the Platform or the Website; (v) remove or modify any proprietary marking or restrictive legends placed on the Platform or the Website; (vi) use the
Platform or Website (A) in violation of any Law or regulation, (B) to build a competitive product or service, or (C) for any purpose other
than to perform this Agreement; or (vii) introduce, post, upload, transmit, or otherwise make available to or from the Platform or the Website any Prohibited Content.
13. REPRESENTATIONS AND WARRANTIES; DISCLAIMER
13.1 Mutual Representations and Warranties. Each Party represents and warrants to the other Party, as of the Effective Date and each date on which Delegator
delegates Token Rights to Galaxy, that:
(a) The Party is duly organized and existing in good standing under the laws of its jurisdiction of organization or formation, has all corporate or trust powers required to carry on its business as now conducted, and is
duly qualified to do business and is in good standing in each jurisdiction where such qualification is necessary;
(b) The Party has all required capacity, authority, and power to enter into and perform its obligations under this Agreement, and this Agreement constitutes a legal, valid and binding obligation of the Party enforceable
against the Party in accordance with its terms, except as limited by bankruptcy, insolvency or other laws of general application relating to or affecting the enforcement of creditors' rights generally and principles of equity;
(c) The Party is, to the best of its knowledge, in material compliance with all applicable Laws including licensing requirements governing its operations and activities;
(d) The execution, delivery, and performance of this Agreement by the Party (i) will not, to the best of such Party’s knowledge, conflict with or violate in any material manner any Law, and (ii) will not constitute or
result in a violation or breach of, and will not conflict with or constitute a default under, any contract, agreement, or commitment binding upon it;
(e) Neither the delegation of Token Rights by Delegator to Galaxy, nor Galaxy’s performance of this Agreement (i) represents or
constitutes a loan or a contribution of capital to, or other investment in, Galaxy; (ii) provides Delegator with any ownership interest, equity, security, or right to or interest in the assets, rights,
properties, revenues or profits of, or voting rights whatsoever in, Galaxy; or (iii) creates or implies any fiduciary or other agency relationship between Galaxy (or
any of its Representatives) and Delegator or entitles Delegator to any fiduciary duty or similar duty on the part of any of the foregoing Persons; and
(f) Neither Party hereto, nor such Party’s Representatives, is, or is a Person that is owned in part or in whole or controlled by any Person that is, or is conducting any activities on behalf of any Person that is
(i) the subject of any economic or trade sanctions administered or enforced by any governmental authority or otherwise designated on any list of prohibited or restricted parties (including but not limited to the United Nations Security
Council, the European Union, His Majesty’s Treasury of the United Kingdom of Great Britain and Northern Ireland (the “UK Treasury”), and the U.S.
Department of Treasury), or (ii) located, organized or resident in a jurisdiction or territory that is the subject of comprehensive country-wide, territory-wide, or regional economic sanctions by the United Nations, European Union, any EU
country, the UK Treasury, or the United States, including without limitation Cuba, the Crimea, Donetsk, and Luhansk regions of Ukraine, Iran, North Korea, Russia, Syria, or Yemen (a “Restricted
Territory”).
13.2 Representations and Warranties of Delegator. In addition to the representations and warranties
set forth in Section 13.1, Delegator represents and warrants to Galaxy, as of the Effective Date and each
date on which Delegator delegates Token Rights to Galaxy, that:
(a) Delegator has all right, title and interest in and to the Tokens;
(b) Delegator has sufficient authority to delegate the staking of Tokens;
(c) Delegator is not entering into this Agreement for the purpose of making an investment with respect to Galaxy or its securities, but instead, and only, to receive the
Services from Galaxy;
(d) Delegator and its Representatives, as applicable, are in compliance with the Foreign Corrupt Practices Act of 1977 (United States), and where applicable, similar Laws of
other jurisdictions;
(e) Delegator and its Representatives, where applicable, are in compliance with anti-money laundering obligations, and anti-terrorist financing obligations under the Law of the United States, and if applicable to
Delegator, similar Laws of other jurisdictions;
(f) Neither Delegator nor, to the best of its knowledge, its Representatives have been convicted of, nor have agreed to enter into a pretrial diversion or similar program in connection with the prosecution of, a
criminal offense involving theft, dishonesty, breach of trust, money laundering, the illegal manufacture, sale, distribution of or trafficking in controlled substances, or substantially equivalent activity in a domestic, military, or foreign
court;
(f) Delegator is not (i) a Sanctioned Person, (ii) located, organized or resident in a Restricted Territory, or (iii) engaged in any dealings or transactions with any such Person described in (i) or (ii) above; without
limiting the generality of the foregoing, none of Delegator and its Representatives is owned or controlled by, or acting on behalf of, any Person who is, a Sanctioned Person or located, organized or resident in any Restricted Territory;
(g) Delegator is sophisticated and experienced in using and evaluating the relevant Supported Blockchains and applicable protocols and related technologies. Delegator has conducted and will conduct its own due
diligence and analysis of the relevant Supported Blockchains and the matters provided under this Agreement in order to determine whether Delegator wishes to enter into this Agreement to have Galaxy
perform the Services;
(h) Delegator is capable of evaluating the merits and risks of the Services provided hereunder and protecting its own interests in the transactions contemplated hereunder; Delegator
has not relied upon any information, statement, omission, representation or warranty, express or implied, written or oral, made by or on behalf of Galaxy in connection with the entering into and
performance of this Agreement by the Parties except those matters that are explicitly set forth herein; and
(i) to the best of its knowledge, Delegator’s Tokens are not derived from, and do not otherwise represent the proceeds of, any activities done in violation or contravention of any applicable Law.
