### Section 3.1 - Mandatory Service Provider Framework #### Section 3.1.1 - Designated Internal Service Providers 1. **Exclusive Service Designation**: The Company hereby designates the following series as exclusive internal shared service providers for all TSYS Group entities: a. **Information Technology Services Provider**: Known Element Enterprises (series) LLC shall serve as the Company's exclusive provider of all IT Services as defined in Article 2 and further detailed in Schedule A to this Agreement. b. **Financial Services Provider**: The Campus Trading Company (series) LLC shall serve as the Company's exclusive provider of all Transaction and Treasury Services as defined in Article 2 and further detailed in Schedule B to this Agreement. 2. **Service Provider Independence**: Each designated service provider shall maintain: a. Operational independence regarding service delivery methodologies b. Technology selection autonomy within Board-approved parameters c. Resource allocation flexibility to meet established service levels d. Staffing and personnel management authority e. Implementation discretion for approved service initiatives 3. **Term of Designation**: These service provider designations shall: a. Remain in effect for the duration of this Agreement b. Be reviewed by the Board at least every three (3) years c. Be subject to revocation only under the extreme failure provisions of Section 3.1.3(2)(d) d. Be transferable to successor entities only with Board approval 4. **Regulatory Compliance Obligations**: Each designated service provider shall: a. Maintain all licenses, certifications, and registrations required by applicable law for their services b. Implement and maintain compliance programs appropriate to their service offerings c. Conduct annual compliance risk assessments d. Provide quarterly compliance reports to the Technology Oversight Committee e. Promptly notify the Company Committee of any regulatory inquiries, investigations, or compliance issues f. Maintain documentation of compliance with industry standards and regulations g. Conduct annual compliance training for all service provider personnel #### Section 3.1.2 - Mandatory Use Requirement 1. **Primary Provider Obligation**: All series shall utilize the designated internal service providers as their exclusive service solution providers for the services described in Section 3.1.1, subject to the following conditions: a. **Performance Standards**: Internal service providers must meet or exceed the service level agreements (SLAs) established by the Technology Oversight Committee, which shall: i. Be documented in writing and incorporated by reference into this Agreement ii. Include specific, measurable performance metrics for each service category iii. Establish response time requirements for various service priorities iv. Define availability requirements for critical systems v. Include remediation timelines for service disruptions vi. Specify reporting requirements and cadence vii. Be reviewed and updated at least annually viii. Include security standards and compliance requirements ix. Establish escalation procedures for service issues x. Define problem severity classification and associated response times xi. Include customer satisfaction measurement requirements xii. Establish change management procedures and notice requirements xiii. Include data protection and privacy requirements xiv. Specify disaster recovery and business continuity standards xv. Define incident response protocols and timeframes b. **Competitive Pricing**: Internal service providers must offer services at pricing comparable to market rates for equivalent services, as verified by: i. Annual independent third-party audit ii. Benchmark comparison against at least three comparable external providers iii. Transparent cost-accounting as described in Section 4.6.5 iv. Quarterly pricing reviews by the Audit and Finance Committee v. Documentation of all cost allocation methodologies vi. Publication of rate cards to all series members vii. Advance notice of at least sixty (60) days for any rate increases viii. Cap on annual price increases tied to relevant industry indexes ix. Volume discounting mechanisms for large series x. Regular market comparison reporting to all series 2. **Enforcement Mechanism**: The Company Committee shall be responsible for enforcing the mandatory use requirement and shall: a. Conduct quarterly compliance reviews b. Promptly investigate any reported violations c. Issue formal findings within 30 days of any compliance investigation d. Recommend appropriate remedial actions to the Board e. Maintain a centralized compliance tracking system f. Publish anonymized compliance reports to all series g. Establish escalating penalties for repeated non-compliance h. Implement a confidential reporting system for compliance concerns i. Provide compliance training resources to all series j. Conduct annual compliance audits of all series and service providers 3. **Service Provider Dispute Resolution**: Disputes between service providers and series regarding service delivery shall be resolved through: a. Initial attempt at resolution between operational leaders of the service provider and series b. If unresolved within 15 days, escalation to the Technology Oversight Committee c. Formal mediation process as outlined in Schedule H if not resolved within 30 days d. Final binding decision by the Company Committee if mediation is unsuccessful e. Documentation of all disputes and resolutions in the electronic records system f. Quarterly dispute trends analysis and reporting to the Board g. Implementation of dispute reduction strategies based on trend analysis h. Establishment of proactive relationship management protocols i. Joint service improvement planning between service providers and series j. Emergency escalation pathway for critical service disputes 4. **Service Level Agreement Governance**: a. SLAs shall be: i. Developed with input from all series ii. Reviewed and approved