ANNEX D: FINANCIAL SERVICES ADDENDUM

This Annex D "Financial Services Addendum" (the "FSA") forms part of the GTC and any Order Form(s) executed thereunder, including the relevant Schedule(s), concluded between Service Provider and Customer. 

1. PURPOSE AND SCOPE

   1. This FSA only applies to the Agreement to the extent (a) Customer is a Regulated Entity and its use of the Services is subject to Financial Law and/or (b) Customer's Authorized Affiliate is a Regulated Entity and its use of the Services is subject to Financial Law, provided that nothing contained in the foregoing (b) shall authorize an Authorized Affiliate to exercise a right or seek any remedy against Service Provider, except as required by law, and, in any event. The applicability of this FSA shall not depend on express selection in an Order Form. Any reference to the FSA in an Order Form shall be declaratory only.

   2. The rights granted by Service Provider in this FSA may solely be exercised to the extent required and appropriate for Customer and/or its Auhorized Affiliate's compliance with applicable Financial Law, and in a manner that shall not exceed what is necessary to achieve the objectives of applicable Financial Law including, where applicable, in accordance with the principle of proportionality. For clarity, Customer and/or its Authorized Affiliates are exclusively responsible at all times for compliance with applicable Financial Law.  
      
      

2. DEFINITIONS

   Capitalised terms used but not defined herein shall have the meaning given to them in the Agreement. The following definitions apply to this FSA:

   "Authorized Affiliate" means a Customer Affiliate which is permitted to use the Services pursuant to the Agreement, but which has not signed its own Order Form with Service Provider and is not a "Customer" as defined under the Agreement.

   "Critical Service" means any Service that supports any critical or important function of a Regulated Entity.

   "Cyber Incident" means a security breach of the Services that takes place as a result of external or internal actors exploiting vulnerabilities or circumventing protective measures resulting in an adverse impact on the availability, authenticity, confidentiality or integrity of Customer Data and/or on the availability or integrity of Services provided to Customer, as applicable.

   "DORA" means the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554).

   "Financial Law" means all laws and regulations (including any successor or update thereto that comes into force during the term of the Agreement) which regulate the use of third-party services by Regulated Entities, including, without limitation, DORA and FINMA Circulars and ordinances, and any other Swiss and European laws and regulations that apply to Regulated Entities. 

   "FINMA" means the Swiss Financial Market Supervisory Authority. 

   "FINMA Circulars" means any circulars issued by FINMA and applicable to the Regulated Entity, in particular Circular 2018/3 on "Outsourcing" published by FINMA on 21 September 2017 and Circular 2023/1 on "Operational risks and resilience" published by FINMA on 07 December 2022, or any successor or update thereto (subject to such successor or update thereto).

   "ICT" means information and communication technology.

   "Regulated Entity" means an entity that provides banking, credit, insurance and reinsurance, payment, electronic money, investment, stock brokering or stock exchanges services, and that is subject to the supervisory authority of one or more Regulator(s). 

   "Regulator" means a financial or prudential authority (including any successor authority) having binding supervisory authority over Customer and/or its Authorized Affiliates under Financial Law, including, without limitation, FINMA for Switzerland. 

   "Services" means, for the purposes of this FSA, the services provided by Service Provider to Customer under the Agreement.  

   "Threat-Led Penetration Testing" or "TLPT" means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of Customer's critical live production systems.
   
   

3. INFORMATION SECURITY

   Service Provider shall:

   1. implement and maintain appropriate technical and organizational measures designed to protect the confidentiality, integrity, authenticity and availability of Customer Data and to ensure the resilience, continuity and availability of the Services, including those further detailed in this FSA (including this Section III) and in Exhibit A (Technical and Organizational Measures) of the DPA in Annex C (Data Processing Agreement) of the GTC; 

   2. comply with the provisions on professional secrecy as set out in the DPA in Annex C (Data Processing Agreement) of the GTC;

   3. continuously monitor and test the systems and back-up facilities used to provide the Services to detect any vulnerability, security breach, unauthorized intrusion or suspicious activity involving Customer Data for their proper functioning in terms of information security at regular intervals, and at least annually, and take immediate steps to remedy to any identified information security deficiency;