13.3 Artificial Intelligence (AI). Galaxy shall not (a) provide or otherwise make available any AI Tools to Delegator under this Agreement (whether provided as a service or
deliverable or sourced from a third party), (b) materially use any AI Tools to provide services or materially process any data of Delegator, or (c) otherwise materially connect any AI Tools with the Delegator’s information
technology environment. “AI Tools” means any software, systems, algorithms, and technologies that can be used to perform
intelligent functions or to substitute, augment, or replace the activities, roles, responsibilities, or functions performed by human beings, but excluding any software, systems, algorithms, and technologies that merely use rules directly defined
solely by natural persons to automatically execute operations.
13.4 Disclaimer. Except as expressly set forth herein, the Services, the Platform, the Website, their components, and any other materials provided
hereunder are provided “as is” and “as available”, and Galaxy does not make any warranties with respect to the same or otherwise in connection with this Agreement (except as explicitly provided in this
Agreement) and hereby disclaims any and all express, implied, or statutory warranties, including any warranties of non-infringement, merchantability, fitness for a particular purpose, availability, error-free or uninterrupted operation, and
any warranties arising from a course of dealing, course of performance, or usage of trade. To the extent that Galaxy may not as a matter of Law disclaim any implied warranty, the scope and duration of
such warranty will be the minimum permitted under such Law. Without limiting the foregoing, Galaxy makes no representations or warranties with regard to the potential market for the Services or the
amount of Rewards that may be generated under this Agreement.
14. LIMITATION OF LIABILITY
14.1 In no event will Galaxy or Delegator be liable to the other Party or any other Person for any incidental, indirect, consequential, special, exemplary or punitive damages or losses of
any kind arising from or relating to this Agreement, regardless of whether the relevant party was advised, had other reason to know, or in fact knew of the possibility thereof. Each Party’s aggregate liability
for direct damages under this Agreement will not exceed the amount equal to the sum of the Service Fee and Slashing Reimbursements paid to Delegator under this Agreement during the period twenty four (24)
months prior to the event giving rise to the liability.
14.2 In no event will Galaxy be liable to Delegator or any other Person for any Missed Reward, Slashing Penalties or any other damages or losses caused
solely by protocol-wide malfunction of a Supported Blockchain.
14.3 For Missed Rewards: where Rewards were missed due to Galaxy’s failure to perform the Services as required by the terms of this Agreement, Galaxy’s
total liability shall be limited to the total amount of Missed Rewards, unless such Missed Rewards were due to a protocol-wide malfunction of a relevant Supported Blockchain in which case Galaxy shall not be
liable.
15.1 Delegator (in such capacity, the “Delegator Indemnifying Party”) shall defend, indemnify, and hold harmless Galaxy and its Representatives (together, the “Galaxy Indemnified Parties”), from all liabilities, damages, costs, and reasonable expenses (including reasonable attorneys' fees) incurred by such Galaxy Indemnified Parties in connection with any unaffiliated third-party action,
claim, proceeding, or other damage, cost or liability (each, a “Galaxy Claim”) arising from the Delegator Indemnifying Party's breach of its covenants and
representations and warranties under this Agreement, in each case, except to the extent caused by the gross negligence, fraud, or willful misconduct of any Galaxy Indemnified Parties; provided that the foregoing obligations shall be subject to the
relevant Galaxy Indemnified Party: (i) promptly notifying the Delegator Indemnifying Party in writing of the Galaxy Claim; (ii) providing the Delegator Indemnifying Party, at the expense of the Delegator Indemnifying Party, with reasonable
cooperation in the defense of the Galaxy Claim; and (iii) providing the Delegator Indemnifying Party with control over the defense and negotiations of the Galaxy Claim for a settlement or other resolution, subject
to reasonable ongoing notice to the relevant Galaxy Indemnified Parties with respect to strategy and direction of the defense and negotiations of
the Galaxy Claim.
15.2 Galaxy (in such capacity, the “Galaxy Indemnifying Party”) shall defend, indemnify, and hold harmless Delegator and its Representatives (together, the “Delegator
Indemnified Parties”), from all liabilities, damages, costs, and reasonable expenses (including reasonable attorneys' fees) incurred by such Delegator Indemnified Parties in connection with any unaffiliated third-party action, claim,
proceeding, or other damage, cost or liability (each, a “Delegator Claim”) arising from the Galaxy Indemnifying Party's breach of its covenants and representations and warranties under this Agreement, in each
case, except to the extent caused by the gross negligence, fraud, or willful misconduct of any Delegator Indemnified Party; provided that the foregoing obligations shall be subject to the relevant Delegator Indemnified Parties: (i) promptly
notifying the Galaxy Indemnifying Party in writing of the Delegator Claim; (ii) providing the Galaxy Indemnifying Party, at the expense of the Galaxy Indemnifying Party, with reasonable cooperation in the defense of the Delegator Claim; and (iii)
providing the Galaxy Indemnifying Party with control over the defense and negotiations of the Delegator Claim for a settlement or other resolution, subject to reasonable ongoing notice to the relevant Delegator Indemnified Parties with respect to
strategy and direction of the defense and negotiations of the Delegator Claim.
(a) Headings. The headings in this Agreement are for reference only and will not affect the interpretation of this Agreement.