by the Technology Oversight Committee iii. Published in the electronic records system iv. Monitored through automated performance measurement systems v. Subject to quarterly performance reviews b. SLA modifications shall: i. Require Technology Oversight Committee approval ii. Include a comment period for series feedback iii. Provide at least 60 days' notice before implementation iv. Include transition support for material changes #### Section 3.1.3 - Service Provider Failure Remedies 1. **Failure Determination**: An internal service provider shall be deemed to have failed if it: a. Fails to meet established performance standards for two consecutive quarters as documented by the Technology Oversight Committee b. Experiences a catastrophic service disruption lasting more than: i. 48 hours for non-critical services ii. 24 hours for important services iii. 4 hours for mission-critical services as designated in the applicable SLA c. Commits a material breach of its SLA obligations that remains uncured for 30 days after written notice d. Receives substantiated service quality complaints from more than 50% of its series customers within any six-month period e. Experiences a material security or data breach that compromises sensitive information or critical infrastructure f. Fails to implement required security patches or updates within timeframes specified in the SLA g. Demonstrates a pattern of repeated service deficiencies that, while individually not constituting failures, collectively indicate systemic issues h. Violates applicable regulatory requirements resulting in material penalties or compliance issues i. Fails to maintain required certifications or qualifications j. Loses key personnel without adequate succession planning and replacement 2. **Remedies for Service Provider Failure**: Upon determination of a service provider failure, the following remedies shall be available: a. **Initial Remediation Period**: The service provider shall be granted a 60-day remediation period to: i. Correct performance deficiencies ii. Restore service levels to required standards iii. Submit a detailed improvement plan to the Technology Oversight Committee iv. Implement enhanced monitoring and reporting v. Engage third-party expertise if necessary vi. Conduct root cause analysis of failures vii. Implement preventative measures viii. Establish interim service arrangements if necessary ix. Provide regular progress reports x. Compensate affected series according to SLA terms b. **Enhanced Oversight**: During the remediation period, the service provider shall be subject to: i. Weekly performance reviews by the Technology Oversight Committee ii. Implementation of additional controls and monitoring iii. Potential leadership changes as recommended by the Board iv. Requirement to provide daily status reports to affected series v. Temporary management augmentation with qualified personnel vi. Independent third-party oversight of remediation efforts vii. Additional resource allocation requirements viii. Temporary suspension of new service initiatives ix. Mandatory executive briefings to the Board x. Implementation of emergency escalation procedures c. **Failure to Remediate**: If the service provider fails to remediate within the 60-day period, the Technology Oversight Committee may: i. Grant a single 30-day extension if substantial progress is evident ii. Implement a service provider replacement plan iii. Authorize temporary external service providers for affected services iv. Recommend restructuring of the service provider to the Board v. Appoint temporary executive leadership vi. Accelerate training of backup personnel vii. Implement contingency service arrangements viii. Adjust pricing to reflect reduced service levels ix. Impose financial penalties as specified in the SLA x. Develop long-term service provider transition plan d. **Extreme Failure**: In cases of extreme failure involving critical systems, the Board may: i. Immediately authorize use of external service providers ii. Remove and replace service provider leadership iii. Implement emergency continuity plans iv. Take any other actions necessary to protect the TSYS Group v. Establish an emergency governance committee vi. Suspend normal approval processes for emergency actions vii. Allocate emergency funding for service restoration viii. Engage specialized crisis management expertise ix. Implement rapid knowledge transfer protocols x. Authorize extraordinary measures to protect data and assets 3. **Service Continuity Protection**: To ensure continuity of critical services: a. Each service provider shall maintain: i. Comprehensive business continuity and disaster recovery plans ii. Documented systems and operational procedures iii. Knowledge transfer protocols for critical functions iv. Cross-training programs for essential personnel v. Backup systems and redundancies for critical infrastructure vi. Geographically distributed infrastructure to mitigate regional disruptions vii. Regularly tested incident response procedures viii. Alternative service delivery methods for emergency situations ix. Secure offline backups of critical data and configurations x. Emergency communication protocols and systems b. The Technology Oversight Committee shall: i. Conduct annual disaster recovery testing ii. Maintain relationships with qualified backup service providers iii. Regularly review and update continuity plans iv. Ensure proper escrow of critical system information v. Validate recovery time and point objectives vi. Coordinate cross-series business continuity planning vii. Establish emergency decision-making protocols viii. Maintain emergency contact information for all key personnel ix. Implement crisis management training for leadership x. Develop communications templates for various disruption scenarios 4. **Security Incident Response Protocol**: a. Upon detection of any security incident, service providers shall: i. Immediately activate the incident response team ii. Contain and mitigate the