diff --git a/src/TXSOS-Registered-ForProfit/TurnkeyNetworkSystemsLLC/TurnkeyNetworkSystemsLLC-OperatingAgreement.md b/src/TXSOS-Registered-ForProfit/TurnkeyNetworkSystemsLLC/TurnkeyNetworkSystemsLLC-OperatingAgreement.md index e9c0518..ffff9a3 100644 --- a/src/TXSOS-Registered-ForProfit/TurnkeyNetworkSystemsLLC/TurnkeyNetworkSystemsLLC-OperatingAgreement.md +++ b/src/TXSOS-Registered-ForProfit/TurnkeyNetworkSystemsLLC/TurnkeyNetworkSystemsLLC-OperatingAgreement.md 
@@ -368,217 +368,259 @@ The Company hereby designates the following series as exclusive internal shared a. **Performance Standards**: Internal service providers must meet or exceed the service level agreements (SLAs) established by the Technology Oversight Committee, which shall: - i. Be documented in writing and incorporated by reference into this Agreement; + i. Be documented in writing and incorporated by reference into this Agreement - ii. Include specific, measurable performance metrics for each service category; + ii. Include specific, measurable performance metrics for each service category - iii. Establish response time requirements for various service priorities; + iii. Establish response time requirements for various service priorities - iv. Define availability requirements for critical systems; + iv. Define availability requirements for critical systems - v. Include remediation timelines for service disruptions; + v. Include remediation timelines for service disruptions - vi. Specify reporting requirements and cadence; and + vi. Specify reporting requirements and cadence - vii. Be reviewed and updated at least annually. + vii. Be reviewed and updated at least annually + + viii. Include security standards and compliance requirements b. **Competitive Pricing**: Internal service providers must offer services at pricing comparable to market rates for equivalent services, as verified by: - i. Annual independent third-party audit; + i. Annual independent third-party audit - ii. Benchmark comparison against at least three comparable external providers; + ii. Benchmark comparison against at least three comparable external providers - iii. Transparent cost-accounting as described in Section 4.6.5; and + iii. Transparent cost-accounting as described in Section 4.6.5 - iv. Quarterly pricing reviews by the Audit and Finance Committee. + iv. Quarterly pricing reviews by the Audit and Finance Committee 2. 
**Enforcement Mechanism**: The Company Committee shall be responsible for enforcing the mandatory use requirement and shall: - a. Conduct quarterly compliance reviews; + a. Conduct quarterly compliance reviews - b. Promptly investigate any reported violations; + b. Promptly investigate any reported violations - c. Issue formal findings within 30 days of any compliance investigation; and + c. Issue formal findings within 30 days of any compliance investigation - d. Recommend appropriate remedial actions to the Board. + d. Recommend appropriate remedial actions to the Board + +3. **Service Provider Dispute Resolution**: Disputes between service providers and series regarding service delivery shall be resolved through: + + a. Initial attempt at resolution between operational leaders of the service provider and series + + b. If unresolved within 15 days, escalation to the Technology Oversight Committee + + c. Formal mediation process as outlined in Schedule H if not resolved within 30 days + + d. Final binding decision by the Company Committee if mediation is unsuccessful #### 3.1.3 - Service Provider Failure Remedies 1. **Failure Determination**: An internal service provider shall be deemed to have failed if it: - a. Fails to meet established performance standards for two consecutive quarters as documented by the Technology Oversight Committee; + a. Fails to meet established performance standards for two consecutive quarters as documented by the Technology Oversight Committee b. Experiences a catastrophic service disruption lasting more than: - i. 48 hours for non-critical services; + i. 48 hours for non-critical services - ii. 24 hours for important services; or + ii. 24 hours for important services - iii. 4 hours for mission-critical services as designated in the applicable SLA; + iii. 4 hours for mission-critical services as designated in the applicable SLA - c. 
Commits a material breach of its SLA obligations that remains uncured for 30 days after written notice; or + c. Commits a material breach of its SLA obligations that remains uncured for 30 days after written notice - d. Receives substantiated service quality complaints from more than 50% of its series customers within any six-month period. + d. Receives substantiated service quality complaints from more than 50% of its series customers within any six-month period + + e. Experiences a material security or data breach that compromises sensitive information or critical infrastructure 2. **Remedies for Service Provider Failure**: Upon determination of a service provider failure, the following remedies shall be available: a. **Initial Remediation Period**: The service provider shall be granted a 60-day remediation period to: - i. Correct performance deficiencies; + i. Correct performance deficiencies - ii. Restore service levels to required standards; + ii. Restore service levels to required standards - iii. Submit a detailed improvement plan to the Technology Oversight Committee; and + iii. Submit a detailed improvement plan to the Technology Oversight Committee - iv. Implement enhanced monitoring and reporting. + iv. Implement enhanced monitoring and reporting b. **Enhanced Oversight**: During the remediation period, the service provider shall be subject to: - i. Weekly performance reviews by the Technology Oversight Committee; + i. Weekly performance reviews by the Technology Oversight Committee - ii. Implementation of additional controls and monitoring; + ii. Implementation of additional controls and monitoring - iii. Potential leadership changes as recommended by the Board; and + iii. Potential leadership changes as recommended by the Board - iv. Requirement to provide daily status reports to affected series. + iv. Requirement to provide daily status reports to affected series c. 
**Failure to Remediate**: If the service provider fails to remediate within the 60-day period, the Technology Oversight Committee may: - i. Grant a single 30-day extension if substantial progress is evident; + i. Grant a single 30-day extension if substantial progress is evident - ii. Implement a service provider replacement plan; + ii. Implement a service provider replacement plan - iii. Authorize temporary external service providers for affected services; or + iii. Authorize temporary external service providers for affected services - iv. Recommend restructuring of the service provider to the Board. + iv. Recommend restructuring of the service provider to the Board d. **Extreme Failure**: In cases of extreme failure involving critical systems, the Board may: - i. Immediately authorize use of external service providers; + i. Immediately authorize use of external service providers - ii. Remove and replace service provider leadership; + ii. Remove and replace service provider leadership - iii. Implement emergency continuity plans; and + iii. Implement emergency continuity plans - iv. Take any other actions necessary to protect the TSYS Group. + iv. Take any other actions necessary to protect the TSYS Group #### 3.1.4 - Innovation Exception Process 1. **Exception Basis**: A series may request an exception to the mandatory use requirement only on the grounds of: - a. Specialized technical requirements that cannot be met by the internal service provider; + a. Specialized technical requirements that cannot be met by the internal service provider - b. Demonstrable competitive advantage requiring specialized external solutions; + b. Demonstrable competitive advantage requiring specialized external solutions - c. Regulatory or compliance requirements that necessitate specialized external providers; or + c. Regulatory or compliance requirements that necessitate specialized external providers - d. 
Client or customer contractual requirements that mandate specific external solutions. + d. Client or customer contractual requirements that mandate specific external solutions + + e. Significant cost savings (exceeding 30%) that can be achieved through an external provider while maintaining equivalent security and quality standards 2. **Exception Request Process**: - a. Requests must be submitted in writing to the Technology Oversight Committee; + a. Requests must be submitted in writing to the Technology Oversight Committee b. Requests must include: - i. Detailed description of the required service; + i. Detailed description of the required service - ii. Documentation of business necessity; + ii. Documentation of business necessity - iii. Analysis of competitive advantage; + iii. Analysis of competitive advantage - iv. Proposed external provider information including due diligence materials; + iv. Proposed external provider information including due diligence materials - v. Security and compliance assessment; + v. Security and compliance assessment - vi. Data integration and protection plan; + vi. Data integration and protection plan - vii. Implementation timeline; and + vii. Implementation timeline - viii. Cost-benefit analysis comparing the external solution to internal alternatives. + viii. Cost-benefit analysis comparing the external solution to internal alternatives - c. The Technology Oversight Committee must respond within 45 days for standard requests and within 15 days for requests designated as time-sensitive with appropriate justification. + c. The Technology Oversight Committee must respond within 45 days for standard requests and within 15 days for requests designated as time-sensitive with appropriate justification - d. The Technology Oversight Committee must provide written justification for any denial. + d. The Technology Oversight Committee must provide written justification for any denial + + e. 
Appeals of denied exception requests may be made to the Company Committee within 15 days of denial 3. **Exception Implementation**: a. If approved, the exception shall: - i. Be documented in the electronic records system; + i. Be documented in the electronic records system - ii. Include specific scope and duration limitations; + ii. Include specific scope and duration limitations - iii. Require quarterly reviews and renewal evaluation; + iii. Require quarterly reviews and renewal evaluation - iv. Include a transition plan for eventual migration to internal services if feasible; and + iv. Include a transition plan for eventual migration to internal services if feasible - v. Include compliance monitoring to ensure continued adherence to security and integration requirements. + v. Include compliance monitoring to ensure continued adherence to security and integration requirements - b. The Technology Oversight Committee shall maintain a registry of all approved exceptions and provide quarterly reports to the Board. + b. The Technology Oversight Committee shall maintain a registry of all approved exceptions and provide quarterly reports to the Board #### 3.1.5 - Service Division Operations 1. **Operational Requirements**: Each service division shall: - a. Operate as a cost center pursuant to Section 4.6.5; + a. Operate as a cost center pursuant to Section 4.6.5 - b. Maintain transparent cost accounting with quarterly reporting to all series; + b. Maintain transparent cost accounting with quarterly reporting to all series - c. Be subject to Board oversight through appropriate committees; + c. Be subject to Board oversight through appropriate committees - d. Select and manage external vendors as needed following procurement guidelines established by the Board; + d. Select and manage external vendors as needed following procurement guidelines established by the Board - e. Develop and maintain appropriate service standards and SLAs; + e. 
Develop and maintain appropriate service standards and SLAs - f. Conduct annual customer satisfaction surveys among series; + f. Conduct annual customer satisfaction surveys among series - g. Implement continuous improvement processes with measurable objectives; + g. Implement continuous improvement processes with measurable objectives - h. Maintain appropriate cybersecurity and compliance certifications; + h. Maintain appropriate cybersecurity and compliance certifications - i. Establish disaster recovery and business continuity plans; + i. Establish disaster recovery and business continuity plans - j. Conduct quarterly technology and service reviews; and + j. Conduct quarterly technology and service reviews - k. Provide monthly service performance metrics to all series. + k. Provide monthly service performance metrics to all series + + l. Undergo annual security audits by qualified third-party firms + + m. Maintain compliance with all relevant industry standards and regulations + + n. Provide regular training to personnel on security and operational best practices 2. **Board Oversight Responsibilities**: The Board of Directors, through its committees, shall establish and oversee: - a. Performance metrics and reporting requirements; + a. Performance metrics and reporting requirements - b. Service level frameworks; + b. Service level frameworks - c. Cost allocation methodologies; + c. Cost allocation methodologies - d. Technology and service strategies; + d. Technology and service strategies - e. Vendor selection criteria; + e. Vendor selection criteria - f. Quality control measures; + f. Quality control measures - g. Dispute resolution procedures for service conflicts; + g. Dispute resolution procedures for service conflicts - h. Compliance standards and monitoring; + h. Compliance standards and monitoring - i. Cybersecurity requirements and testing; and + i. Cybersecurity requirements and testing - j. Other operational parameters as needed. + j. 
Other operational parameters as needed 3. **Service Roadmap Requirements**: Each service provider shall: - a. Maintain a three-year service development roadmap; + a. Maintain a three-year service development roadmap - b. Conduct quarterly roadmap reviews with all series; + b. Conduct quarterly roadmap reviews with all series - c. Incorporate series feedback into roadmap updates; + c. Incorporate series feedback into roadmap updates - d. Align roadmap priorities with overall TSYS Group strategic objectives; + d. Align roadmap priorities with overall TSYS Group strategic objectives - e. Include specific technology innovation initiatives; + e. Include specific technology innovation initiatives - f. Establish clear timelines for major service enhancements; and + f. Establish clear timelines for major service enhancements - g. Document resource allocation for strategic initiatives. + g. Document resource allocation for strategic initiatives + + h. Include contingency planning for emerging technologies and market shifts + + i. Identify potential security and regulatory challenges + +4. **User Experience and Feedback System**: Each service provider shall: + + a. Implement a structured feedback system accessible to all series + + b. Conduct quarterly user experience reviews + + c. Maintain a transparent issue tracking system + + d. Report on issue resolution metrics monthly + + e. Incorporate user feedback into service improvements + + f. Establish a user advisory group with representation from different series ### Section 3.2 - Electronic Records Requirement 
@@ -588,256 +630,359 @@ All records of the Company and its series shall be maintained exclusively in ele 1. **Corporate Records**: - a. Articles of organization and amendments; + * Articles of organization and amendments - b. Operating agreements (Company and series); + * Operating agreements (Company and series) - c. Board and committee meeting minutes and resolutions; + * Board and committee meeting minutes and resolutions - d. Series establishment documentation; + * Series establishment documentation - e. Regulatory filings and correspondence; + * Regulatory filings and correspondence - f. Annual reports and compliance documents; + * Annual reports and compliance documents - g. Consents and certifications; and + * Consents and certifications - h. Governance policies and procedures. + * Governance policies and procedures 2. **Financial Documentation**: - a. Financial statements and reports; + * Financial statements and reports - b. Tax returns and supporting documents; + * Tax returns and supporting documents - c. Bank statements and reconciliations; + * Bank statements and reconciliations - d. Audit reports and working papers; + * Audit reports and working papers - e. Budget and forecasting documents; + * Budget and forecasting documents - f. Expense documentation and approvals; + * Expense documentation and approvals - g. Investment records and valuations; and + * Investment records and valuations - h. Capital transactions and funding documentation. + * Capital transactions and funding documentation 3. **Member Information**: - a. Series membership records; + * Series membership records - b. Ownership transfer documentation; + * Ownership transfer documentation - c. Member contact information; + * Member contact information - d. Voting records and proxies; + * Voting records and proxies - e. Distribution documentation; + * Distribution documentation - f. Membership interest certificates; + * Membership interest certificates - g. 
Accredited investor verification materials; and + * Accredited investor verification materials - h. Member communications and notices. + * Member communications and notices 4. **Contracts and Agreements**: - a. Service provider agreements; + * Service provider agreements - b. Vendor contracts; + * Vendor contracts - c. Client agreements; + * Client agreements - d. Employment and contractor agreements; + * Employment and contractor agreements - e. Non-disclosure and confidentiality agreements; + * Non-disclosure and confidentiality agreements - f. License and permit documentation; + * License and permit documentation - g. Insurance policies and claims; and + * Insurance policies and claims - h. Settlement agreements and releases. + * Settlement agreements and releases 5. **Operational Records**: - a. Business plans and strategic documents; + * Business plans and strategic documents - b. Marketing materials and communications; + * Marketing materials and communications - c. Intellectual property documentation; + * Intellectual property documentation - d. Regulatory compliance records; + * Regulatory compliance records - e. Standard operating procedures; + * Standard operating procedures - f. Risk assessments and mitigation plans; + * Risk assessments and mitigation plans - g. Service level agreements and performance reports; and + * Service level agreements and performance reports - h. Incident reports and resolution documentation. + * Incident reports and resolution documentation + +6. **Legal and Compliance Records**: + + * Litigation documents and correspondence + + * Regulatory inquiries and responses + + * Compliance certifications and attestations + + * Legal opinions and memoranda + + * Compliance monitoring reports + + * Investigation documentation + + * Whistleblower reports and resolutions + + * Regulatory examination materials #### 3.2.2 - Electronic Record System Requirements 1. **System Architecture Requirements**: - a. 
Cloud-based primary storage with geographic redundancy across at least three separate regions; + * Cloud-based primary storage with geographic redundancy across at least three separate regions - b. Real-time backup and disaster recovery systems with recovery time objective of less than four hours and recovery point objective of less than 15 minutes; + * Real-time backup and disaster recovery systems with recovery time objective of less than four hours and recovery point objective of less than 15 minutes - c. Multi-factor authentication access controls for all users; + * Multi-factor authentication access controls for all users - d. Minimum AES-256 encryption at rest and TLS 1.3 encryption in transit; + * Minimum AES-256 encryption at rest and TLS 1.3 encryption in transit - e. Comprehensive API integration capabilities for authorized systems; + * Comprehensive API integration capabilities for authorized systems - f. Automated compliance monitoring and reporting; + * Automated compliance monitoring and reporting - g. System availability of at least 99.9% measured monthly; and + * System availability of at least 99.9% measured monthly - h. Automated system health monitoring with real-time alerts for anomalies. + * Automated system health monitoring with real-time alerts for anomalies + + * Data segregation mechanisms to ensure series isolation at the data level + + * Zero-trust security architecture with least privilege access controls 2. **Audit Trail Requirements**: - a. Immutable version control with blockchain verification; + * Immutable version control with blockchain verification - b. Comprehensive change logging with user identification; + * Comprehensive change logging with user identification - c. Cryptographically secured time and date stamping; + * Cryptographically secured time and date stamping - d. Complete document access history retention; + * Complete document access history retention - e. 
Detailed modification tracking with before/after comparisons; + * Detailed modification tracking with before/after comparisons - f. User activity logs retained for a minimum of seven years; + * User activity logs retained for a minimum of seven years - g. Tamper-evident logging mechanisms; and + * Tamper-evident logging mechanisms - h. Regular audit trail verification procedures. + * Regular audit trail verification procedures + + * Separation of audit trail storage from primary document storage + + * Real-time anomaly detection for suspicious activity 3. **Access Control Requirements**: - a. Role-based access management with principle of least privilege; + * Role-based access management with principle of least privilege - b. Granular permission settings at the document and field level; + * Granular permission settings at the document and field level - c. Secure user authentication with biometric options; + * Secure user authentication with biometric options - d. Automatic session monitoring and timeout after 15 minutes of inactivity; + * Automatic session monitoring and timeout after 15 minutes of inactivity - e. Comprehensive remote access protocols with enhanced security; + * Comprehensive remote access protocols with enhanced security - f. Quarterly access rights review and certification; + * Quarterly access rights review and certification - g. Privileged access management with enhanced monitoring; and + * Privileged access management with enhanced monitoring - h. Separation of duties for critical functions. + * Separation of duties for critical functions + + * Emergency access protocols with required post-access reviews + + * Continuous monitoring of access patterns to detect anomalies 4. **Retention and Archiving Requirements**: - a. Automated retention scheduling based on document type; + * Automated retention scheduling based on document type - b. 
Secure archiving protocols with integrity verification; + * Secure archiving protocols with integrity verification - c. Legal hold implementation capabilities; + * Legal hold implementation capabilities - d. Defensible destruction procedures with verification; + * Defensible destruction procedures with verification - e. Archive access controls with separate authentication; + * Archive access controls with separate authentication - f. Retention periods compliant with all applicable regulations; + * Retention periods compliant with all applicable regulations - g. Annual retention policy reviews; and + * Annual retention policy reviews - h. Secure backup archives maintained in geographically separate locations. + * Secure backup archives maintained in geographically separate locations + + * Immutable storage for critical records to prevent tampering + + * Regular retrieval testing to ensure archive accessibility + +5. **Data Privacy Requirements**: + + * Compliance with all applicable data privacy laws and regulations + + * Data minimization and purpose limitation controls + + * Data subject access request management capabilities + + * Consent tracking and management + + * Privacy impact assessment documentation + + * Cross-border data transfer compliance mechanisms + + * Data classification and handling procedures + + * Privacy by design implementation in system architecture #### 3.2.3 - Compliance and Security Standards 1. **Required Compliance Standards**: The electronic records system shall comply with: - a. SOC 2 Type II standards; + * SOC 2 Type II standards - b. ISO 27001 Information Security standards; + * ISO 27001 Information Security standards - c. NIST Cybersecurity Framework; + * NIST Cybersecurity Framework - d. GDPR and other applicable privacy regulations; + * GDPR and other applicable privacy regulations - e. HIPAA requirements for any protected health information; + * HIPAA requirements for any protected health information - f. 
Applicable industry-specific regulations; and + * Applicable industry-specific regulations - g. All federal, state, and local records retention requirements. + * All federal, state, and local records retention requirements + + * PCI-DSS compliance for payment card data if applicable + + * CCPA and similar state privacy laws + + * Records management standards (ISO 15489) 2. **Security Protocols**: - a. Quarterly vulnerability assessments; + * Quarterly vulnerability assessments - b. Annual penetration testing by independent third parties; + * Annual penetration testing by independent third parties - c. Continuous security monitoring; + * Continuous security monitoring - d. Incident response plan with testing; + * Incident response plan with testing - e. Employee security awareness training; + * Employee security awareness training - f. Data loss prevention controls; + * Data loss prevention controls - g. Endpoint security management; and + * Endpoint security management - h. Zero-trust network architecture implementation. + * Zero-trust network architecture implementation + + * Advanced threat protection measures + + * Regular phishing and social engineering testing + + * Secure development practices for system enhancements + + * Supply chain security assessment for third-party components 3. **System Administration**: - a. Centralized administration by Known Element Enterprises; + * Centralized administration by Known Element Enterprises - b. Documentation of all system configurations; + * Documentation of all system configurations - c. Change management processes for system modifications; + * Change management processes for system modifications - d. Segregation of duties for administrative functions; + * Segregation of duties for administrative functions - e. Backup administrator credentials securely stored with the Company Committee; + * Backup administrator credentials securely stored with the Company Committee - f. 
Automated system health monitoring; and + * Automated system health monitoring - g. Capacity planning and performance optimization protocols. + * Capacity planning and performance optimization protocols + + * Regular administrator access reviews and rotations + + * Privileged access monitoring and logging + + * Regular security training for system administrators #### 3.2.4 - Implementation and Verification 1. **System Implementation Timeline**: - a. Full implementation of all electronic record requirements within 90 days of the Effective Date; + * Full implementation of all electronic record requirements within 90 days of the Effective Date - b. Phased migration approach with priority for critical documents; + * Phased migration approach with priority for critical documents - c. Verification and testing of all system components before full deployment; and + * Verification and testing of all system components before full deployment - d. Post-implementation review within 30 days of completion. + * Post-implementation review within 30 days of completion + + * Remediation plan for any identified deficiencies with 15-day completion requirement 2. **Compliance Verification**: - a. Quarterly system compliance audits; + * Quarterly system compliance audits - b. Annual third-party security assessments; + * Annual third-party security assessments - c. Bi-annual disaster recovery testing; + * Bi-annual disaster recovery testing - d. Monthly backup verification procedures; and + * Monthly backup verification procedures - e. Continuous monitoring of compliance with regulatory requirements. + * Continuous monitoring of compliance with regulatory requirements + + * Regular penetration testing by qualified security professionals + + * Independent verification of encryption implementation + + * Periodic testing of access controls and segregation 3. **Documentation Requirements**: - a. 
Comprehensive system documentation maintained and updated; + * Comprehensive system documentation maintained and updated - b. User manuals and training materials for all series members; + * User manuals and training materials for all series members - c. Recovery procedures clearly documented and tested; and + * Recovery procedures clearly documented and tested - d. Compliance certifications maintained and renewed as required. - + * Compliance certifications maintained and renewed as required + + * Security incident response procedures + + * Business continuity plans + + * System architecture diagrams + + * Data flow maps +4. **Operational Resilience**: + * Regular business impact analysis to identify critical functions + + * Multiple redundancy layers for critical systems + + * Periodic failover testing to secondary systems + + * Distributed denial of service (DDoS) attack mitigation measures + + * Alternative access methods for emergency situations + + * Incident response simulations at least twice annually + + * Cross-training of key personnel for system recovery procedures + + * Vendor dependency assessment and alternative provider identification ### Section 3.3 - Mandatory Capital Raising Requirements #### 3.3.1 - Exclusive Capital Channel
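Review bot: In the first hunk (@@ -368), dropping the trailing "or" from the Failure Determination list in 3.1.3(1) and from the Exception Basis list in 3.1.4(1) leaves it unstated whether a single condition is enough or all of them must hold; the removed lines read `c. ... uncured for 30 days after written notice; or` and `c. ... necessitate specialized external providers; or`. Restore the conjunction, or put "any of the following" in the sentence that introduces each list. The new item 3.1.3(1)(e), `Experiences a material security or data breach ...`, also needs a definition of "material" and a statement of whether a breach goes through the 60-day Initial Remediation Period in 2(a) or straight to the Extreme Failure path in 2(d); as added, a breached provider gets the same remediation window as one that missed an SLA. In the new 3.1.2(3), say whether the 30 days in (c) run from the start of the dispute or from the escalation in (b).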
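Review bot: In the second hunk (@@ -588), several added controls have no cadence, unlike the items around them: `Regular penetration testing by qualified security professionals` in 3.2.4(2) sits beside `Annual third-party security assessments` and overlaps `Annual penetration testing by independent third parties` in 3.2.3(2), and `Regular administrator access reviews and rotations` in 3.2.3(3) gives no interval while 3.2.2(3) already requires a quarterly access rights review. State an interval for each, or point to the existing item, so an auditor has something to test against. The new `Immutable storage for critical records to prevent tampering` in 3.2.2(4) should also say how it interacts with `Defensible destruction procedures with verification` in the same list and with the data subject request handling added in 3.2.2(5), and which records count as critical. Separately, replacing the `a.` to `h.` labels with `*` bullets throughout 3.2.1 to 3.2.4 removes the item identifiers, so an individual requirement can no longer be cited; Section 3.1 in the same patch keeps its lettered items, and keeping them here would be consistent.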