(b) References to Agreements. The term “Agreement” and any reference to this Agreement or any other agreement or document includes, and is a reference to, this Agreement or such other agreement or document as it
may have been, or may from time to time be, amended, restated, replaced, supplemented or novated.
(c) Non-Strict Construction. The language used in this Agreement is the language chosen by the Parties to express their mutual intent, and no rule of strict construction will be applied against a Party.
(i) The words “including”, “includes”, and “include” mean “including (or includes or include) without limitation”.
(ii) Any reference in this Agreement to a Person includes his, her, or its heirs, administrators, executors, legal representatives, successors, and permitted assigns, as applicable.
(iii) Any reference in this Agreement to gender includes all genders, and words importing the singular number only include the plural and vice-versa.
16.2 Assignment. Neither Party shall assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written consent of the other Party;
provided that Galaxy may assign or otherwise transfer this Agreement: (i) to any of its Affiliates with at least thirty (30) calendar days’ prior
written notice to Delegator; or (ii) in connection with a change of control transaction (whether by merger, consolidation, sale of equity
interests, sale of all or substantially all assets, or otherwise), provided further that in all cases, the assignee is, upon the assignment or transfer, bound by the terms and conditions of this Agreement. Any assignment or other transfer in
violation of this Section will be null and void. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the Parties and their successors and permitted assigns.
16.3 Waiver. No failure or delay by either Party in exercising any right or remedy under this Agreement shall operate or be deemed as a waiver of any such right or
remedy. Without limiting the generality of the foregoing, Galaxy shall not be deemed to have waived any of the conditions described in Section 6.1(b) to and including (e), or waived or released any claim,
right, power, privilege or remedy related thereto, by virtue of providing Services to Delegator while having no specific knowledge that such condition is not satisfied with respect to Delegator.
16.4 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of New York, without regard for the internal choice of law provisions
thereof.
16.5 Exclusive Forum; Jury Trial Waiver. The Parties hereby irrevocably and unconditionally consent to the exclusive jurisdiction of the courts of the State of New York and the
United States District Court for the Southern District of New York, in each case located in the Borough of Manhattan, for any action, suit or proceeding arising out of or relating to this Agreement, and agree not to commence any action, suit or
proceeding related thereto except in such courts. TO THE EXTENT NOT PROHIBITED BY APPLICABLE LAW THAT CANNOT BE WAIVED, THE PARTIES HEREBY WAIVE, AND AGREE THAT THEY WILL NOT ASSERT (WHETHER AS PLAINTIFF,
DEFENDANT OR OTHERWISE), ANY RIGHT TO TRIAL BY JURY IN ANY ACTION, SUIT OR PROCEEDING DESCRIBED HEREIN. THE PARTIES AGREE THAT EITHER OF THEM MAY FILE A COPY OF THIS PARAGRAPH WITH ANY COURT AS WRITTEN EVIDENCE OF THE KNOWING, VOLUNTARY AND
BARGAINED-FOR AGREEMENT BETWEEN THE PARTIES IRREVOCABLY TO WAIVE THEIR RIGHT TO TRIAL BY JURY IN ANY SUCH ACTION, SUIT OR PROCEEDING AND THAT ANY SUCH ACTION, SUIT OR PROCEEDING WILL INSTEAD BE TRIED BY A JUDGE SITTING WITHOUT A JURY.
16.6 No Class Action. Without limiting the foregoing, each Party may only make a claim or proceeding against the other Party in the first Party’s individual capacity and shall not as
a plaintiff or class member in any purported class or representative action or proceeding.
16.7 Notices. All notices required under this Agreement (other than routine operational communications) must be in writing and delivered to the personnel designated below. Such
notices shall be effective upon actual delivery to the other Party, if delivered in person or by e-mail.
To Galaxy:
Galaxy Blockchain Infrastructure LLC
c/o Legal Department
300 Vesey Street, 13th Floor
New York, N.Y. 10282
Email: StratOps@galaxydigital.io ; with a mandatory copy to: legal-compliance@galaxydigital.io
To Delegator:
Invesco Galaxy Solana ETF
3500 Lacey Road, Suite 700
Downers Grove, IL 60515
rudolf.reitmann@invesco.com
16.8 Independent Contractors. The Parties are independent contractors. Neither Party shall be deemed to be an employee, agent, partner, joint venturer, or legal representative of
the other for any purpose, and neither shall have any right, power, or authority to create any obligation or responsibility on behalf of the other.
16.9 Severability. If any provision of this Agreement is found invalid or unenforceable by a court of competent jurisdiction, that provision shall be amended to
achieve as nearly as possible the same economic effect as the original provision, and the remainder of this Agreement shall remain in full force and effect. Any provision of this Agreement, which is unenforceable in any jurisdiction, shall be
ineffective only as to that jurisdiction, and only to the extent of such unenforceability, without invalidating the remaining provisions hereof.
16.10 Force Majeure. Neither Party shall be deemed to be in breach of this Agreement for any default or delay in the performance of its obligations under this
Agreement, if and to the extent such default or delay is caused directly or indirectly by an event of force majeure, such as war, terrorist attacks, cyber-attacks, riots, forces of nature or fire, sabotage, epidemics, quarantine, government
sanctions, blockades, collective actions, strike, disruption of provision of services in the supply chain, failure of telecommunications carriers, electric power disruptions, utility company failures or any other similar causes beyond the reasonable
control of a Party (each, a “Force Majeure Event”).
16.11 Non-Exclusivity. This Agreement is non-exclusive. Galaxy may perform staking services for other delegators and Delegator
may engage with other staking providers.