incident according to established procedures iii. Notify the Technology Oversight Committee within timeframes specified in the SLA iv. Document all aspects of the incident and response v. Conduct forensic analysis to determine scope and impact vi. Implement required remediation measures vii. Provide detailed post-incident reports viii. Update security controls based on lessons learned ix. Conduct additional security testing as needed x. Comply with all regulatory notification requirements b. The Technology Oversight Committee shall: i. Review all security incidents and response activities ii. Ensure appropriate remediation measures are implemented iii. Determine if the incident constitutes a service provider failure iv. Coordinate communications regarding the incident v. Oversee regulatory compliance related to the incident #### Section 3.1.4 - Innovation Exception Process 1. **Exception Basis**: A series may request an exception to the mandatory use requirement only on the grounds of: a. Specialized technical requirements that cannot be met by the internal service provider b. Demonstrable competitive advantage requiring specialized external solutions c. Regulatory or compliance requirements that necessitate specialized external providers d. Client or customer contractual requirements that mandate specific external solutions e. Significant cost savings (exceeding 30%) that can be achieved through an external provider while maintaining equivalent security and quality standards f. Emerging technology that provides substantial business advantage not available through internal providers g. Temporary capacity limitations of internal providers during high-growth periods h. Specialized expertise requirements for limited duration projects i. Unique geographical requirements not efficiently served by internal providers j. Legacy systems integration requirements that internal providers cannot efficiently support 2. **Exception Request Process**: a. Requests must be submitted in writing to the Technology Oversight Committee b. Requests must include: i. Detailed description of the required service ii. Documentation of business necessity iii. Analysis of competitive advantage iv. Proposed external provider information including due diligence materials v. Security and compliance assessment vi. Data integration and protection plan vii. Implementation timeline viii. Cost-benefit analysis comparing the external solution to internal alternatives ix. Risk assessment for the proposed exception x. Transition plan to internal providers if applicable xi. Metrics for measuring success of the exception xii. Governance controls for the external provider relationship xiii. Detailed vendor security assessment including SOC 2 reports or equivalent xiv. Data processing requirements and compliance documentation xv. Exit strategy and data retrieval procedures c. The Technology Oversight Committee must respond within 45 days for standard requests and within 15 days for requests designated as time-sensitive with appropriate justification d. The Technology Oversight Committee must provide written justification for any denial e. Appeals of denied exception requests may be made to the Company Committee within 15 days of denial f. The Company Committee shall render a final decision within 30 days of appeal receipt g. Denials that substantially impact business operations may be further appealed to the Board in extreme circumstances h. The Board shall establish an expedited review process for critical exception appeals i. All decisions shall be documented in the electronic records system j. Precedential decisions shall be published as guidance for future requests 3. **Exception Implementation**: a. If approved, the exception shall: i. Be documented in the electronic records system ii. Include specific scope and duration limitations iii. Require quarterly reviews and renewal evaluation iv. Include a transition plan for eventual migration to internal services if feasible v. Include compliance monitoring to ensure continued adherence to security and integration requirements vi. Specify data security and access controls vii. Establish service level requirements for the external provider viii. Define clear exit criteria and termination procedures ix. Establish integration requirements with existing systems x. Include knowledge transfer provisions to internal providers xi. Specify contract provisions required for external providers xii. Include mandatory security provisions for vendor contracts xiii. Require right-to-audit clauses for all external provider agreements xiv. Include business continuity requirements for external providers xv. Specify data ownership and return provisions upon termination 4. **Exception Renewal and Termination**: a. All exceptions shall have a defined term, not to exceed one (1) year unless specifically approved by the Board b. Renewal requests must be submitted at least 60 days prior to exception expiration c. Renewal requests shall include: i. Performance assessment of the external provider ii. Continued justification for the exception iii. Analysis of any changes in internal provider capabilities iv. Updated security and compliance assessment v. Documentation of ongoing business necessity vi. Evaluation of transition feasibility to internal providers vii. Updated cost-benefit analysis viii. Review of security and compliance incidents d. Exceptions may be terminated prior to expiration if: i. The external provider fails to meet service requirements ii. Internal provider capabilities evolve to meet the requirement iii. The business need for the exception no longer exists iv. Security or compliance concerns arise v. The series fails to comply with exception conditions vi. The Board or Company Committee determines termination is in the best interest of the Company vii. The external provider experiences a material security breach viii. Regulatory requirements necessitate termination 5. **Exception Registry and Oversight**: a. The Technology