   4. provide reports in relation to the Services in such form, containing such information and at such frequency as is set out in the Agreement and/or Financial Law or as otherwise agreed between the Parties from time to time. The reports shall be delivered by such medium, which may include the Customer Portal at https://hashgraph.atlassian.net/helpcenter/thgsupport/ , as further specified by Service Provider; 

   5. ensure that its personnel and subcontractors who has privileged access to Customer Data, even if only temporarily, (i) has been carefully selected and trained, (ii) is supervised (including by way of audit trails that are regularly reviewed for anomalies), and (iii) in the case that such Customer Data is deemed to be "critical" as per FINMA Circulars, can be identified towards Customer upon request; 

   6. ensure that its personnel involved in the provision of the Services participate, at Customer's cost, in programs offered or suggested by Customer to raise awareness of ICT security and training on digital operational resilience.
      
      

4. BUSINESS CONTINUITY MANAGEMENT

   1. Service Provider shall have in place a business continuity program, including an associated disaster recovery plan ("DRP") focusing on the recovery of ICT resources, commensurate with the nature, scope and complexity of the Services, including any Critical Service ("Business Continuity Plan" or "BCP"). The BCP shall be designed to minimize the adverse effect of any reasonably foreseeable event on the ability of Service Provider to perform the Services and to the business continuity of the outsourced functions. Service Provider shall make those parts of its BCP relevant to the provision of the Services available for review by Customer upon request, subject to an adequate confidentiality undertaking. Service Provider shall ensure that its personnel and sub-contractors receive regular training in executing the BCP. 

   2. The BCP is tested at least annually, and Service Provider shall provide Customer with reports on these tests performed upon request. Service Provider shall remedy any findings of non-compliance with this Section IV within an adequate period of time.

   3. Service Provider shall promptly notify Customer of: 

      (i) any test finding that may materially affect the performance of the Services; and

      (ii) any significant changes in Service Provider's BCP.

   4. Changes to Service Provider's BCP shall not result in a reduction of the level of protection provided by it.

   5. Service Provider shall, at Customer's cost, provide any reasonably requested support to Customer in establishing and testing of its own business continuity and operational resilience measures as may be required under Financial Law.  

5. PENETRATION TESTING and TLPT

   1. Service Provider shall make available to Customer the summaries of the most recent penetration testing that has been performed on the applicable Services of the Agreement through the Customer Portal at https://hashgraph.atlassian.net/helpcenter/thgsupport/.

   2. Where Customer is a Regulated Entity receiving Critical Service from Service Provider and where such Customer is identified by the Regulator as needing to conduct TLPT or expected to conduct such TLPT involving Service Provider, Service Provider shall, upon Customer's written request, participate and cooperate in the TLPT, subject to agreeing on the scope and modalities in advance to protect Service Provider's operational environment and the confidentiality of its other customers. Customer shall reimburse Service Provider for all reasonable fees, costs and expenses (including personnel), arising from Service Provider's participation in the TLPT as per this Section V.b).
      
      

6. AUDIT AND SUPERVISION

   1. Service Provider shall grant Customer, Customer's internal and external auditors (bound by an adequate statutory or contractual confidentiality undertaking) and any competent Regulator (together, the "Auditors") full and unhindered audit and inspection rights in relation to the functions outsourced by Customer to Service Provider, which shall include in particular the Services provided by Service Provider under the Agreement. This includes the rights to audit and verify, at Customer's cost, (i) the functions outsourced by Customer to Service Provider (including on-site), (ii) Service Provider's operations, documentation, data and systems used for performing the Services as well as audit reports concerning the outsourced functions commissioned by or on behalf of Service Provider (or its subcontractors), and to take copies of (iii) relevant documentation on-site if they are critical to the operations of Service Provider. Insofar as a Swiss Regulated Entity is at issue, Auditors may enforce the foregoing audit rights directly against Service Provider. 

   2. Service Provider will assist in such audit, and provide any reasonably requested and available access, documentation and information to the Auditors. An audit or verification may not (i) without good reasons interfere with the operations of Service Provider and (ii) interfere with third party data protection, secrecy and intellectual property rights. An audit or verification shall be announced reasonably in advance and coordinated with Service Provider. These restrictions shall, however, not be interpreted as a limitation of the right to audit as provided for, or required under, Financial Law with regard to Auditors other than Customer's.