16.12 Third-Party Beneficiaries. Except as set forth in Section 15, there are no other third-party beneficiaries under this Agreement.
16.13 Entire Agreement. This Agreement constitutes the final and complete agreement between the Parties regarding the subject matter hereof, and supersedes any prior or contemporaneous
communications, representations, or agreements between the Parties, whether oral or written. No term included in any confirmation, acceptance, or any other similar document from Delegator in connection with this Agreement will apply to this
Agreement or have any force or effect.
16.14 Modifications. Any modification or amendment to this Agreement must be in writing signed by both Parties or is null and void.
16.15 Paramountcy. Without limiting the foregoing, if there would otherwise be any legally binding agreement involving Delegator and Galaxy that is implied by or embodied in the protocols of any Supported Blockchain that conflicts or is inconsistent with this Agreement, this Agreement shall prevail over such other agreement to the extent of the inconsistency.
16.16 Currency. All dollar ($) amounts identified in this Agreement are denominated in United States dollars.
16.17 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which shall constitute the same agreement. One or more
counterparts of this Agreement may be delivered by facsimile or pdf electronic transmission, with the intention that they shall have the same effect as an original counterpart hereof.
16.18 Limitations of Liability of the Shareholders. It is expressly acknowledged and agreed that the obligations of the Delegator hereunder shall not be binding upon any shareholder,
sponsor, officer, employee or agent of the Delegator, personally, but shall bind only the trust property of the Delegator, as provided in its Amended and Restated Declaration of Trust and By-Laws.
16.19 Liability of Sponsor. It is expressly understood and agreed by the Parties that to the extent that the Agreement has been executed by Invesco Capital Management LLC, as
sponsor (“Sponsor”) of the Delegator that (a) this Agreement is executed and delivered on behalf of the Delegator by the Sponsor, not individually or personally, but solely as the Delegator’s Sponsor in the
exercise of the powers and authority conferred and vested in it; (b) the representations, covenants, undertakings and agreements herein made by the Delegator are made and intended not as personal representations, covenants, undertakings and
agreements by the Sponsor but are made and intended for the purpose of binding only the Delegator; (c) nothing herein contained shall be construed as creating any liability on the Sponsor, individually or personally, to perform any covenant of the
Delegator either expressed or implied herein, all such liability, if any, being expressly waived by the Parties hereto and by any person claiming by, through or under the Parties hereto; and (d) except for those obligations expressly assumed by the
Sponsor, under no circumstances shall the Sponsor be personally liable for the payment of any of the Delegator’s indebtedness or expenses or be liable for the breach or failure of any obligation, duty, representation, warranty or covenant made or
undertaken by the Delegator under this Agreement or any other related document.
IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed and delivered as of the Effective Date:
INVESCO GALAXY SOLANA ETF
BY INVESCO CAPITAL MANAGEMENT LLC, NOT IN ITS INDIVIDUAL CAPACITY BUT SOLELY AS SPONSOR
By: _____________________________
Print Name: ______________________
Title: ____________________________
GALAXY BLOCKCHAIN INFRASTRUCTURE LLC
By: _____________________________
Print Name: ______________________
Title: ____________________________
SCHEDULE A
SUPPORTED BLOCKCHAIN TERMS
[attached]
SCHEDULE B
SERVICE LEVEL AGREEMENT
• Quality assurance and testing of all included subsystems (monitoring, logging, balancing)
• Full hardware / software maintenance and servicing upgrades and deployments within twenty-four (24) hours
• Individual Node uptime of 99.9%
• On-call support - 24/7 direct access to Galaxy via several channels
• Log Collection & display - standard UI component, available for full review and audit
Nodes. Galaxy shall ensure that its Nodes have an Actual Uptime of at least 99.9% during each rolling thirty (30) calendar day period.
Definitions. For the purposes of this SLA:
“Actual Uptime” shall mean Total Scheduled Availability minus Downtime.
“Critical Defect” means any demonstrable Defect in the Node that: (a) causes the Node to have a significant loss of utility of intended function; (b) causes
or is likely to cause data to be lost or destroyed; or (c) prevents the Node from being accessed by the Delegator.
“Defect” means a failure of the Node to perform substantially in accordance with the relevant Blockchain Protocol.
“Downtime” shall mean time (in minutes) that an individual Node is not accessible to Delegator or is not functioning materially as expected for reasons other
than Maintenance or Force Majeure.
“Low Defect” means any demonstrable Defect that: (a) causes a function to not execute as documented without a significant loss of utility of intended
functionality; or (b) disables one or more nonessential functions.
“Maintenance” shall mean time (in minutes) that an individual Node is not accessible to Delegator or is not functioning materially as expected due to
maintenance of the Node or Platform, including for maintenance and upgrading of the software and hardware used by Galaxy to provide the Node or emergency maintenance to prevent an anticipated outage or reduction in performance. Scheduled maintenance
shall only be performed on no less than three calendar days’ prior notice.
“Medium Defect” means any demonstrable Defect in the Node that causes the Node to operate improperly, but which error does not rise to the level of a
Critical Defect.
“Total Scheduled Availability” shall mean 24 hours a day, 7 days a week, 365/6 days a year,
excluding Maintenance and Force Majeure.
In the event that the Actual Uptime for any Node is less than 99.9% of Total Scheduled Availability in any calendar month, Galaxy shall provide a credit to Delegator against Service Fees payable to
Galaxy hereunder for the following invoicing cycle based on the Actual Uptime achieved for any such month (each, a “Service Credit”).