Oversight Committee shall maintain a registry of all exceptions that includes: i. Exception scope and justification ii. Approval date and expiration iii. External provider details iv. Performance metrics v. Review history vi. Renewal status vii. Documented exceptions to standard requirements viii. Security assessment status ix. Integration documentation x. Compliance verification b. The Company Committee shall: i. Receive quarterly reports on all exceptions ii. Review any exceptions with security or compliance concerns iii. Provide oversight for exception volume and patterns iv. Identify trends that may indicate internal service provider gaps v. Review strategic implications of exceptions #### Section 3.1.5 - Service Division Operations 1. **Operational Requirements**: Each service division shall: a. Operate as a cost center pursuant to Section 4.6.5 b. Maintain transparent cost accounting with quarterly reporting to all series c. Be subject to Board oversight through appropriate committees d. Select and manage external vendors as needed following procurement guidelines established by the Board e. Develop and maintain appropriate service standards and SLAs f. Conduct annual customer satisfaction surveys among series g. Implement continuous improvement processes with measurable objectives h. Maintain appropriate cybersecurity and compliance certifications i. Establish disaster recovery and business continuity plans j. Conduct quarterly technology and service reviews k. Provide monthly service performance metrics to all series l. Undergo annual security audits by qualified third-party firms m. Maintain compliance with all relevant industry standards and regulations n. Provide regular training to personnel on security and operational best practices o. Establish and maintain risk management frameworks appropriate to service offerings p. Implement formal change management processes for service modifications q. Document all service procedures and maintain operational manuals r. Establish quality control procedures with measurable outcomes s. Participate in industry benchmarking and best practice forums t. Maintain appropriate insurance coverage for service operations u. Implement privacy and data protection measures aligned with global best practices v. Maintain environmental sustainability practices for services and infrastructure w. Develop and implement service accessibility standards x. Engage in technology forecasting and future-proofing strategies y. Maintain service knowledge bases for user self-service 2. **Board Oversight Responsibilities**: The Board of Directors, through its committees, shall establish and oversee: a. Performance metrics and reporting requirements b. Service level frameworks c. Cost allocation methodologies d. Technology and service strategies e. Vendor selection criteria f. Quality control measures g. Dispute resolution procedures for service conflicts h. Compliance standards and monitoring i. Cybersecurity requirements and testing j. Other operational parameters as needed k. Capital investment approval thresholds and procedures l. Strategic technology alignment with Company objectives m. Innovation funding and initiatives n. Risk management standards and assessment methodologies o. Succession planning for critical service leadership positions p. Information security governance framework q. User experience standards and accessibility requirements r. Ethical technology use policies s. Data governance and management policies t. Technology procurement standards 3. **Service Roadmap Requirements**: Each service provider shall: a. Maintain a three-year service development roadmap b. Conduct quarterly roadmap reviews with all series c. Incorporate series feedback into roadmap updates d. Align roadmap priorities with overall TSYS Group strategic objectives e. Include specific technology innovation initiatives f. Establish clear timelines for major service enhancements g. Document resource allocation for strategic initiatives h. Include contingency planning for emerging technologies and market shifts i. Identify potential security and regulatory challenges j. Document required competency development for service evolution k. Establish metrics for measuring roadmap progress l. Identify capacity planning requirements for future growth m. Include technology retirement planning for legacy systems n. Document integration strategies with complementary technologies o. Align with industry standards and best practices p. Address environmental sustainability considerations q. Include accessibility enhancement initiatives r. Document risk mitigation strategies for roadmap elements s. Identify strategic partnerships required for implementation t. Include total cost of ownership projections 4. **User Experience and Feedback System**: Each service provider shall: a. Implement a structured feedback system accessible to all series b. Conduct quarterly user experience reviews c. Maintain a transparent issue tracking system d. Report on issue resolution metrics monthly e. Incorporate user feedback into service improvements f. Establish a user advisory group with representation from different series g. Maintain a knowledge base of common issues and solutions h. Publish service disruption post-mortems and remediation plans i. Implement a suggestion system for service improvements j. Develop service usage analytics to identify improvement opportunities k. Establish formal user acceptance testing for major changes l. Conduct annual service satisfaction benchmarking m. Implement training programs to optimize user adoption n. Create user communities for knowledge sharing and collaboration o. Recognize and reward user contributions to service improvement p. Develop user experience standards and guidelines q. Implement accessibility testing for all services r. Establish service personalization capabilities where appropriate s. Conduct regular usability testing t. Implement user journey mapping for key service interactions #### Section 