   3. Service Provider may provide Customer with reports of audits commissioned by Customer or its subcontractors concerning the outsourced function or other aspects of the Services. In such case, Customer agrees to, where reasonably possible and permitted, first consult with such audit reports before initiating individual information requests or otherwise exercising its audit rights. This in particular applies with regard to cloud and other service providers Service Provider may use in providing its Services. 

   4. Customer shall reimburse Service Provider for all reasonable fees, costs and expenses (including personnel), arising from the exercise of an audit as per this Section VI. Customer shall, when engaging an external Auditor, ensure that the external Auditor complies with the terms applicable to the audit, and is responsible for the acts and omissions of its external Auditor. For the avoidance of doubt, where the audit is conducted through an external Auditor, the costs of the external Auditor shall not be borne by Service Provider. 
      
      

7. NOTIFICATION OBLIGATIONS

   1. Service Provider shall notify Customer, without undue delay, (i) any successful or partially successful Cyber Incident that affects Customer and the Services, and (ii) any material breach of confidentiality, integrity, authenticity or availability of Customer Data. In case of a Cyber Incident requiring notification to a Regulator under Financial Law, initial notification to Customer shall occur not later than 24 hours from detection (and insofar FINMA Circulars apply: not later than 18 hours). For each Cyber Incident and any other incident that may have a material adverse impact on the Services or on Customer Data, Service Provider shall provide Customer with regular updates, a root cause analysis and any other information and assistance reasonably requested by Customer to deal with the incident, including any information required for Customer to complete regulatory incident reports that is reasonably available to Service Provider. If such incident occurred within the sphere of responsibility of Service Provider, it shall do so at its own cost. Otherwise, it may charge for its assistance on a time and materials basis at its standard rates.

   2. Service Provider shall notify Customer after becoming aware of developments that may have a material impact on Service Provider's ability to provide its Services, including Service Provider's ability to perform the Services in accordance with the service levels and/or leading to disruptions or outages of the Services. 

   3. Upon request, Service Provider shall provide Customer with information on the countries where Customer Data is stored and processed and where Services are provided, unless this is already agreed in the Agreement. Service Provider shall notify Customer reasonably in advance of a change to these locations.
      
      

8. REGULATORY COMPLIANCE CHANGE PROPOSALS

   1. Customer and/or its Authorized Affiliate shall remain responsible (i) for compliance with applicable contractual, legal and regulatory requirements regarding its business and the use of the Services, in particular, applicable Financial Law, (ii) for any interactions with Regulators and other public authorities to which it is subject, and (iii) for obtaining the permissions from, and undertake notifications and registrations with, competent Regulators and other public authorities as necessary for engaging Service Provider to perform its obligations under the Agreement. Furthermore, Customer and/or its Authorized Affiliate shall remain solely responsible for complying with Financial Law in respect of its business and the use of the Service in the conduct of its business vis-à-vis its End-Customers, employees and other business partners. 

   2. Upon the respective written instruction of Customer and/or its Authorized Affiliate, Service Provider undertakes to fully cooperate with Customer's and/or its Authorized Affiliate's competent Regulator or resolution authority (including, as applicable, FINMA) and any persons appointed by them concerning Customer's and/or an Authorized Affiliate's use of the Services. The foregoing obligation shall not be subject to any limitation or exclusion of liability agreed in the Agreement.

   3. Customer agrees and undertakes that it and its Authorized Affiliate shall indemnify, defend, and hold Service Provider harmless against any liability arising from or in connection with violations of Section VIII.a), in particular, such indemnification shall include any damages, costs, claims or expenses incurred by Service Provider as a consequence of such violations.

   4. If Customer and/or its Authorized Affiliate is of the reasonable opinion that the Services do not adequately enable Customer to comply with Financial Law, it may notify Service Provider thereof in writing, giving reasonable details on how to improve or amend the Services to better enable Customer to comply with such Financial Law (a "Regulatory Change Proposal"). Service Provider will consider such Regulatory Change Proposal and may, in its own reasonable discretion, decide whether, and if so, when, to amend the Services. For the avoidance of doubt, Service Provider shall not be under an obligation to amend any of the Services because of a Regulatory Change Proposal.