Defects shall be reported by the Delegator and categorized by Galaxy as Critical Defects, Medium Defects or Low Defects. If the Delegator disagrees with Galaxy’s classification, the Delegator shall
advise Galaxy of such disagreement and the parties shall use commercially reasonable efforts to resolve the conflict.
Galaxy shall use commercially reasonable efforts to adhere to the following response and restoration time frames:
| Defect Type | Response | Interim Resolution | Permanent Solution | Update Frequency |
|---|---|---|---|---|
| Critical | 30 Minutes | 12 Hours | 2 Days | Hourly for the first 12 Hours |
| Medium | 1 Day | 2 Days | 1 Week | N/A |
| Low | 3 Days | 30 Days | Next Release | N/A |
SCHEDULE C
Security and Resiliency Requirements
[Any reference herein to “Supplier” shall mean “Galaxy” and any reference to “Company” shall mean “Delegator”]
Definitions
Availability means the ability of an authorized person to use or access objects, resources, data, or information when needed, without undue delay.
Company Data means the data pertaining to Company that is stored, processed, transferred, or accessed by the Supplier on behalf of Company.
Confidentiality means and includes the property that data or information is not made available or disclosed to unauthorized people or processes.
Disaster means an unplanned event which results in a material and sustained loss of access to and use of the Third-Party products or services resulting in
the observed and material disruption or degradation in the processes of one or more Third Party Companies, excluding force majeure events. To avoid doubt, fire, flood, earthquake, wind, power, outage, network outages (other than collapse of the
Internet backbone), and catastrophic failure of Third Party’s infrastructure are not force majeure events.
Encryption means to modify or code data so that it is illegible without a specific key to decode it.
Force Majeure is an unforeseen circumstance that prevents the fulfillment of contract.
Integrity means the property that data or information has not been altered or destroyed in an unauthorized manner.
Important Business Service refers to a service provided by an organization that, if disrupted, could cause significant harm to the organization itself, its
customers, or the broader market.
Impact Tolerance is the maximum tolerable level of disruption to an important business service before intolerable harm occurs to the organization, its
stakeholders, or its customers.
Malicious Software means software that is intentionally distributed with the intent to cause damage, disrupt, or gain unauthorized access to networks,
systems, devices, servers and/or data.
Personal Data is any information that relates to an identified or identifiable individual where they can be identified directly or indirectly from such
information.
Recovery Point Objective (“RPO”) means the maximum targeted period in which data might be lost from a Service due to a major incident.
Recovery Time Objective (“RTO”) means the targeted duration of time and a service level within which a business process must be restored after a disaster (or
disruption) to avoid unacceptable consequences associated with a break in business continuity.
Risk means the possibility of suffering harm or loss.
Security Incident is one or more cyber events that actually or potentially jeopardize confidentiality, integrity, authenticity, or availability of
information. Security incidents usually involve attempts to gain unauthorized access to, disrupt, misuse, or steal Company data, systems, or assets.
Subcontractors are any third-party entities or individuals engaged by the supplier to perform services, deliver goods, or otherwise fulfill any
portion of the Supplier’s obligation under this agreement. This includes but is not limited to sub-contractors, agents, consultants, or service providers contracted directly or indirectly by the supplier.
Supplier Relationship Owner (SRO) is the Company employee primarily responsible and accountable for managing Company’s relationship with a supplier.
Suppliers must protect the Confidentiality, Integrity, authenticity, and Availability of Company systems and data entrusted to them and restrict their activities to legitimate
business purposes only. Under no circumstances is a Supplier authorized to use Company’s applications, systems, networks, and/or electronic data for activities that are illegal under applicable local, state, federal or international law.
Supplier shall implement data classification to classify data based on its sensitivity, value, and criticality to the organization. Security mechanisms for storage,
transmission, handling, resiliency, and destruction must be implemented in correlation with the Supplier’s classification of the data. Suppliers shall provide their classification of any Company Data accessed, processed, or stored by the Supplier.
1.3 Cooperation and Ready Availability of Company Information
Suppliers will ensure that Company Data is always readily available to the Company upon request, at no additional cost. Additionally, Supplier agrees to cooperate with Company
in preserving, accessing, searching, or producing Company Data as needed, including undertaking commercially reasonable efforts to develop and implement a joint litigation response plan, all at no additional cost to Company.
2. Security Program and Management
2.1 Information Security Program
Supplier agrees to maintain documented and management approved information security policies consistent with best practice (i.e., ISO 27001) and all applicable regulations that
include administrative, physical, and technical safeguards to protect the Company. Supplier warrants that it has an established risk management process to identify and manage security risks and exceptions to the information security policies.
Supplier shall have an established Information Security program governed by a senior member of security leadership (i.e., Chief Information Security Officer) with clearly established accountability and ownership of the program. This shall include
assigned specific roles and responsibilities for management along with proper staffing and financial resources.
2.2 Background Checks
Supplier will ensure that reasonable and appropriate background checks are conducted on all personnel in accordance with applicable laws and regulations and include identity proofing. Personnel must pass Supplier’s background check requirements prior to being assigned to positions in which they will, or Supplier expects them to, have access to Company Data.
