Terms and Agreements – Four Seasons

1. CSI General Terms and Conditions

By executing the MSA, you (“Company,” “you”) agree that these General Terms and Conditions (“General Terms”) govern your use of the Services (as defined below) and form a part of your agreement with globalVCard LLC d/b/a Corporate Spending Innovations (“CSI” “we” “us” “our”) (collectively, the MSA, these General Terms, and the Service Agreements are referred to herein as the “Agreement”). Capitalized words not otherwise defined herein have the meaning set forth in the MSA.

1. Services.

a) General. CSI will provide the commercial payments services subscribed to by Company in the MSA and as part of Company’s set up and implementation process with CSI including, as selected by Company in the MSA and as made available by CSI via CSI’s Paysystems® for accounts payable and business payment transactions (the “Program”), which may include: (i) virtual and lodged commercial cards, (ii) network/ACH, (iii) check, (iv) Direct Bank ACH, and/or (v) other payment solutions as may be offered by CSI from time to time (each individually a “Service,” and collectively, the “Services”). Company will be provided a CSI Paysystems account (the “Account”) which gives Company access to the Services and features it has elected to use, enabling it to view and manage payments, vendors, reports, and users according to the permissions its Account has been configured to support. Associated with the Company’s Account is also a ledger of the funds deposited and available for payment transactions.

b) Commencement/Continued Use. Unless otherwise set forth in the applicable Service Agreement, the “Commencement Date” of a Service not in effect as of the effective date of the MSA is the date agreed to by the parties in writing. CSI may postpone implementation, suspend use of a Service, or require additional information or documentation, if Company (i) fails to timely provide required information, (ii) fails to implement the Service within 180 days of submission of the MSA, or (iii) ceases using a Service for a period of more than 180 days.

c) Authorized Third Parties. Company may be accessing the Program or utilizing the Services via a third-party integration (such as an ERP system) or permitting a third-party service provider to access the Program on behalf of the Company (such as a managed service provider). To the extent applicable, Company hereby grants such third parties identified/confirmed by Company (each an “Authorized Third Party”) access to the Program and Services, as necessary, on behalf of the Company. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS OR ANY OTHER AGREEMENT, CSI SHALL NOT BE LIABLE FOR, AND COMPANY HOLDS CSI HARMLESS FROM, THE ACTS AND OMISSIONS OF ANY SUCH AUTHORIZED THIRD PARTY.

d) CSI Responsibilities. CSI will provide Company with (i) availability of the Service in accordance with these General Terms and the applicable Service Agreement; and (ii) standard reporting, if any, associated with use of the Service. CSI shall perform the Services in all material respects in compliance with applicable laws. CSI may delay performance until Company has paid all applicable fees required under the Service Agreement. CSI may subcontract the performance of certain Services or portions thereof to a third party (each a “Subcontractor”), provided, that CSI shall remain responsible to Company in accordance with these General Terms for the Services performed by any Subcontractor (the “Subcontracted Services”) to the same extent as if the Subcontracted Services were performed by CSI. Other than Subcontractors, CSI is not responsible for and does not control any third parties in conjunction with the Services. CSI shall at all times be in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

e) Company Responsibilities. Company will: (i) except as otherwise provided in this Agreement, assume all risk and liability associated with transactions, including any risk of counterfeit, charged-back or fraudulent transactions; (ii) use each Service in accordance with the MSA, these General Terms, and the applicable Service Agreement; (iii) timely deliver any data or other information necessary for the provision of the Service in an electronic form and format approved by CSI; (iv) be solely responsible for providing any information or cooperation required from its payees, customers, or other third parties in order to commence or continue the Service; (v) have sole responsibility for verifying the accuracy, completeness or authenticity of any data furnished by Company or a third party; (vi) be responsible for all charges made via Company’s Account for goods or services purchased by or paid on behalf of Company or anyone authorized to use Company’s Account as more particularly detailed in the applicable Service Agreement; (vii) be solely responsible for the acts, omissions (including delays), and training of its employees and authorized users; (viii) monitor and comply with all laws applicable to Company’s use of a Service, including but not limited to those laws relating to automated clearing house transfers, network associations, electronic funds transfer, and privacy (“Legal Requirements”); and (ix) appoint an individual to serve as Company’s administrator (“Account Administrator”) with complete authority to administer and manage the use of the Services on Company’s behalf.

f) Payees. CSI cannot guarantee the timing of any payee’s application of payments made through the Service, and CSI will not be liable for any late payment fees assessed or any disrupted services between such payee and Company that may result from the failure of a payee to timely apply any amounts sent on Company’s behalf.

g) Erroneous and Disputed Payment. Company acknowledges that CSI cannot “stop payment” on any transaction. For any erroneous or disputed transaction, Company should refer to the applicable Service Agreement and must follow the disputed transaction process as posted on the CSI website.

h) Changes to Services. CSI may change any features, functions, card brand, third party provider, or attributes of a Service, or any element of its systems or processes, from time to time. Except as may be required by Card Network rules or applicable law, such changes shall not have a material adverse impact on the functionality or performance of a Service. Company acknowledges and agrees that the card network utilized to provide transactions under this Agreement shall be selected by CSI in its sole discretion.

i) Business Purpose. Company represents and warrants that it will use the Services only for lawful business purposes and that the Services will not be used for personal, family or household purposes.

j) ACH Authorization. If requested, Company authorizes CSI to initiate ACH debit entries to the account identified in such authorization form, including micro-deposits used to verify the account during set-up. This authorization shall remain in effect for the banking information provided with the MSA unless and until CSI has received written notification from Company that this authorization has been terminated in such time and manner to allow CSI to act on such instructions. The Company hereby represents and warrants that the person submitting the banking information with the MSA is an authorized signatory on the account provided and all information regarding the account is true and correct. Company acknowledges that any ACH debits returned must be resolved directly with its bank.

2. Information.

a) Company Identification Program. To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person or business entity that establishes an account. The foregoing applies to CSI as a third-party service provider and, as such, when Company establishes an Account, Company must provide CSI or Issuing Bank with Company’s business entity name, principal and local (if different) address, date of formation, employer identification number and other information reasonably requested by CSI or Issuing Bank. Company agrees that CSI or Issuing Bank may seek information about Company from third parties to confirm Company’s identity or for other Account related purposes. CSI is required to follow these procedures even if Company is already a customer of CSI. In addition, Company will be required to provide all information required by CSI and the Issuing Bank to perform know your customer (“KYC”) and due diligence requirements, including such information related to Company’s personnel who are intended to administer, monitor, or otherwise oversee Services, and such additional information as may be required by CSI or Issuing Bank. If Company fails to provide such information, documents, or otherwise successfully complete the onboarding process, CSI may decline to provide Services to Company without fault or liability.

b) Information CSI Requires. Before CSI can make any Service available to Company, Company is required to complete a set up and implementation process and complete any forms or documents reasonably necessary for CSI to provide the Service. This process includes the selection of important features and options available in conjunction with the Service, and the designation of persons with authority to act for Company (each an “Authorized Person”). In addition, CSI may require information or the execution of documents at various times throughout the duration of the Agreement. Company agrees to provide any information and to execute such documents that CSI reasonably requires in connection with the Program.

3. Data.

a) Customer Data. Company shall ensure the validity, accuracy and completeness of all information, data and instructions provided to CSI (including Personal Information, or data exchanged with or provided to CSI on Company’s behalf) (collectively “Company Data”), which CSI may rely on without verification. CSI is not required to act on instructions provided by Company if CSI reasonably doubts any instructions, or Company’s compliance with these General Terms or any Legal Requirements. CSI, Authorized Third Parties, Issuing Bank, and Subcontractors, as defined herein, may use Company Data to perform the Services, as required or permitted under applicable law, for reasonable business purposes, including, without limitation, transaction monitoring, intelligent payment decisioning and programs relating to the Services, and other lawful purposes. CSI may use Company Data in connection with research and development or creation of data and analytics tools and products in accordance with applicable law. CSI or its affiliates shall own all right, title or interest in or to any information, products, services or intellectual property arising from such use. CSI’s use of information, including the development of commercial products as a result of or in connection with such research and development activities, will not be a violation of the Agreement. CSI shall not sell Company Data or provide Company Data to any third party except as provided herein.

b) Data Sharing. Company hereby authorizes CSI to share Account information with any Authorized Third Party, including but not limited to providing Account balances, transaction and card usage information, and reporting, as necessary under any Service Agreement. Company hereby confirms that it has provided permission to the Authorized Third Party to use such information as is necessary to obtain the Services.

4. Fees and Other Charges.

a) Fees. Company will pay CSI for all fees, additional service fees and special fees, costs and charges permitted under this Agreement, as set forth on the Fee Schedule, Exhibit B of the MSA (collectively, “Fees”). CSI reserves the right to modify the Fees applicable to the Services from time to time in accordance with the terms of Section 15(a) (Amendments) hereof.

b) Taxes. Except for CSI’s income tax, Company will pay, or reimburse CSI for, any and all applicable sales, use, excise, franchise or other taxes (collectively, “Taxes”), whether federal, state or local, however designated, which are levied or imposed with respect to Company’s use of the Services.

5. Fraud.

CSI may, in its discretion, suspend or terminate the Services, without notice to Company, if CSI reasonably suspects fraudulent, illegal, or improper activity. Company shall cooperate with CSI to prevent and detect fraudulent activity in connection with Company’s use of the Services. Company shall promptly provide documentation and information which may be reasonably requested by CSI in connection with its investigation of any suspected fraudulent, illegal, or improper activity.

6. Intellectual Property.

Except as expressly provided herein, these General Terms do not grant either party any right, title, interest, or license (express or implied) to any patent, trademark, service mark, copyright, trade secret or proprietary right associated with, on the part of CSI, the Services, or, on the part of either CSI, or Company, applications or business methods of the other party (or those of such party’s affiliates) required or provided in connection with the Services (whether owned or licensed by such party or its affiliates or a third party); or arising from CSI or its affiliates’ research and development activities. CSI may use Company’s name and logo in publicity indicating that Company and CSI have entered into a contractual relationship.

7. Confidentiality.

a) Confidential Information. “Confidential Information” means all data or information that is competitively sensitive and/or not generally known to the public; including, but not limited to, information which is marked confidential or proprietary, customer lists, technology, inventions, systems, operations, facilities, products, services, discoveries, ideas, concepts, research, development, processes, operating procedures, marketing, business and development plans, pricing, policies and financial information. Confidential Information does not include information which: (i) is or becomes part of the public domain through no fault of the receiving party; (ii) was already known to the receiving party prior to its disclosure; (iii) is lawfully obtained from a third party without obligations of confidentiality; or (iv) is independently developed by the receiving party without reference to any Confidential Information of the other party.

b) Disclosure and Use Restrictions. Neither party will disclose, reproduce, transfer or use the other party’s Confidential Information; provided, however, that (i) CSI and its employees, affiliates, agents, advisors, Issuing Bank, or Subcontractors may access and use Company’s Confidential Information and information provided by Company, which may include Personal Information (as defined below), in order to provide the Services, provided that such third party agents and Subcontractors will comply with the confidentiality provisions of the Agreement, (ii) as applicable, each Authorized Third Party has been authorized by Company to access and use Company’s Confidential Information or Personal Information (defined below) in connection with the Services, and (iii) either party may disclose Confidential Information as may be required by law, regulation, court order, or subpoena, provided the disclosing party uses reasonable efforts to notify the other party prior to disclosure (unless such notification is prohibited by law, regulation, court order or subpoena) so such party may, at its own cost, seek to prevent or limit such disclosure.

c) Company’s Information Security. Company is responsible for the security of all non-public or personally identifiable information, including usernames and passwords, which are on the systems or equipment under Company’s control. Company will maintain information security practices, which comply with applicable law and are reasonably designed to prevent unauthorized access to, use, disclosure, or alteration of, Personal Information. In the event of a breach of Company systems or equipment, Company will take such steps as may be necessary and appropriate to secure its systems and prevent further unauthorized access and shall comply with applicable law and card network requirements. CSI does not require the download of any software and as such is not responsible for any computer viruses (including, without limitation, programs commonly referred to as “malware” or “spyware”), problems or malfunctions resulting from any computer viruses, and CSI is not responsible for any damage to Company’s computer or operating systems or for loss of data that results from the download of any such material, whether due to any computer virus or otherwise. CSI is not responsible for any errors or failures resulting from defects in or malfunctions of any software installed on Company’s operating systems.

d) Equitable Relief. CSI and Company agree there is no adequate remedy at law for a breach of the confidentiality, disclosure, use, safeguarding and ownership requirements (collectively, the “Confidentiality Requirements”) related to Confidential Information and Personal Information herein. A breach of the Confidentiality Requirements may cause irreparable harm for which the non-breaching party may not have an adequate remedy at law; and, therefore, the non-breaching party will be entitled to seek injunctive relief (without posting a bond or other security) against the breaching party in addition to any other rights or remedies available at law or in equity.

e) CSI Data Security. CSI shall comply with the data privacy and security policies as set forth in the attached Data Processing Addendum (the “DPA”), to the extent it is consistent with industry standards and applicable law.

8. Representations and Warranties.

a) Each party represents and warrants that: (i) it has the right, power, and ability to enter into and perform under the Agreement; (ii) the execution of the MSA and provision or use (as applicable) of the Services described herein does not violate any law or contract applicable to such party; and (iii) it will comply with applicable law in connection with its performance under this Agreement.

b) Company additionally represents and warrants that, if applicable, Company has a valid agreement with the Authorized Third Party to use the Program and permits the Authorized Third Party to utilize the Services for and on behalf of the Company.

9. No Use of Services for Illegal or Unapproved Purposes.

Company shall not use the Services in connection with any product, service or activity that is illegal under applicable federal or state law, Card Network rules, or prohibited by restrictions imposed by the bank that issues the commercial cards under the program or holds any related funds (the “Issuing Bank”). Specifically, Company agrees not to use the Service in connection with any business of placing, receiving or otherwise knowingly transmitting bets or wagers by any means which involves the use, at least in part, of the Internet, or for any other transaction which is prohibited by Federal Reserve Regulation GG – Unlawful Internet Gambling Enforcement Act of 2006.

10. Information to Issuing Bank; Audit.

Upon request, Company shall furnish to CSI, or Issuing Bank, information pertaining to Company’s access to and use of the Program and Services. Company understands such information may be subject to review and audit by the Issuing Bank and its regulators and auditors (“Auditing Parties”). Company agrees to fully cooperate with each Auditing Party in conjunction with any review or audit by such Party. This Section 10 shall survive the termination or expiration of the Agreement to the extent required by applicable law.

11. Disclaimer of Warranties.

COMPANY ACKNOWLEDGES AND AGREES THAT COMPANY’S USE OF THE SERVICES SHALL BE AT COMPANY’S SOLE RISK, AND THAT THE SERVICE IS PROVIDED BY CSI ON AN “AS IS,” “AS AVAILABLE” BASIS. EXCEPT AS OTHERWISE PROVIDED HEREIN, CSI DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, IN CONNECTION WITH THE SERVICES, INCLUDING (WITHOUT LIMITATION) ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, OR SUITABILITY, AND ANY SUCH WARRANTIES ARE HEREBY EXPRESSLY EXCLUDED. COMPANY AGREES THAT NO ORAL OR WRITTEN ADVICE OR REPRESENTATION OBTAINED FROM ANY CSI EMPLOYEE OR REPRESENTATIVE SHALL CREATE A WARRANTY OR REPRESENTATION FOR PURPOSES OF THIS AGREEMENT. CSI DOES NOT WARRANT THAT THE SERVICES WILL BE ERROR FREE OR THAT THE USE OF THE SERVICES WILL BE UNINTERRUPTED.

12. Limitation of Liability.

a) NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS OR ANY OTHER AGREEMENT, CSI SHALL BE LIABLE ONLY FOR DAMAGES SOLELY AND PROXIMATELY CAUSED BY ITS GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, AND CSI’S LIABILITY SHALL IN NO EVENT EXCEED THE TOTAL FEES PAID BY COMPANY TO CSI FOR THE SERVICES FOR THE PERIOD OF SIX MONTHS IMMEDIATELY PRECEDING THE DATE OF THE EVENT GIVING RISE TO THE DAMAGES.

b) IN NO EVENT SHALL CSI BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR INCIDENTAL DAMAGES, LOSSES OR INJURIES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS) ARISING OUT OF, OR RELATED TO, THE USE BY COMPANY OF THE SERVICE EVEN IF CSI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, LOSSES OR INJURIES.

13. Relationship.

CSI is an independent service provider and neither CSI nor any of its representatives are an employee, partner, or joint venturer of Company. Except as expressly stated in the Agreement, neither party shall be an agent of the other, nor have any authority to represent the other in any matter.

14. Term and Termination.

a) This Agreement (including any applicable Service Agreements) shall commence on the later of the date of the last signature on the MSA, or CSI’s approval of the MSA (for which CSI will provide notice to Company) and shall remain in full force and effect for five (5) years (the “Initial Term”), provided that the Initial Term shall automatically renew for successive periods of one (1) year each (each a “Renewal Term”), unless either party provides not less than ninety (90) days’ notice of non-renewal prior to the next Renewal Term.

b) In addition to any other remedies, either party may terminate this Agreement if the other party: (i) is dissolved, becomes insolvent, generally fails to pay or admits in writing its general inability to pay its debts as they become due; (ii) makes a general assignment or agreement with or for the benefit of its creditors; (iii) files a petition in bankruptcy or institutes any action under federal or state law for the relief of debtors; (iv) seeks or consents to the appointment of an administrator, receiver, custodian, or similar official for the wind up of its business; (v) becomes the subject of an involuntary petition in bankruptcy or any involuntary proceeding related to insolvency, receivership, liquidation or composition for the benefit of creditors, and such proceeding is not dismissed or stayed within thirty (30) days; (vi) fails to pay any obligation when due or payments to CSI are returned or reversed for any reason; (vii) violates any applicable law in connection with the Agreement or Service; or (viii) except with respect to breaches by Company of subsections (vi) or (vii) hereof, breaches a material representation, warranty, term, condition or obligation under the Agreement, and fails to cure such breach within thirty (30) days after receiving written notice of such breach. CSI may terminate the Agreement at any time, effective upon written notice to Company, in the event CSI reasonably believes that Company is misusing the Services or that its continued access to the Services is likely to lead to fraud, misuse or unreasonable damage or risk to CSI, the Issuing Bank or Card Network.

c) The termination of this Agreement will not affect Company’s responsibility to pay, or CSI’s right to recover, any amounts for which Company is liable under the Agreement, and upon termination, Company shall immediately pay all such amounts then owed in connection with the Agreement, without set-off or deduction. CSI will be entitled to recover all costs of collection, including without limitation attorneys’ fees, in the event such amounts are not so paid.

15. Miscellaneous.

a) Amendments. CSI may amend, supplement, or change (each, a “revision”) the terms of the Agreement by providing written or electronic notice to Company. Company shall have thirty (30) days from receipt of such revision notice to terminate this Agreement without penalty, absent which, Company’s use of the Service after the date set forth in the notice, or thirty (30) days, whichever is later, shall constitute consent to the revision.

b) Delay in Enforcement. CSI may at any time and in its sole discretion delay or waive enforcing any of its rights or remedies under this Agreement or under applicable law without losing any of such rights or remedies. Even if CSI does not enforce its rights or remedies at any specific time, it may enforce them later. For example, we may accept late payments or payments that are marked “payment in full” or with other restrictive endorsements without losing any of our rights under this Agreement or applicable law.

c) Notices. Other than as set forth in the DPA, any notice required hereunder shall be given by first class U.S. mail, postage prepaid, by receipted hand delivery, or electronically. If, by mail, to CSI, at the address set forth below and, if to Company, at the address provided at the beginning of this Agreement. Any notice mailed shall be presumed received on the third business day after mailing thereof.

globalVCard, LLC
Attn: Chief Financial Officer
3301 Bonita Beach Road, Ste. 300
Bonita Springs, FL 34134

d) Publicity. Company hereby grants CSI permission to issue any press release, case study, or disseminate similar publicity or marketing materials, respecting this Agreement, including, without limitation, by means of the Internet and, in conjunction with such publicity, CSI is permitted to use any trademark, service mark, trade name, or other commercial symbol of Company.

e) Force Majeure. Neither Party shall be responsible for any failure, error, malfunction or delay in carrying out any of its obligations under this Agreement if any such failure, error, malfunction or delay results from causes beyond its reasonable control, including without limitation, fire, casualty, breakdown in equipment or failure of telecommunications or third party data processing services, internet disruptions, lockout, strike, accident, pandemic, act of God, act of terrorism, riot, war or the enactment, issuance or operation of any adverse governmental law, ruling, regulation, order or decree, or an emergency that prevents it from operating normally.

f) Assignment. This Agreement shall be binding upon and shall inure to the benefit of the parties and their respective successors and permitted assigns. Company may not sell, assign or transfer the Agreement or any of its rights or obligations under this Agreement without the prior written approval of CSI. CSI may sell, assign or transfer the Agreement or Account, without Company’s consent.

g) Entire Agreement. The MSA, together with the Fee Schedule, General Terms, and any Service Agreement, constitutes the complete and exclusive Agreement between the parties with respect to the Service and the Account, and supersedes all prior or contemporaneous proposals, discussions or agreements between the parties with respect to the Service and the Account. In addition, all applicable reference guides, policies, or procedures made available from time to time, govern your use of the Service.

h) Severability. If performance of the Service in accordance with the terms of the Agreement would result in a violation of any present or future statute, regulation or government policy to which we are subject, and that governs or affects the Service or any transactions contemplated by this Agreement, then this Agreement shall be deemed amended to the degree necessary to comply with such statute, regulation or policy, and we shall incur no liability to you as a result of such violation or amendment. If any provision of this Agreement is deemed to be illegal, invalid, void or unenforceable by a court of competent jurisdiction, or by any governmental agency with jurisdiction in such matter, such provision shall continue enforceable to the extent permitted by that court or agency, and the remainder shall be deemed stricken from this Agreement. All other provisions shall remain in full force and effect.

i) Disputes, Governing Law; Venue. The Agreement shall be governed and construed in accordance with the laws of the state of Florida, without regard to internal principles relating to conflict of laws. Any dispute, difference, controversy or claim arising out of or relating to the Agreement shall exclusively be settled by binding arbitration before a single arbitrator in Lee County, Florida in accordance with the Commercial Arbitration Rules (including Procedures for Large, Complex Commercial Disputes) of the American Arbitration Association. Judgment on any resulting award may be entered into by any court having jurisdiction over the parties or their respective property. The arbitrator shall decide any issues submitted in accordance with the provisions and commercial purposes of the Agreement and shall not have the power to award damages other than those described in the Agreement. The prevailing party in any dispute arising out of the Agreement shall be entitled to, and the arbitrator shall have jurisdiction to award, the recovery of reasonable attorneys’ fees, costs and expenses.

j) Waiver of Jury Trial. Subject to the arbitration provisions set forth in Section 15 i) herein, Company agrees that any suit, action or proceeding, whether as part of a claim or counterclaim, brought or instituted by it on or with respect to this Agreement or any event, transaction or occurrence arising out of or in any way connected with this Agreement shall be tried only by a court and not by a jury. YOU EXPRESSLY, KNOWINGLY AND VOLUNTARILY WAIVE ANY RIGHT TO A TRIAL BY JURY IN ANY SUCH SUIT, ACTION OR PROCEEDING. Company agrees, to the fullest extent allowed by law, that claims arising hereunder will not under any circumstances be pursued in class action proceedings and Company waives the right to bring or to participate in class action proceedings against CSI.

k) Headings. The Section headings used in these General Terms are for convenience only, and do not in any way limit or define your or our rights or obligations under the Agreement.

l) Survival. Termination of the Agreement, including the MSA or any Service Agreement or Service shall not impact any right or obligation arising prior to termination, and in any event, Sections 1.d) – 1.j), 3.b), 4, 6 – 15 of these General Terms shall survive termination of the Agreement, including the MSA or any Service Agreement.

2. CSI Commercial Card Agreement

This CSI Commercial Card Agreement (“Card Agreement”) is a part of the CSI Master Services Agreement (“MSA”) and is governed by the General Terms and Conditions (“General Terms”). Capitalized words not otherwise defined herein have the meaning set forth in the MSA or General Terms. This Card Agreement is entered into by and between CSI and Company and sets forth the terms and conditions pursuant to which CSI shall provide Company with CSI’s commercial card services. By entering into this Card Agreement, Company hereby agrees to receive the CSI commercial card services pursuant to the MSA and General Terms as modified and amended by the terms and conditions set forth in this Card Agreement.

In consideration of the mutual promises contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, CSI and Company, intending to be legally bound, do hereby agree as follows:

CSI Description of Services – Subject to the terms, provisions and conditions of this Card Agreement, CSI shall provide a commercial card accounts payable service (the “Service”) consisting of the establishment of an Account (as defined in Section 4.a below), the Virtual Cards (as defined in Section 1 below) and the related services described in this Card Agreement. The Service may only be used for business or commercial purposes and not for personal, family, household or other consumer purposes.

1. Card Programs.

The Service is designed to handle an organization’s accounts payable, purchasing, and, where available, travel and related expense needs through a commercial card payment platform. CSI, in accordance with Company’s request, shall provide Company with virtual or lodged commercial payment cards (“Virtual Cards”) which are issued by a financial institution which is party to an agreement with CSI, as may be determined by CSI in its discretion (the “Issuing Bank”).

2. Representatives.

CSI will rely on the information provided by an Authorized Person or Company’s other agents, officers, employees and representatives (“Representatives”) in providing the Service to Company. Any changes in Representatives or to the information Company provided to CSI must be promptly communicated to CSI and given or promptly confirmed in writing although CSI may, in its sole discretion, act on oral requests for changes. CSI may request separate documents, certificates or resolutions from Company to establish the authority of Company’s Representatives. Any change shall be effective only after CSI receives the proper request for such change and CSI has had a reasonable opportunity to act on the request. Until then, CSI may rely on Company’s Representatives as previously provided to CSI. Company agrees that CSI may refuse to comply with requests from any person until CSI receives documentation reasonably satisfactory to CSI confirming the person’s authority to bind Company. CSI shall not be liable or responsible to Company for any Authorized Person or Representative who exceeds the limits of his or her authority.

3. Issuance of Virtual Cards.

a) Virtual Cards. Upon completion of the set-up process, CSI will establish the Account, against which Virtual Cards may be created in accordance with this Card Agreement and CSI’s procedures. Assuming sufficient funds have been placed on the Company Account, all transactions with a Virtual Card will be honored unless the Virtual Card or the Account has been effectively blocked as provided in this Card Agreement or as otherwise determined by CSI or Issuing Bank. Unless and until a Virtual Card has been blocked, the Virtual Card is valid and may be used for transactions, and renewal or replacement Virtual Cards and associated account numbers may be generated and issued as appropriate. Once issued as requested by Company and subject to the provisions of this Card Agreement, Company is solely responsible for the use of the Virtual Card and associated account number and for imposing and enforcing any limits or restraints Company imposes on the use of the Virtual Card.

b) Responsibility for Transactions. Company is responsible for the use of each Virtual Card and Account number by Company, any Account Administrator (as defined below), and any other of Company’s personnel. As part of this responsibility, Company agrees to: (i) limit use of all Virtual Cards to business or commercial purposes on Company’s behalf; (ii) impose internal controls and procedures to prevent fraud and unauthorized use of a Virtual Card; and (iii) daily review and reconcile all Account activity and transactions as further described below.

c) Transactions. Unless otherwise restricted by CSI, Company Virtual Cards and the Account may be used to effect accounts payable transactions and other commercial purchasing transactions via the Service. Where available, and if requested by Company, the Virtual Cards and the Account may also be used to effect travel and other commercial expense transactions. CSI is not responsible for the failure or refusal of anyone to honor a Virtual Card. Subject to the express limitations set forth in this Card Agreement, Company is responsible for all uses of each Virtual Card and Account number regardless of the means by which the transaction is effected and regardless of whether it is authorized by Company or violates Company’s internal policies, controls or restrictions. Merchant category and velocity controls, when properly implemented and used by Company and reported by the merchant, can be effective in controlling transaction activity.

4. Account Administrator.

The Account Administrator has the authority to: (i) designate personnel with access to some or all of the administrative features of the Service; (ii) designate persons as Authorized Users to use Virtual Cards to effect transactions; (iii) block a Virtual Card and change the Virtual Card limit associated with a Virtual Card; (iv) select, create and maintain templates through the online features that implement available spending controls; (v) monitor and obtain information and reports about Account and Virtual Card use; and (vi) accept and act on all communications from us regarding the Service. CSI may, without further inquiry, rely on, deal with and accept instructions related to the Service from any person who identifies himself or herself as the person designated by Company as the Account Administrator.

5. Company Transactions.

a) Obligation. Company shall be responsible for all payments made from the Account.

b) Foreign Currency and Cross-Border Transactions. To convert transactions made in foreign currencies into U.S. dollars, the relevant card association or its affiliate (“Card Association”) will use its then-current currency conversion rates and the procedures established by such Card Association in its sole discretion, as further defined in the Fee Schedule. Further, if a merchant’s country code applied to a transaction differs from Company’s country code, a cross-border fee will apply as further detailed in the Fee Schedule.

c) Disputed Transactions. If Company believes that a transaction on Company’s Account was unauthorized, Company must notify CSI as soon as possible but not more than sixty (60) days after the transaction appears on Company’s Account statement. Company will be required to provide CSI with reasonable information about the transaction to enable CSI to investigate the matter, and to reasonably cooperate with CSI in any investigation. The Card Association may offer a liability protection program; contact the Card Association for additional information.

6. Account Statements.

Account statements and reports are available securely on-line through the Program. Company understands and agrees that CSI may filter data received from merchants from time to time as necessary to provide complete reporting information to Company.

7. Prefunded Account Balance.

a) Account Funding. Company shall maintain sufficient funds in Company’s Account to support the transactions contemplated under this Card Agreement and any other Services. If Company does not have sufficient available funds in Company’s Account to cover the transaction amount, the transaction will be declined. Company acknowledges and agrees that the funds available to perform transactions are limited to the funds that have been added to Company’s Account that are not subject to a hold. Company is not authorized to use funds added to Company’s Account in error. Company is not authorized to access Company’s Account for the purpose of withdrawing funds; provided that Company may, however, request a return of funds through Company’s Account Administrator and such request will be processed and completed by CSI or the Issuing Bank as soon as is commercially practicable. Any transaction that could create a negative balance for Company’s Account is not permitted but may occur in limited circumstances. Adjustments may be made to Company’s Account to reverse an error, reflect a vendor adjustment, or resolve a dispute regarding a transaction posted to Company’s Account. These processing and adjustment entries could cause Company’s Account to have a negative balance. If Company’s Account has a negative balance, Company agrees: (i) that CSI may automatically apply any subsequent deposits to Company’s Account to satisfy the negative balance, and (ii) to fund Company’s Account on demand by a wire transfer, ACH, or other payment method authorized by CSI for the amount of the negative balance. If no future funds are added to Company’s Account, CSI may send Company a notice explaining the reason for the adjustment and requesting payment by wire transfer, ACH, or other payment method to satisfy the negative balance.

b) Authorization for Account Funding. All Account funding shall be made by wire transfer or Automated Clearing House (ACH) credits or debits from Company’s bank account with its financial institution designated by Company during the setup process. Company hereby authorizes CSI to initiate debit entries, by providing a separate ACH debit authorization form, from the bank account with the financial institution Company designates until Company has properly revoked the authorization. Company agrees to be bound by the Nacha Operating Rules with respect to these ACH transactions.

c) Changes. CSI may from time to time and in its sole discretion (i) block one or more Virtual Cards, or (ii) limit the number and amount of transactions on a Virtual Card or the Account. CSI will notify Company promptly in the event CSI decides to take such action on the Account. While CSI expressly reserves the discretion described in this paragraph, except for cases of known or suspected fraud, changes resulting from regulatory requirements or where CSI believes there exists a risk of loss, CSI will use commercially reasonable efforts to consult with Company in advance of taking action on an Account.

8. Fee Schedule.

Company agrees to pay all fees and charges associated with the Account including those set forth in the fee schedule (Exhibit B) of the MSA (the “Fee Schedule”), which is incorporated into this Card Agreement by this reference. If a Fee Schedule is not so attached or accompanying the executed version of this Card Agreement, Company agrees to pay standard account fees and charges. The Fee Schedule may be revised as provided in the MSA. If there is any conflict between this Card Agreement and the Fee Schedule, this Card Agreement shall govern, but only to the extent reasonably necessary to resolve the conflict.

9. Account Controls.

a) Monitoring Obligation. Company is responsible for monitoring the use of the Virtual Cards, Account numbers and the Account, and detecting unauthorized or improper use. CSI offers online account management tools through the Online Features, as defined below, to assist Company in carrying out this responsibility, including access to transaction information and the means to block a Virtual Card or impose limits on the use of a Virtual Card.

b) Unauthorized Use. Company is responsible for blocking any misused Virtual Cards or lost or stolen Virtual Card Account numbers, or Virtual Cards or the Account that Company suspects may have been the subject of fraud, unauthorized use or misuse, and the Virtual Card (and associated authorization) of any personnel no longer authorized by Company to use a Virtual Card or Account number, whether as a result of termination of employment or otherwise. Company may also block or terminate a Virtual Card by calling or e-mailing CSI’s customer service center as soon as the need arises. Company understands that CSI will require a reasonable amount of time to act on any request made by telephone or e-mail.

c) CSI’s Programs. CSI may (but is not obligated to) apply software programs and other techniques to detect patterns and other indications of potential fraud and unauthorized use of the Account. These programs and techniques are not a substitute for proper Account management and the implementation and enforcement of Virtual Card controls by Company and cannot be relied upon to prevent fraud or unauthorized use. CSI’s techniques may, however, result in the denial of a transaction, reduction of limits or other actions as indicated by such programs and techniques.

10. Rebate Program Terms.

Depending on the application under which Company applied and account pricing, Company may qualify for a rebate program. The rebate incentive program, if applicable to the Account, is only available if the Account is open, in good standing, and is not in default of the payment terms provided within this Card Agreement. Please refer to Exhibit A, Rebate Incentive Agreement, of the MSA for specifics regarding rebates. CSI reserves the right to change or terminate the rebate program at any time and in any manner with prior notice. Changes may include, among other things, changing the benefits, imposing additional restrictions, or terminating the program. In addition, CSI reserves the right to remove any account from the rebate incentive program in the event of any fraud or abuse. Participation in the rebate incentive program will be suspended if the account is suspended. The Rebate Incentive Program is subject to modification or termination, at the option of CSI, should any of the current arrangements between globalVCard LLC, CSI Enterprises, Inc., the Issuing Bank and the Processor change, if there are changes in card association interchange rates, and/or if legislation governing interchange rates is modified, as any of these may be from time to time. Company is not entitled to any incentive until the Issuer has funded and settled with CSI.

11. Online Features.

CSI offers online access features as part of the Service (“Online Features”) to enable Company to access information about, and administer and manage, the Account. The use of the Online Features is subject to the limitations and specifications CSI provides for the Online Features. Some or all of the Online Features may be hosted or provided by the Card Association or another third party and are also subject to any terms of use established by CSI or that third party. Updates and new features of the Online Features will be described, and any related terms of use will be posted on the applicable website; updates and features offered by CSI, and the related terms and conditions of use will become part of the Service and this Card Agreement upon first use by Company.

12. Exclusivity.

Company agrees that CSI will be Company’s exclusive provider of the Service, and Company will not use the services of any third party that are substantially similar or competitive with CSI for the Service provided under this Card Agreement.

13. General Provisions.

a) Suppliers. CSI has no liability or responsibility for a supplier’s refusal to accept a payment made via the Service. If Company has a payment dispute with a supplier, CSI requires that Company first attempt to resolve the dispute directly with the supplier. If Company is unable to resolve the dispute, Company may request that CSI process a chargeback, subject to applicable Card Association rules. If CSI agrees to process the chargeback, Company will be required to complete a dispute form provided by CSI, provide any additional information CSI requests relating to the dispute and cooperate with CSI. Company is in all events responsible for any transactions made with Company’s Account or the Service.

b) Compliance with Law. CSI and Company each agree to comply with and be responsible for all applicable state, local and federal statutes, rules, regulations, orders, directives, policies and other laws, and the rules and regulations of any applicable Card Associations or payment clearing system.

3. Data Processing Addendum

1. INTRODUCTION

1.1 This Addendum sets out the additional terms, requirements, and conditions on which CSI (the Vendor) will process Four Seasons Personal Data when providing the Services under the Master Services Agreement entered into with any Property (collectively, the “Agreement” within this DPA).

1.2 In addition to terms defined within this Addendum and Schedules, the definitions and other provisions in Schedule 2 apply throughout. A reference to a Clause, Section, or Schedule is a reference to a Clause, Section, or Schedule of or to this Addendum, unless otherwise noted. The Schedules form part of this Addendum.

2. ROLES AND RESPONSIBILITIES

2.1 The Four Seasons management entity (Property) is responsible for determining the purposes and means by which Four Seasons Personal Data is processed at the property. Vendor acknowledges that it will process Four Seasons Personal Data solely on behalf of Property. For the avoidance of doubt, it is the parties’ mutual understanding that: (a) Property is a controller of Four Seasons Personal Data; and (b) Vendor is a processor of the same.

2.2 Vendor acknowledges that the Customer (Owner Entity) has entered into this Addendum for the benefit of Property. The rights granted to Property under this Addendum shall be directly enforceable by Owner Entity on behalf of Property. Without limiting the foregoing, a person who is not a party to this Addendum may not otherwise enforce any of its terms unless expressly stated in this Addendum or the Agreement. If and to the extent Owner Entity is not able to recover a loss incurred by Property under this Addendum on the basis a claim to recover that loss is not, by operation of law or decision of a court, deemed to be enforceable by Owner Entity itself, then Property shall be entitled to enforce this Addendum against Vendor in its own right, subject always to the provisions of this Addendum and the Agreement.

2.3 Vendor and Property shall comply with their respective obligations under Data Protection Laws in relation to the processing of Four Seasons Personal Data under, or in connection with the performance of, this Addendum and related Agreement. Nothing in this Addendum shall relieve either Vendor or Property of its own responsibilities and liabilities under Data Protection Laws.

3. VENDOR USE OF FOUR SEASONS PERSONAL DATA

3.1 Compliance with instructions. Vendor shall:

  • (a) only process Four Seasons Personal Data in accordance with the Agreement and any written instructions provided by Property from time to time; not collect, process, retain, use or disclose Four Seasons Personal Data for any commercial purpose other than as set forth in and pursuant to the Agreement;
  • (b) not sell, disclose, release, transfer, make available or otherwise communicate any Four Seasons Personal Data to any third party without the prior written consent of Property, except where specifically permitted under Section 7 or where required by applicable law (in such cases, Vendor shall comply with its obligations under Clauses 6.3 and 6.4). To obtain such consent, Vendor shall send an email to corporate.it.security@fourseasons.com; and
  • (c) promptly notify Property if it is unable to follow Property’s instructions, or if, in Vendor’s opinion it would be unable to process Four Seasons Personal Data without breaching Data Protection Laws.

3.2 Sub-processor instructions. Subject to Section 7, Property authorizes Vendor to instruct sub-processors to process Four Seasons Personal Data for the purpose of exercising Vendor’s rights and performing its obligations under this Addendum and the Agreement.

3.3 Purpose limitation, accuracy, and duration of processing. Vendor shall process Four Seasons Personal Data in accordance with, and only for the purposes specified in, Schedule 1. Vendor further agrees that processing shall only take place for the duration specified in Schedule 1. Vendor shall inform Property if it becomes aware that any Four Seasons Personal Data is inaccurate or has become outdated. Such notice shall be sent to privacy.officer@fourseasons.com.

4. SECURITY OF PROCESSING

4.1 Maintain appropriate technical and organizational security. Vendor shall, considering the state of the art and the nature, scope, context, and purpose of processing, as well as the potential risk to the rights and freedoms of natural persons due to the processing, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk with respect to Four Seasons Personal Data and other Confidential Information. Such assessment shall account for the risk of unauthorized or unlawful processing of, as well as the accidental or unlawful loss, alteration, unauthorized disclosure, or destruction of, Four Seasons Personal Data and other Confidential Information.

4.2 Sensitive data. If Vendor’s processing involves Four Seasons Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (Sensitive Data), Vendor shall apply any additional safeguards included in the Security Measures (Schedule 3) for Sensitive Data.

4.3 Adherence to Security Measures. Without limiting Clauses 4.1 or 4.2, Vendor shall always implement at least the measures set out in the Security Measures (Schedule 3).

4.4 Vendor Personal Data Breach response. Upon becoming aware of an actual or suspected Personal Data Breach, the Vendor shall take reasonable steps to investigate, and mitigate the effects of, the Personal Data Breach. Vendor shall notify Property of the incident pursuant to Clause 4.5. Property shall have sole control over the content, timing, and method of distribution of any notice sent to any data subject(s), supervisory authority(ies), and/or regulator(s) (collectively, Notice Recipients). Except as required by applicable law or regulation, Vendor may not send notifications to any Notice Recipients without Property’s express written approval. At Property’s request, Vendor shall notify data subject(s) on behalf of Property and Vendor shall function as the primary contact point for inquiries and complaints related to the Personal Data Breach.

4.5 Notification of Personal Data Breach to Property. Vendor shall notify Property without undue delay, and in any event within 48 hours, after becoming aware of or having reasonable suspicion of an actual or suspected Personal Data Breach involving Four Seasons Personal Data. Vendor shall first attempt to notify Property by calling Four Seasons’ incident response hotline at +1 613 416 8000. If Vendor cannot reach Property over the phone, the initial notice must be sent via email to corporate.it.security@fourseasons.com and privacy.officer@fourseasons.com. That initial notice sent via e-mail should only inform Property of the potential Personal Data Breach and include contact information for an individual from whom Property can obtain additional details of the incident. Vendor shall be prepared to provide the following information regarding the Personal Data Breach, including, if available, details of: (a) how the incident occurred and the facts surrounding it; (b) the categories of Four Seasons Personal Data and number of data records affected; (c) details of individuals and the approximate number of individuals and records affected including, where possible, the country of residency of the affected data subjects; (d) the likely consequences of the incident, if known; and (e) the measures taken or proposed to be taken to address the incident, prevent future occurrence and to mitigate its possible adverse effects. Where it is not possible to provide all information at the same time, further information shall be provided subsequently as it becomes available. Property shall be entitled at any time, but only on request, to require the Vendor to provide the foregoing details in a written report.

4.6 Cooperation with Property’s review. Upon Property’s written request, Vendor shall provide Property with co-operation and assistance (including access to appropriate facilities, employees, records, information, and systems) reasonably requested by Property related to a Personal Data Breach to enable Property to (a) take appropriate remedial measures Property deems prudent; (b) send notices to Notice Recipients; and (c) respond to any subsequent review by or inquiries from any relevant Data Protection Authority, any other public authority, or any other third party concerned, regardless of whether such responses are required by applicable law.

4.7 Costs associated with Personal Data Breach. Vendor agrees to reimburse Property for costs necessarily incurred with Property’s response to a Personal Data Breach impacting Four Seasons Personal Data when such breach relates to the Vendor’s, or Vendor’s sub-processors’, processing of Four Seasons Personal Data (Data Breach Costs). For the avoidance of doubt, such Personal Data Breach includes the unauthorized acquisition of or access to Four Seasons Personal Data processed on Vendor’s or Vendor’s sub-processor’s systems. Vendor agrees to reimburse Data Breach Costs related to Property’s review and remediation of the incident, notification to Notice Recipients, provision of identity protection or fraud protection services to impacted data subjects (at Property’s discretion), fines imposed by Data Protection Authorities related to the Personal Data Breach, and professional fees incurred related to the breach, including reasonable attorney’s fees and fees from public relations vendors, customer notification service providers, and forensic investigators. Vendor will not be obligated to reimburse Property for costs identified in this Clause 4.7 if the Personal Data Breach is caused by Property’s negligence or misconduct. The maximum amount of Data Breach Costs that Vendor will be liable to reimburse Property for hereunder will be limited to $1 million U.S. dollars, provided that Vendor’s aggregate liability to all Properties managed by Four Seasons (including the Property) shall not exceed $2 million U.S. dollars (Data Breach Costs Cap).

4.8 Non-Exclusive Remedies for Breach. Vendor’s failure to meet the requirements in this Addendum with respect to the security of Four Seasons Personal Data or other Confidential Information, including the requirements outlined in the Security Measures (Schedule 3) is a material breach of the Agreement for which Owner Entity, at its option, may terminate the Agreement on written notice to Vendor in accordance with the Agreement.

5. COMPLIANCE DOCUMENTATION, ASSISTANCE, AND AUDIT

5.1 Assistance with Property’s privacy assessments. Upon Property’s written request, Vendor shall provide reasonable assistance to Property regarding the assessment of the privacy impact related to Vendor’s processing of Four Seasons Personal Data when such assessment is either: (a) required or prudent under Data Protection Laws; or (b) conducted by Property to comply with its internal processes and procedures. Such assistance may include providing information to Data Protection Authorities upon Property’s request.

5.2 Demonstrate compliance with this Addendum. Subject to compliance with applicable laws, Vendor shall, upon Property’s written request, provide all information necessary to demonstrate compliance with this Addendum, including information provided by sub-processors. Property may request to receive information verbally, or in writing; such information includes, but is not limited to, details regarding the technical and organizational measures employed by Vendor and/or a sub-processor related to the processing of Four Seasons Personal Data. Such information regarding technical and organizational measures includes, without limitation, a summary of a routine assessment conducted by the Vendor to determine if its information security program complies with the SSAE 18 standard, ISO/IEC 27001, or other alternative standards that are substantially equivalent to those standards. Property shall maintain all information related to such assessments, including any written summaries, as Vendor’s Confidential Information and will not distribute or allow any third party (other than Property’s independent auditors) to use any such information without the prior written consent of Vendor, unless required by applicable law.

6. INDIVIDUAL RIGHTS, DATA PROTECTION AND PUBLIC AUTHORITY INQUIRIES

6.1 Notice of individual rights request. If an individual makes a written, electronic, or verbal request to Vendor to exercise any of their rights under Data Protection Laws in relation to Four Seasons Personal Data, Vendor shall forward the request to Property promptly and in each case within three days from the date on which Vendor received the request. Notification must be sent to privacy.officer@fourseasons.com. Vendor shall not respond to such requests itself unless it has been authorized to do so by Property in writing or is otherwise required by applicable law or regulation.

6.2 Assistance related to rights requests. Upon Property’s reasonable written request, Vendor shall provide Property with all co-operation and assistance requested by Property in relation to any individual request to exercise their rights under Data Protection Laws. This includes, but is not limited to, implementing appropriate technical and organizational measures to fulfil and respond to such requests.

6.3 Notification of and assistance with Data Protection Authority inquiry. Vendor shall immediately notify Property if it is subject to any inspection or investigation conducted by any Data Protection Authority regarding the processing of Four Seasons Personal Data. Notification must be sent to privacy.officer@fourseasons.com. Vendor shall assist Property in responding to any investigation, inspection, notice, or communication from any Data Protection Authority or other authority in relation to the processing of Four Seasons Personal Data.

6.4 Notice of request from other public authority. Vendor shall keep Four Seasons Personal Data confidential in accordance with the terms of this Addendum except where disclosure is required by applicable law, in which case the Vendor shall, where not prohibited by applicable law, immediately notify Property of any such requirement (and in any event before such disclosure).

7. SUB-PROCESSORS

7.1 General written authorization. Notwithstanding any provisions governing the appointment of sub-contractors in the Agreement, Property provides general authorization for Vendor to engage other processors (each a sub-processor) to process Four Seasons Personal Data. Vendor shall:

  • (a) before disclosing Four Seasons Personal Data to any sub-processor, enter into a contract with that sub-processor containing terms equivalent to those in this Addendum;
  • (b) be responsible for all acts and omissions of any sub-processor as fully as if they were the acts and omissions of Vendor or its employees or agents; and
  • (c) except where expressly provided otherwise, be Property’s sole point of contact for the performance of Vendor and Vendor’s sub-processor’s obligations under this Addendum.

An agreed list of sub-processors can be found in Schedule 1. Vendor shall inform Property no less than 60 days in advance of any intended changes concerning the addition or replacement of sub-processors to those already approved, so giving Property the opportunity to object. Such notifications must be sent to corporate.it.security@fourseasons.com. If Property notifies Vendor in writing that it objects to Vendor’s proposed appointment of an additional or alternative sub-processor, Property may terminate the Agreement.

7.2 Confidentiality obligation. Before disclosing Four Seasons Personal Data to any of its agents or sub-processors, Vendor shall ensure that those persons:

  • (a) have taken appropriate training in data protection; and
  • (b) are bound to hold the Four Seasons Personal Data in confidence, to at least the same standard as required under this Addendum.

8. Intentionally deleted

9. CONSEQUENCES OF TERMINATION AND EXPIRY

9.1 Unless expressly stated otherwise in this Addendum or the Agreement, upon termination or expiry of the Agreement, Vendor shall, and shall procure that each sub-processor shall immediately cease to use Four Seasons Personal Data; and

  • (a) at Property’s option and in accordance with Property’s instructions: (i) return Four Seasons Personal Data to Property; and/or (ii) delete the Four Seasons Personal Data and other Confidential Information, as well as all copies and extracts of Four Seasons Personal Data and other Confidential Information unless required to retain a copy in accordance with applicable laws or any written data retention policy, but only for as long as is set forth in such policy. Vendor shall destroy all data in a fashion that renders it unrecoverable, and which adheres to NIST SP 800-88 Rev. 1 (or a successor standard) or equivalent data destruction standard. Data destruction shall be completed on all forms of data and in all locations excluding system backups. A confirmation of data destruction will be provided to Property upon written request;
  • (b) if Four Seasons Personal Data is contained in an electronic file created pursuant to any routine backup or archiving procedure which renders it inaccessible or incapable of deletion, anonymize such file wherever possible; if anonymization is not possible, the data may be retained in line with Vendor’s retention periods so long as it is not generally accessible beyond the need for disaster recovery or similar operations or to comply with applicable law; and
  • (c) to the extent that any Four Seasons Personal Data or other Confidential Information remains in the possession of Vendor following a request for return or destruction of same from Property, Vendor shall continue to process that Property data in accordance with applicable law and this Addendum.

9.2 Survival. On expiry or termination of this Addendum, this Section 9 shall survive and continue in full force and effect. Vendor shall continue to ensure compliance with this Addendum until the Four Seasons Personal Data and Confidential Information is deleted or returned in accordance with this Section 9.

10. GOVERNING LAW AND JURISDICTION

10.1 Governing law. Subject to the UK SCCs, or EU SCCs (if applicable), this Addendum and any non-contractual obligations arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with, the law specified in the Agreement.

11. MISCELLANEOUS

11.1 No transfer of rights. The parties to the Agreement acknowledge that nothing in this Addendum constitutes a transfer or assignment of any rights in Four Seasons Personal Data (including any intellectual property rights) unless otherwise expressly set out in the Agreement.

11.2 Hierarchy. If there is any conflict or inconsistency between a term in the body of this Addendum and a term in the Agreement, or in any of the Schedules or other documents referred to or otherwise incorporated into this Addendum, the term in the body of this Addendum shall take precedence.

11.3 Variability. Subject to any change control procedure contained in the Agreement, any variation of this Addendum shall not be binding on the parties to the Agreement unless set out in writing, expressed to vary this Addendum, and signed by authorized representatives of Vendor and Owner Entity.

11.4 Severability. The provisions contained in each Section and Clause of this Addendum shall be enforceable independently of each of the others and their validity shall not be affected if any of the others are invalid. If any of those provisions is void but would be valid if some part(s) of the provision were deleted, the provision in question shall apply with such modification as may be necessary to make it valid.

SCHEDULE 1

DESCRIPTION OF PROCESSING AND TRANSFERS

ONCE IN TIME APPLICATION SUBMISSIONS:

VENDOR PAYMENT DETAILS

SCHEDULE 2: DEFINITIONS

In this Addendum, the terms controller, personal data, processing, and processor shall have the meaning given to them in Data Protection Laws. Other defined terms are as follows:

Confidential Information is defined pursuant to the Agreement;

Data Protection Authority means the relevant competent authority responsible for data privacy and protection, which may or may not be where Property or Vendor is established;

Data Protection Laws means any law, enactment, regulation, or order concerning the processing of data relating to living persons including each to the extent applicable to the activities or obligations of Property, Owner Entity, and Vendor under or pursuant to this Addendum;

Data Recipient means the Vendor or a third party who receives Four Seasons Personal Data from, or is given access to Four Seasons Personal Data by, the Data Sender under, or in connection with, the terms of this Addendum;

Data Sender means Property, or Vendor, in cases where the entity transfers (via international transfer or otherwise) Four Seasons Personal Data to a Data Recipient or provides access to Four Seasons Personal Data to a Data Recipient under or in connection with this Addendum;

Four Seasons Personal Data means any personal information or personal data (each as defined in applicable Data Protection Laws) which is: (i) supplied by or on behalf of Property to Vendor (including where Vendor has access to personal data held by Property or a processor on its behalf), (ii) which Vendor collects, generates, or otherwise processes on behalf of Property; or (iii) which Vendor otherwise processes under or in connection with providing the Services or performing an obligation under the Agreement, as further described in Schedule 1;

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Four Seasons Personal Data transmitted, stored, or otherwise processed by the Vendor or Vendor’s sub-processors;

Security Measures means the security measures outlined in Schedule 3; and

Services mean the services provided under the Agreement.

SCHEDULE 3

SECURITY MEASURES

Throughout the term of the Agreement, and at all times in connection with its actual or required performance of the Services thereunder and in compliance with all applicable laws, Vendor shall maintain and enforce an information security program, including incident response, escalation, and physical, technical, organizational, and contractual security policies and procedures with respect to its processing of Property’s Confidential Information (including Four Seasons Personal Data) that meet or exceed Property’s data security requirements set forth in this Schedule, the Addendum, and the Agreement. Any such practices and standards must be at least as protective as industry standards in all jurisdictions where Property and Vendor carry on activities under the Agreement. Without limiting the foregoing, Vendor agrees that it has in place, and will have in place during the term of the Agreement, the following security measures:

  • 1) Security monitoring and governance. Vendor shall maintain measures to effectively monitor, detect and mitigate attacks, break-ins, potential threats, and other malicious activities launched against any electronic systems, including without limitation, its network, its operating system, all databases, and any and all applications and underlying technologies (collectively, the Systems), associated with providing the Services. These measures include, without limitation, collecting, managing, and protecting audit logs (Audit Logs) and following up on all anomalies detected. Vendor represents and warrants that its Audit Logs: (a) track all actions taken in connection with the Systems, including without limitation, all changes to configuration of servers, networks, databases, and/or business applications containing Four Seasons Personal Data, including changes to the Four Seasons Personal Data itself (each an Action); (b) with respect to each Action, track, at a minimum, the time, date, and type of Action taken; (c) are configured such that all Actions can be traced to an individual; and (d) are kept for at least one (1) year and protected on separate, dedicated storage devices.
  • 2) Logical access controls. Vendor shall control access to its Systems through at least the following means: (a) adhering to policies and procedures that comply with PCI-DSS Requirement 8 (available at www.pcisecuritystandards.org); (b) restricting access to all Systems, granting access only to those users that have a need for such access in order to perform their roles; (c) having a process for on-boarding and off-boarding staff to appropriately control and restrict access to all Systems; (d) with respect to employees, contractors, agents, or other representatives (Personnel) who have a material role in processing Four Seasons Personal Data, submitting such Personnel to background verification (as permitted by local laws, regulations, ethics, and contractual constraints); (e) creating all accounts using the “least privilege” principle, and granting all users only the necessary privilege required for their role; and (f) using Multi-Factor Authentication to protect all accounts that have administrative privilege to access the Systems used to provide the Services.
  • 3) Physical access controls. Vendor shall have in place, and will have in place during the length of the Agreement, measures to ensure physical security controls are in place for all data centres, hosting providers, corporate offices or any location where Four Seasons Personal Data may reside, and will ensure that physical access to such non-public locations is restricted and closely monitored, including without limitation that Vendor (i) has, and will follow, policies and procedures that address the purpose, scope, roles, responsibilities and compliance measures required for physical and environmental security of its Systems, including without limitation that such policies and procedures address security perimeter and entry controls, working in secure areas, equipment security, cabling security, fire detection and suppression, and room temperature; and (ii) controls physical access to such facilities containing information systems, maintains records of access by approved personnel, requires sign-in sheets for all visitors, periodically reviews such logs, investigates all violations or suspicious activities, and takes action to address issues or concerns identified.
  • 4) Information security awareness. Vendor shall have in place an information security awareness program for all of its Personnel to protect its Systems and to ensure the confidentiality, integrity, and availability of data. Such program provides Personnel with training, reference materials, support, and reminders that enable them to appropriately protect data assets and obligates Personnel to understand and agree to abide by the policies that affect their areas of activity.
  • 5) Annual incident response testing. Vendor shall facilitate an annual incident response test and modify its related plans and/or policies in connection with the lessons learned from such tests, including that evidence of such testing and the modified plans and/or policies in consequence of such tests will be provided to Property upon request.
  • 6) Cryptographic standards and key management. Vendor shall utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, which at a minimum shall be Center for Internet Security (CIS) recommendations. Vendor shall provide security key management and other facilities to ensure that encrypted data is not lost or irretrievable should the encryption keys become unavailable.
  • 7) Encryption in transit and at rest. Vendor shall ensure that Four Seasons Personal Data, whether in transit or at rest, including storage within databases, is protected at all times by using end-to-end cryptographic protocols, including without limitation that Vendor shall implement encryption in transit that supports the latest Transport Layer Security (TLS) protocol, and has the ability to block TLS protocols older than the current version minus 1 (e.g., if TLS 1.3 is the current version, TLS 1.1 can be blocked). For the avoidance of doubt, the in-transit encryption protocol requirements apply to all communication that transmits Four Seasons Personal Data and/or Confidential Information. Vendor shall, without limitation, encrypt data at rest using AES-256 encryption or the most recent industry standard level of encryption. Vendor shall never decrypt Four Seasons Personal Data in non-production systems and/or test environments.
  • 8) Vulnerability management program. Vendor shall execute (a) third-party penetration tests by an accredited vendor on an annual basis with all critical vulnerabilities patched within fifteen (15) days and high vulnerabilities patched no later than thirty (30) days after being identified by such tests; and (b) vulnerability assessments on an, at least, semi-annual basis with all critical and high vulnerabilities patched no later than thirty (30) days after being identified by Vendor. Upon request by Property, Vendor shall provide Property with evidence that an external network and applicable penetration tests have been completed and shall provide Property with an executive summary which includes the scope of the assessment, major findings, and remediation status. Such reports shall be considered Vendor’s Confidential Information.
  • 9) Change management. Vendor maintains a change management process to control any changes made to its products, services, and Systems, and to keep its Systems up-to-date with the latest upgrades, bug fixes, new versions, and other modifications in line with industry best practices. Vendor represents and warrants to Property that all changes (a) are documented, reviewed, tested, and approved in accordance with Vendor’s written policies; and (b) will be implemented in a seamless manner to avoid or minimize service degradation to Property.
  • 10) Routine maintenance. Vendor shall provide routine maintenance to its systems, including tasks necessary to correct ordinary defects in the systems, tasks necessary to ensure continued day-to-day operation of the systems, and tasks necessary to effect other minor modifications and improvements to the systems.
  • 11) IT Service Continuity. Vendor shall have in place a defined and agreed recovery point objective (RPO) and recovery time objective (RTO) for their Services, and based on the RPO and RTO, shall maintain and will follow an at least industry standard disaster recovery and business continuity plan for the restoration of critical processes and operation of the Services (the BCP), which contemplates, without limitation, the provision and maintenance of necessary controls such as backup power to facilitate an orderly shutdown process, fire detection and suppression, temperature and humidity controls, water damage detection and mitigation, network availability, and infrastructure health controls. Any Force Majeure provisions of the Agreement shall not limit Vendor’s obligations in this Clause.
  • 12) Single Sign-On Support (if applicable to Vendor). In cases where Vendor will provide access to a platform wherein Property’s employees, contractors, or other individuals will access the platform via log-in credentials, Vendor will provide Property with federated single sign-on capabilities (FSSO) that will allow Property to internally control the authentication process to the Vendor platform. Vendor shall accept the credentials (as more fully described below, the Identifying Credentials) of each participant as accurately identifying the participant and then provide the latter with access to the platform in accordance with the following: (a) Property shall be responsible for the establishment, implementation and oversight of the rules, requirements and procedures relating to the provisioning, de-provisioning, distribution, selection, use and safeguarding of the Identifying Credentials (such as the user ID and passwords) and for the verification of the identity of each participant and its respective level of access authorization for the platform, and Property agrees that it shall utilize at least “standard industry practices” in regard to password policies, user provisioning and de-provisioning, and the creation of persistent, unique and static user IDs, and therefore Vendor shall not have any responsibility to authenticate participants or otherwise verify their identity or authorized access levels; and (b) the FSSO shall utilize either the “Security Assertion Mark-up Language 2.0” (SAML), or another SSO methodology deemed acceptable by Property as evidenced by Property in writing (Vendor agrees to contact corporate.it.security@fourseasons.com to identify other acceptable SSO configurations and obtain such written approval). Property acknowledges it is responsible for procuring, at its expense, all hardware and software necessary to utilize the FSSO.
  • 13) Remote access (if applicable to Vendor). In cases where Vendor will access Property’s computer systems remotely, it will do so only using the remote access technology currently approved for use by Property. Contact corporate.it.security@fourseasons.com for more information.
  • 14) Administration of Property’s Systems (if applicable to Vendor). In cases where Vendor will administer Property’s computer systems, Vendor shall ensure that any accounts used to administer Property’s computer systems are unique to Property and are not shared across multiple clients.
  • 15) Provisions for Cardholder Data. Vendor shall adhere to the following requirements with respect to its storage, processing, handling or transmission of cardholder data in any manner, whether by Vendor itself, or through a sub-processor or other agent of Vendor. The term Cardholder Data refers to the number assigned by the card issuer that identifies the cardholder’s account, as well as all other data related to the payment card, including, but not limited to, expiration date and CVV code. Cardholder Data shall also include all of the cardholder’s Four Seasons Personal Data. Vendor: (a) shall at all times while accessing or holding Cardholder Data, comply with the current version of Payment Card Industry (PCI) requirements for Cardholder Data that are prescribed in the PCI Data Security Standard (PCI-DSS); copies of the current PCI-DSS requirements documentation are available on the www.pcisecuritystandards.org website; (b) hereby represents and warrants that it has received certification and is and shall be and remain certified PCI compliant at all times throughout the Term of this Agreement; (c) acknowledges and agrees that it will have access to Cardholder Data and that such Cardholder Data may only be used for the purposes set out in this Agreement and Vendor will not copy, use, alter or delete Cardholder Data for any purpose except as herein required or as required by applicable law, and in such case, only after sending notice to Property at corporate.it.security@fourseasons.com; (d) will not transfer Cardholder Data outside the Property environment for any purpose; (e) shall, in the event of an attempt at access, a breach or intrusion of, or otherwise unauthorized access to, Cardholder Data, immediately notify Property pursuant to the terms in the Addendum; (f) shall maintain appropriate business continuity procedures and systems to ensure security and integrity of Cardholder Data in the event of a disruption, disaster or failure of Vendor’s primary data systems; (g) shall provide an Attestation of Compliance from an arm’s length third party approved by Property (Attestation) in the current form set by PCI-DSS within 30 days of execution of this Agreement and annually thereafter during the Term of this Agreement, upon written request; failure to provide any such Attestation is a material breach of the Agreement entitling Property to immediately terminate the Agreement without penalty or liability of any kind, and in such circumstances Property shall have no further obligations to Vendor; (h) agrees to manage and be fully responsible for the high level PCI requirements and the requirements as outlined in the chart at Annex 1 attached hereto and Vendor agrees that its Attestation shall include an audit of the obligations of Vendor set out in such chart; and (i) its successors and assigns shall comply with the PCI-DSS Requirements including after termination of this Agreement for as long as Cardholder Data is in the possession of Vendor, its successors or assigns.
  • 16) Multi-Factor Authentication (MFA) standards. Vendor will support the following requirements for MFA, provided that Vendor acknowledges that the MFA standards are subject to change on written notice from Property, in Property’s discretion: (a) Vendor will use the following authentication methods: offline time-based verification codes (TOTP); hardware tokens, such as Yubico YubiKey; X.509-based certificates; legacy authentication methods, such as SMS, security questions, or email; open standards support; SAML; OpenID Connect; and OAuth2; and (b) Vendor will ensure it is capable of sending system logs for monitoring, including without limitation that it will: have the ability to send authorization events to a third-party SIEM solution, include out-of-the-box reports and audit trails, support effecting authorization system change based on authorization events, and provide real-time information about access attempts.
  • 17) Firewall/Perimeter defense requirements. Vendor represents, warrants and covenants that throughout the Term, it will take the following measures to protect the Services (whether they are offered natively on a cloud platform or acquired through other means) from unauthorized use and/or access, distributed denial of service (DDoS) attacks, malicious actors, malware, and access through utilization of Cloud Security Services, including, without limitation by: (a) maintaining a firewall at all logical demilitarized zones (DMZ) and Internet connection points, with access control restricted to that required for authorized use of Vendor’s Systems; (b) implementing web application firewalls for all web applications to filter, monitor, and block HTTP traffic to and from all web applications; (c) using threat protection devices and analytic services, such as Intrusion Detection Systems (IDS), Intrusion Prevention Devices (IPD) and Threat Analytics Platforms (TAP), as part of its network security strategy, in addition to the firewalls; (d) monitoring all threat detection logs on a regular basis to detect likely and/or actual unauthorized access attempts to Four Seasons Personal Data; (e) restricting and controlling wireless network access using industry standard wireless security protocols; (f) restricting and controlling remote network access and requiring the use of VPN with two-factor authentication; (g) maintaining secure network connections through the utilization of industry accepted protocols and configuration; and (h) using secure services, protocols and ports to connect to or interact with any environment that stores, processes or transmits Four Seasons Personal Data.
  • 18) Endpoint management. Vendor represents, warrants and covenants that throughout the Term, it will take the following measures to regulate protection of its network, systems, and applications, to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected, including without limitation that at a minimum, Vendor will deploy and maintain (so that all are up to date) the following security technologies: (a) encryption of hard disks on company assigned workstations; (b) MFA in accordance with the terms of this Agreement; (c) centrally managed anti-virus protection, including without limitation Endpoint Detection and Response solutions (EDR); (d) file integrity management solutions for workstations and servers; (e) Mobile Device Management (MDM) solutions; (f) egress Internet filtering solutions; (g) management and monitoring of all software to control authorized software installations; (h) Vendor supplied software updates as required from time to time to ensure that all applicable software updates are applied to Vendor’s systems; (i) login ID and password controls implemented to authenticate to systems; (j) periodic review of endpoint security logs; and (k) e-mails automatically scanned by anti-virus and anti-spam software.
  • 19) Audit. Notwithstanding anything to the contrary in the Addendum, Vendor agrees to maintain an information security program for the Services that complies with the SSAE 18 standard, ISO/IEC 27001:2013 or other alternative standards that are substantially equivalent to these standards for the establishment, implementation, control and improvement of security standards. Certification/audit activities: (a) will be performed at least annually; (b) will be performed according to ISO/IEC 27001:2013, SSAE 18 standards or such other alternative standards that are substantially equivalent to SSAE 18, provided that the certification/audit includes the applicable controls of Vendor relevant to security, availability, processing integrity, confidentiality and privacy and includes both a test of design and a test of effectiveness; (c) will be performed by independent third-party security professionals at Vendor’s selection and expense; and (d) will result in the generation of an audit report, which will be deemed Vendor’s Confidential Information. Following completion of the implementation of any applicable Services, and on an annual basis, Vendor will, at Property’s request and at no charge, provide Property with copies of any routine Service Organization Control reports (SOC Reports) (or any successor reports thereto) that are both directly related to those Services provided hereunder for Property and already released to Vendor by the public accounting firm producing the report, including without limitation (i) SSAE18 / SOC1 Type II relating to the Services; and (ii) SSAE18 / SOC2 Type II relating to the Vendor technical team supporting the Services. SOC Reports are Vendor’s Confidential Information and Property will not distribute or allow any third party (other than its independent auditors) to use any such report without the prior written consent of Vendor. Property will instruct its independent auditors or other approved third parties to keep such report confidential and Property will remain liable for any unauthorized disclosure of such report by its independent auditors or other approved third parties. Vendor shall maintain complete and accurate records relating to its data protection practices and the security of any of Property’s Confidential Information, including any backup, disaster recovery, or other policies, practices or procedures relating to Property’s Confidential Information and any other information relevant to its compliance with this Section.
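The "current version minus 1" rule in item 7 of Schedule 3 is the one control above that reduces to a concrete server setting. The following is an added example, not part of the addendum or of any vendor's code, showing how a vendor's TLS listener can be configured and self-checked against that rule with Python's standard ssl module. It assumes TLS 1.3 is the current version (the addendum gives that only as an "e.g."), so TLS 1.2 and 1.3 are accepted and TLS 1.0 and 1.1 are blocked; the version list and helper names are the example's own.

```python
"""TLS minimum-version policy helper (added example; assumes TLS 1.3 is current)."""
import ssl

# Ordered oldest to newest. Which version counts as "current" is an assumption
# made for this example; change CURRENT_TLS_VERSION as the standard moves on.
TLS_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CURRENT_TLS_VERSION = "TLSv1.3"

# Map the policy's version names onto the ssl module's TLSVersion enum.
_VERSION_ENUM = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def allowed_versions(current=CURRENT_TLS_VERSION):
    """Versions a server may accept under 'current version minus 1'."""
    idx = TLS_VERSIONS.index(current)
    return set(TLS_VERSIONS[max(0, idx - 1): idx + 1])


def blocked_versions(current=CURRENT_TLS_VERSION):
    """Versions that must be refused, oldest first."""
    keep = allowed_versions(current)
    return [v for v in TLS_VERSIONS if v not in keep]


def oldest_allowed(current=CURRENT_TLS_VERSION):
    """The floor the server must enforce, as a TLSVersion enum member."""
    name = min(allowed_versions(current), key=TLS_VERSIONS.index)
    return _VERSION_ENUM[name]


def build_server_context(current=CURRENT_TLS_VERSION):
    """Server-side context whose negotiated version can never fall below the floor.

    Certificate loading (ctx.load_cert_chain) is left to the caller so the
    helper stays self-contained and runnable without key material.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = oldest_allowed(current)
    return ctx


def weak_server_context():
    """A context that accepts whatever the OpenSSL build allows (policy violation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_meets_policy(ctx, current=CURRENT_TLS_VERSION):
    """True when the context's floor is at least the policy floor.

    TLSVersion is an IntEnum, so the comparison is numeric; MINIMUM_SUPPORTED
    (a negative sentinel) therefore fails the check, as it should.
    """
    return ctx.minimum_version >= oldest_allowed(current)


if __name__ == "__main__":
    print("allowed:", sorted(allowed_versions(), key=TLS_VERSIONS.index))
    print("blocked:", blocked_versions())
    print("hardened context ok:", context_meets_policy(build_server_context()))
    print("weak context ok:", context_meets_policy(weak_server_context()))
```

The check in context_meets_policy is the kind of assertion a vendor can run in a deployment test so that a listener whose floor is silently lowered (for example by a library default) fails before it ships, which is what "has the ability to block" in item 7 amounts to in practice.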


Annex 1

Vendor and Property Responsibility PCI Data Security Standard Matrix