      
      

9. SUBCONTRACTING

   1. To the extent permitted by Financial Law, Service Provider may delegate the performance of a material part of the Services to third parties (other than employees and other auxiliary persons), subject to the following provisions and provided such subcontractor is listed on its list of material subcontractors, which is available at https://www.hashgraph-group.com/contracts/sub-processors. 

   2. Service Provider shall ensure that any subcontractor is bound by written agreement to comply with relevant obligations at least as strict as those imposed on Service Provider under the Agreement (including this FSA), in particular with regard to information security, confidentiality, audit rights, and cooperation with Regulators. The use of reputable, widely used cloud and other service providers with their standard terms for financial institutions and financial service providers shall be deemed to meet this requirement. 

   3. If Service Provider wishes to engage a new subcontractor in relation to a material part of the Services and, or otherwise amend the list of material subcontractors, it shall notify Customer in text form in an appropriate manner at least sixty (60) days in advance (e.g. by means of an e-mail). Customer may object in writing within fifteen (15) days to the change of a subcontractor or appointment of a new subcontractor; it shall do so only for justified reasons under Financial Law or other applicable law. If the Parties cannot reach agreement within fifteen (15) days, Customer may extraordinarily terminate the affected Service of the Agreement, provided it shows that the objection is necessary under Financial Law or other applicable law. 

   4. With regard to subcontractors that act as sub-processors of Service Provider in relation to the Processing of Personal Data on behalf of Customer, the relevant provisions on sub-processing in Annex C (Data Processing Agreement) of the GTC apply. 

10. RESOLUTION AND INSOLVENCY

    Service Provider acknowledges that Customer, as a Regulated Entity, may be subject to resolution proceedings under Financial Law. In the event of a resolution or similar event concerning Customer, Service Provider shall:

    1. comply with the directions of the Regulator or the appointed resolution authority to the extent required by Financial Law (but without prejudice to any rights or remedies Service Provider has under the Agreement); 

    2. not terminate or suspend the Services solely due to the resolution event, provided Customer's substantive obligations under the Agreement (including payment obligations) continue to be met; 

    3. consent to the transfer of the Agreement to a successor entity, a bridge institution, or a third-party acquirer as part of the resolution, provided the transferee assumes all of Customer's obligations under the Agreement; and 

    4. provide for the access, recovery and return of all Customer Data, including personal and non-personal data, in an easily accessible and machine-readable format. 
       
       

11. ADDITIONAL CUSTOMER TERMINATION RIGHTS 
    
    

    1. The term and termination rights regarding the Agreement are set out in the respective Order Form(s), Schedules and GTC. In addition to the aforementioned rights, Customer may terminate the Agreement in full or in part, if any of the following circumstances arise: 

       (i) Service Provider failed to address a Customer's Regulatory Change Proposal pursuant to Section VIII.d) to the extent that the Services or their use no longer allow Customer and/or its Authorized Affiliates to comply with new/updated Financial Law and Customer has informed Service Provider thereof in writing and Service Provider still failed to adequately address the issue within a reasonable deadline set by Customer; 

       (ii) if Customer has been requested by a final and enforceable order of a Regulator or other competent authority to stop using the Services due to non-compliance with Financial Law; or

       (iii) if Customer is specifically and enforceably requested to terminate the Agreement by a competent Regulator and Customer has documented this to Service Provider.
       
       

    2. Customer may also terminate the Agreement in full or in part extraordinarily if any of the following circumstances arise:

       (i) Service Provider has committed a material breach of Financial Law (this does not apply to breaches of industry-specific requirements which must be observed by Customer) and fails to remedy such breach within a reasonable grace period of at least thirty (30) days after receiving Customer's written notice of the breach in accordance with the terms of the GTC;

       (ii) there is a material breach by Service Provider of any other provisions of this FSA that, if it can be remedied, has not been remedied within a reasonable grace period of at least thirty (30) days after receiving Customer's written notice of the breach in accordance with the terms of the GTC;

       (iii) circumstances identified throughout Customer's monitoring of ICT third-party risk that are objectively deemed capable of altering the performance of the outsourced functions provided under the Agreement, including material changes that affect the arrangement or the situation of Service Provider;

       (iv) there are proven significant weaknesses in Service Provider's overall ICT risk management and in particular in the way Service Provider ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data; or

       (v) where Customer's competent Regulator (including, as the case may be, FINMA) can no longer effectively supervise Customer as a result of the conditions of, or circumstances related to, the respective contractual arrangement with Service Provider, including the Agreement.
       