2.3 Subcontractors
Supplier will implement a third-party risk management program to ensure that any third parties or subcontractors utilized to provide services will maintain adequate physical, technical, organizational,
and administrative controls in accordance with best practices (i.e., ISO 27001) and applicable regulations. Supplier will appropriately maintain an inventory of their subcontractors and manage risks associated
with subcontractors in accordance with their risk management program. Supplier will appropriately disclose any third parties or subcontractors that are utilized to provide services to Company or have access to Company
data. Supplier will implement an offboarding or exit process for sub-contractors that includes the decommissioning, disposal, or return of Company data as appropriate.
2.4 Security Awareness and Training
Supplier will implement and maintain a comprehensive security awareness and training program to ensure that all personnel understand their individual responsibilities in
safeguarding against security incidents and preventing unauthorized access to or use of Company Data. This program will include, at a minimum, mandatory annual security awareness training for all personnel and subcontractors, as appropriate. The
training will cover the Supplier’s Information Security Program, employee responsibilities, phishing awareness, and consequences of non-compliance. The Supplier will also provide periodic updates and refresher training to address emerging threats,
changes in policy, and lessons learned from security events. Participation in this training will be documented and monitored to ensure compliance and continuous improvement.
3. Logical and Technical Safeguards
3.1 Access Controls
Suppliers will maintain a formal access control policy and employ a centralized access management system to control personnel and machine identity access to
environments where Company data is accessed, processed or stored. Supplier will utilize role-based access controls and authorize access with the principle of least privilege. Supplier will ensure that individual user accounts are created for
accountability and non-repudiation. Multi-factor authentication (MFA) must be globally implemented for access to the network and associated applications. Privileged users are required to authenticate through MFA prior to accessing production
environments. Supplier will ensure periodic access reviews are performed for end users at least annually and for privileged accounts at least quarterly. Supplier will ensure that access to systems is timely removed upon user termination or when no
longer required per their role. Identity verification procedures must be established prior to user account changes and granting access. Suppliers will implement a password policy that aligns to industry’s best practices and requires complexity and
periodic password changes.
3.2 Secure Software Development and Code Reviews
Supplier shall maintain a formal Software Development Lifecycle (SDLC) that incorporates secure coding practices aligned with OWASP and other recognized industry standards. Supplier shall implement
consistent, documented software delivery processes to reduce risk, ensure integrity of deliverables, and utilize trusted components. These processes shall include measures to harden software during build and deployment by removing unnecessary tools
and software. Supplier shall perform regular manual and automated code reviews using both static and dynamic application security testing (SAST and DAST). Production changes must be reviewed to confirm appropriate use of deployment pipelines and
completion of code reviews. Significant issues identified during review shall be tracked and resolved prior to release into production. Development and test environments must be logically segregated from production, and Company data shall not be used
in non-production environments without prior written authorization. Supplier shall maintain and follow a documented change control process, including back-out procedures for all production releases. Application Programming Interfaces (APIs) shall be
tested for security vulnerabilities prior to release. Supplier shall implement and maintain
a Software Bill of Materials (SBOM) or equivalent process to inventory software components, libraries, and dependencies.
3.3 Antivirus and Malicious Software Protection
Suppliers will ensure that systems are appropriately protected against malicious software (including code) through implementation and configuration of anti-virus
software and regular assessment of software. Processes must be in place to initiate cyber response plans in case potentially harmful code is identified. Antivirus software must be updated regularly to identify newfound threats and known exploited
vulnerabilities. Open-Source or third-party libraries used within applications must be inventoried and regularly assessed for malicious code, disclosed vulnerabilities, or unwanted functionality.
3.4 Network Security Protection
Supplier will maintain a defense-in-depth approach to hardening the Production Environment against exposure and external attacks. Supplier will maintain an
isolated Production Environment that includes network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections. Supplier will implement 24/7/365 security
monitoring to identify anomalies of network behavior and traffic. Prevention and detection technologies shall monitor all activity generated and send risk-based alerts to the relevant security groups. Suppliers shall implement data loss and leakage
prevention techniques, and policy driven controls designed to guard against accidental or unauthorized disclosure of Confidential Information.
3.5 Audit and Logging Procedures
Supplier will use and maintain an auditing and logging mechanism that captures and records successful and failed events (with a date and time stamp, user ID,
application name, and pass/fail indicator). User access activities will be logged and audited periodically to identify unauthorized access and to investigate root causes. All application components that have logging capabilities (such as operating
systems, databases, web servers, and applications) will be configured to produce a security audit log. Audit logs will be configured for sufficient log storage capacity, and access to security log files will be limited to authorized Personnel.
3.6 Vulnerability Scans and Patch Management
Supplier shall establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures to identify, report, and prioritize the
remediation of vulnerabilities to protect systems against exploitation. These policies and procedures shall include technical and procedural measures to support both scheduled and emergency responses to vulnerability identification. Supplier shall
regularly scan (at least weekly) information systems using industry-standard vulnerability scanning tools and practices to remediate applicable critical, high, and medium risk vulnerabilities identified in provided technologies. Remediation shall
follow a defined schedule based on the risk and severity classification of the vulnerability, such as:
a. Critical / High - Within thirty (30) days of discovery of the vulnerability
b. Medium - Within sixty to ninety (60-90) days of discovery of the vulnerability
c. Low - Within one hundred and eighty (180) days of discovery of the vulnerability
Additionally, Supplier shall provide status and trends of open and patched high risk vulnerabilities upon request to Company.
4. Information Protection and Disposal
4.1 Encryption Protocols
Supplier shall implement and maintain strong cryptographic safeguards to protect Company Data across all environments. This includes the use of industry best-practice encryption
protocols—such as AES-256 or equivalent—for securing data at rest within production systems, backup repositories, portable devices, laptops, removable media, and backup tapes. Company Data in transit must be protected using at least Transport Layer
Security (TLS) version 1.3 or higher to ensure confidentiality and integrity during transmission. All electronic data exchanges between Supplier systems, networks, or applications must be conducted over secure, authenticated channels that align with
current industry standards.
4.2 Data Disposal and Destruction
Supplier storing Company Data must have a data destruction process in place which includes paper shredding and secure disposal of all electronic hardware. Prior
to disposal or redeployment of electronic device or media that contain Company Data, the Supplier must ensure that such data cannot be recreated or recovered. Supplier will implement industry recognized processes and procedures for data disposal and
secure media disposal in accordance with the guidelines identified in the National Institute of Standards’ Guidelines for Media Sanitization, SP800-88. Final disposition of electronic and/or devices must be documented and validated through
certification. All assets (including internal and external storage, data, etc.) belonging to the Company must be returned upon termination of the contract between the Supplier and the Company. With regards to Personal Data, Supplier is subject to the
disposal provisions outlined in the Data Protection Schedule.
4.3 Information Backup
Suppliers hosting Company Data must establish and implement procedures to create, maintain, and verify exact copies of Company Data, Company impact, government regulation,
business operations and security best practices. Supplier must ensure backup is stored in a secure manner and must be available in the event of a system failure or other Disaster.
5. Business Continuity and Resilience
5.1 Business Continuity and Disaster Recovery Plan
Supplier shall maintain written business continuity and disaster recovery plans (“plans”) with clear roles and responsibilities to ensure the ongoing availability of
Services during and after significant business disruptions. These plans shall address crisis management, plan activation, communication protocols, business recovery strategies, infrastructure, and system recovery. Supplier shall review their plans
periodically and update them as needed, provided such changes do not diminish its ability to safeguard Company Confidential Information or deliver Services under this Agreement. Supplier agrees to maintain a log of all business continuity
events and report material business continuity events to the Company upon Supplier becoming aware of any such event, as well as steps proposed to minimize any interruption to its Services hereunder. In the event of a
material disruption, the Supplier will cooperate with the Company in response to recovery efforts. The occurrence of a Force Majeure event does not relieve Supplier of its obligation to implement its plans and maintain necessary disaster recovery
services.
In the event of a failure of critical services or significant disruption, Supplier will promptly invoke its resiliency plans and restore critical service capability and the
production capability of critical information technology infrastructure of the Supplier services (including, but not limited to, data centers, hardware, software, power systems, and critical voice, data, and e-commerce communications links). Except
as otherwise provided in the applicable plan, Supplier will notify Company’s Supplier Relationship Owner or their delegate of disruptions in accordance with incident handling protocols outlined in this Exhibit. It is Supplier’s responsibility to
ensure any Subcontractors performing activities that could impact critical processes of Supplier services have plans in place that meet the same standards
and resiliency requirements.
Supplier agrees to provide Services with a stated Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) to be mutually agreed upon between the parties and
incorporated within this Agreement. Supplier recovery capabilities will align with the Company’s relevant Important Business Service’s Impact Tolerances. Upon written request of Company, Supplier agrees to provide relevant details to Company on their
business continuity and disaster recovery plans.
5.2 Business Continuity and Disaster Recovery Testing
Suppliers shall implement testing procedures to ensure the design and effectiveness of Business Continuity and Disaster Recovery plans. Plans for critical business operations
shall be tested no less than annually with the ability of the Company to participate in the testing as deemed feasible. The Supplier shall provide the Company with the results of Business Continuity and Disaster Recovery testing on an annual basis
and, where unsuccessful tests or significant issues arise, provide sufficient evidence of remediation or resolution. In the event of a material business disruption associated with the Services outlined in this Agreement, Supplier agrees to cooperate
with Company in responding to, resolving, and/or recovering from the disruption. The occurrence of a Force Majeure event will not relieve Supplier of its obligation to implement the Disaster Recovery Plan and to provide the disaster recovery
services contained therein. Supplier shall participate in Company operational resilience tests, as necessary. Evidence of plan testing and any resulting remedial actions will be documented in the audit reports
referenced in Section 8.1 (Independent Assurances).
6.1 Physical Security Program
Suppliers must implement appropriate physical security measures designed to protect the physical copies or assets where Company Data is processed and to ensure continuous
monitoring of access to facilities. Physical security measures are aligned to industry’s best practices (e.g. ISO 27001) and periodically reviewed to align to industry’s best practices.
6.2 Office and Facility Access
Supplier will ensure that physical locations are restricted to only authorized users and access is reviewed regularly. Visitors to supplier facilities shall be escorted by
Supplier personnel with appropriate staff on site to monitor access. Physical access to facilities must be revoked upon termination of Supplier personnel's employment.
6.3 Data Center Safeguards
Supplier will use data center service providers and will ensure that all data centers conform to ISO 27001 or equivalent certification. At minimum, all data
centers must implement:
(a) Multi-factor physical security measures, including auditable entry/exit mechanisms that record physical access to the facility, must be
maintained.
(b) Access must be limited to authorized personnel and visitors must be escorted at all times by authorized personnel while in the data center.
(c) Environmental security measures that include temperature and humidity controls, fire suppression systems, and periodic inspections by a
safety official.