       

    3. If the Agreement is terminated in full or in part in accordance with this Section XII, Customer will pay any unpaid fees covering the remainder of the term of the applicable Order Forms(s) to the extent permitted by applicable law. In no event will termination relieve Customer of its obligation to pay any fees payable to Service Provider for the period prior to the effective date of termination.

    4. If the Agreement is terminated in full or in part in accordance with this Section XII, Service Provider shall provide for the access, recovery and return of all Customer Data, including personal and non-personal data, in an easily accessible and machine-readable format.
       
       

12. EXIT STRATEGY AND ASSISTANCE

    1. Customer may notify Service Provider in writing without unreasonable delay and in any event not later than fifteen (15) days prior to the effective date of the termination or expiry of the Agreement (except in the event of extraordinary termination of the Agreement), if Customer requires Service Provider to continue to provide the Services for an additional six (6) month period after the effective date of termination or expiry of the Agreement (the "Transition Period") with a view to reducing the risk of disruption to Customer or to ensure its effective resolution and restructuring, and to allow Customer to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the Services provided by Service Provider.

    2. Where termination of an Agreement results from a Customer breach of the Agreement, Service Provider's provision of the Services during the Transition Period will be subject to (i) Customer's breach not having been the result of intentional misconduct, and (ii) Customer having cured the breach giving rise to such termination before the commencement of the Transition Period or having committed in good faith and in writing to promptly and without undue delay cure the breach giving rise to such termination provided the breach can be objectively cured and Service Provider agrees with the committed timeline (which shall not be unreasonably withheld), and not committing the same breach during the Transition Period. For clarity, this is provided that such Customer breach does not make it impossible or impractical for Service Provider to reasonably continue offering its Services during the Transition Period. During the Transition Period, Service Provider will cooperate with Customer in good faith on the development of Customer's exit plan by providing relevant information about the Services as reasonably required by Customer.

    3. Service Provider shall provide the Services during the Transition Period in accordance with the Agreement (notwithstanding its termination or expiry), on a time and materials basis at its standard rates, subject to the following:

       (i) Customer shall pay a 20% price increase during the Transition Period as applied immediately before the termination date;

       (ii) Customer shall execute an Order Form for such continued Services before the effective date of termination or expiry of the Agreement; 

       (iii) Service Provider shall provide for the access, recovery and return of all Customer Data, including personal and non-personal data, in an easily accessible and machine-readable format; and

       (iv) where termination results from a Customer's breach of the Agreement, Customer having cured the breach giving rise to such termination.
       
       

    4. Any additional assistance to be provided by Service Provider to Customer that goes beyond the scope of the Services during the Transition Period shall be subject to the Parties entering into a professional services agreement and related statement of work or other agreement governing such assistance (on similar terms as the Agreement).

    5. Notwithstanding any termination or expiry of the Agreement, the terms of the Agreement shall continue to govern Service Provider's provision of the Services during the Transition Period as if it had not been terminated.

13. OTHER PROVISIONS 

    Furthermore, the Parties agree as follows:

    a) Customer and/or its Authorized Affiliates shall provide Service Provider all information required by Service Provider to fulfil its contractual obligations under this FSA without undue delay. 

    b) Amendments to this FSA must be made in writing and duly signed by authorized representatives of the Parties. 

    c) All prior terms and conditions regarding compliance with regulatory requirements under Financial Law between the Parties are deemed superseded by this FSA as of its effective date. 

    d) In the event of a conflict between the provisions of this FSA and the provisions of the GTC, the provisions of this FSA shall prevail to the extent they relate to compliance with regulatory requirements under Financial Law. 

February 2026