7. Incident Handling, Tracking, and Response
7.1 Incident Response Program
Supplier will maintain an incident response program, which will be managed and run by a dedicated incident response team. The Supplier’s incident response program must follow documented incident
management policies and procedures to ensure timely detection, investigation, evidence preservation, notification, and remediation of any Security Incidents. Supplier’s incident response program will include, at a minimum: initial detection; initial
tactical response; initial briefing; incident briefing; refined response; communication and message; formal containment, eradication, and recovery; formal incident report; and postmortem/trend analysis.
7.2 Security Incident Notification
Supplier will comply with all applicable security incident notification laws and regulations in its provision of Supplier services. Supplier will notify Company without undue delay
(and in any event, within 48 hours) upon becoming aware of any (potential, suspected, or actual) incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Data. If Supplier is aware a
security incident has impact to Company Data, the notification period is within 24 hours. Notification must be made via a phone call or email to the designated Supplier Relationship Owner (SRO) and a secure email to infosecurity@invesco.com.
The initial notification must include:
(a) a problem statement or description,
(b) the expected resolution time (if known),
(c) notification of Invesco impact (if known),
(d) the name and phone number of the Supplier representative responsible for providing updates.
7.3 Ongoing Communication, Mitigation, and Cooperation
The Supplier must take reasonable measures to mitigate the root cause of any incident and implement corrective actions to prevent recurrence. The Supplier is also required to provide
timely updates, respond to Company inquiries, and cooperate fully in any related investigations or legal proceedings. As additional information becomes available—and unless prohibited by law—the Supplier must share relevant details about the nature
and impact of the incident to support the Company’s obligations to notify affected individuals, regulatory bodies, or credit bureaus.
8. Independent Audits and Assurances
8.1 Independent Audits
Supplier is responsible for conducting annual independent audits, in accordance with industry best practices, of their information security controls relevant to the access,
storage, or processing of Company information within the Supplier’s environment. The independent audits shall include testing of the design and operating effectiveness of the information technology and security controls. Supplier is to provide
Company with copies of any relevant independent SSAE 18/SOC 1 and SOC 2 audits.
8.2 Independent Penetration Testing
Supplier is responsible for conducting penetration testing after major changes or at least annually by an independent party against their external facing network and applications.
Penetration testing shall be conducted utilizing both manual and automated techniques in alignment with industry best practices to ensure the security against external threats of the Supplier network and external facing applications. Critical or
high-risk findings identified from penetration testing shall be remediated within 30 days.
Supplier shall perform appropriate testing to verify remediation effectiveness and report status of remediation to Company if critical or high-risk findings are open
beyond 30 days of discovery. At minimum, Supplier must provide an attestation or executive summary that includes the scope, methodology, date, and summary of the testing results. If requested, Supplier shall provide Rules of Engagements or equivalent
that outlines the parameters for Customer penetration testing based on the responsibility model of the Supplier service.
8.3 Remediation and Response Timeline
In the event Supplier’s administrative, physical or technical safeguards do not satisfy Supplier’s obligations under this Agreement, non-compliance shall be remediated by Supplier
within a commercially reasonable time; this includes, but is not limited to, responding to assessments, providing responses to findings and implementing necessary preventative and/or detective controls. If any audit reveals material non-compliance, Supplier
shall promptly develop and implement a remediation plan, at its own expense, to address the deficiencies within a mutually agreed-upon timeframe.
8.4 Company Right to Audit
Company, at no added expense and with reasonable notice, may inspect Supplier’s information security practices and safeguards relevant to the Services provided upon reasonable
request from Company.
Any audits conducted by Company pursuant to this Exhibit must:
(i) be conducted during reasonable times and be of reasonable duration;
(ii) not unreasonably interfere with Supplier’s day-to-day operations; and
(iii) be conducted under mutually agreed upon terms and in accordance with Supplier’s security policies and procedures.
Supplier reserves the right to limit an audit of configuration settings, sensors, monitors, network devices and equipment, files, or other items if Supplier, in its reasonable
discretion, determines that such an audit may compromise the security of Supplier Services or the data of other Supplier clients.
In the event Company conducts an audit through an independent auditor, such auditors must enter into a non-disclosure agreement containing confidentiality provisions substantially
similar to those set forth in the Agreement to protect Supplier’s confidential information. Company must promptly provide Awareness with any audit, security assessment, compliance assessment reports, and associated findings prepared by it or its
independent auditors for comment and input prior to formalization and/or sharing such information with a third party.
9. Operational Resilience
Supplier shall maintain a documented operational resilience program, with defined roles and responsibilities, that is approved by leadership and reviewed on a periodic basis. The
program shall identify the Supplier’s Important Business Service’s Impact Tolerances relevant for the services provided to Company and meet Company’s Impact Tolerance of 24-48 hours. Supplier shall identify critical systems supporting the services
provided to Company that ensure redundancy and failover mechanisms, vulnerability management, and performance monitoring. Supplier is responsible for service continuity and appropriate regulatory compliance. Supplier recovery capabilities will align
with the Company’s relevant Important Business Service’s Impact Tolerances. Appropriate incident management response and notification procedures shall be in place for incidents impacting Important Business Services in accordance with section 7.2 of
this Exhibit. Subcontractors supporting the provided services are subject to the resiliency program requirements. If requested by Company, Supplier shall provide an annual attestation of operational resilience program effectiveness and testing
summary or attestation.
10. Termination of Agreement
Any failure to perform or breach of this Schedule by Supplier will be deemed a material breach of the Agreement and the Company may terminate (in whole or in part) the Agreement as set forth in
Section 8.3(a) of the Agreement.