3.1.6 - Service Quality Management 1. **Quality Assurance Framework**: Each service provider shall implement: a. Formal quality management systems with defined processes b. Regular internal audits of service quality c. Root cause analysis for service incidents d. Preventative action plans for recurring issues e. Service performance trend analysis and reporting f. Continuous service monitoring and alerting systems g. Regular process improvement reviews h. Customer impact assessment for all service changes i. Post-implementation reviews of major service changes j. Quality metrics aligned with business outcomes k. Quality control gates throughout service delivery processes l. Independent quality assurance function within the organization m. Regular assessment against industry frameworks such as ITIL, COBIT, and ISO standards n. Automated quality control mechanisms where applicable o. Defect tracking and remediation processes 2. **Continuous Improvement Requirements**: a. Each service provider shall establish annual improvement goals for: i. Service availability and reliability ii. Response and resolution times iii. Customer satisfaction ratings iv. Cost efficiency metrics v. Security posture and compliance vi. Operational efficiency vii. Technical debt reduction viii. Environmental sustainability ix. Accessibility compliance x. Innovation implementation b. Progress toward improvement goals shall be: i. Measured and reported quarterly ii. Reviewed by the Technology Oversight Committee iii. Incorporated into service provider performance evaluations iv. Tied to leadership compensation where applicable v. Communicated transparently to all series vi. Analyzed for patterns and trends vii. Used to inform subsequent improvement objectives viii. Benchmarked against industry standards ix. Documented with clear methodologies x. Subject to independent verification 3. **Service Provider Collaboration**: Service providers shall: a. Establish formal coordination mechanisms between providers b. Conduct joint planning for interdependent services c. Implement integrated incident management for cross-service issues d. Share expertise and resources for mutual improvement e. Develop and maintain integrated service catalogs f. Establish clear handoff procedures for cross-service processes g. Conduct joint disaster recovery exercises h. Develop integrated security frameworks i. Implement compatible technology standards j. Coordinate service maintenance windows k. Establish joint innovation initiatives l. Harmonize user experience across service boundaries m. Implement compatible data governance frameworks n. Coordinate capacity planning activities o. Share customer feedback and improvement opportunities 4. **Performance Measurement System**: a. Each service provider shall implement a comprehensive performance measurement system that: i. Collects and analyzes quantitative and qualitative performance data ii. Includes automated performance dashboards accessible to all series iii. Tracks performance against SLA commitments iv. Identifies trends and patterns in service performance v. Provides early warning of potential service issues vi. Includes customer satisfaction measurement vii. Monitors key technical and operational metrics viii. Compares performance against industry benchmarks ix. Supports continuous improvement initiatives x. Informs strategic planning decisions b. Performance metrics shall include: i. System availability and reliability ii. Response and resolution times iii. Transaction processing performance iv. Security metrics v. Cost efficiency vi. Customer satisfaction vii. Process efficiency viii. Innovation implementation ix. Technical debt reduction x. Environmental sustainability #### Section 3.1.7 - Technology Evolution and Innovation 1. **Innovation Requirements**: To maintain competitive service offerings, service providers shall: a. Allocate a minimum of 10% of their resources to innovation and new technology evaluation b. Establish formal mechanisms for evaluating emerging technologies c. Develop proof-of-concept processes for promising innovations d. Create safe experimental environments for testing new technologies e. Partner with series to pilot innovative solutions f. Report quarterly on innovation initiatives and outcomes g. Participate in industry forums and research communities h. Establish relationships with technology research organizations i. Develop internal innovation incentive programs j. Create processes for scaling successful innovations k. Maintain an innovation pipeline with short, medium, and long-term initiatives l. Establish innovation governance processes m. Implement formal ideation and evaluation methodologies n. Develop metrics for measuring innovation effectiveness o. Establish intellectual property protection for innovations 2. **Technology Currency**: Service providers shall: a. Maintain all technologies within manufacturer-supported versions b. Establish and follow formal technology lifecycle policies c. Provide 12-month advance notice for significant technology transitions d. Maintain compatibility with industry-standard technologies e. Ensure backward compatibility when feasible f. Provide migration support for technology transitions g. Document technology roadmaps with sunset dates h. Assess and mitigate risks associated with aging technologies i. Balance innovation with stability and security requirements j. Provide training for series personnel on new technologies k. Establish formal technology debt tracking and remediation processes l. Implement architectural review processes for technology decisions m. Document technology standards and compliance requirements n. Maintain compatibility testing environments o. Develop clear upgrade paths for all major systems 3. **Market Alignment**: The Technology Oversight Committee shall: a. Conduct annual assessments of market-competitive technologies b. Benchmark internal services against industry leaders c. Identify service gaps and deficiencies d. Recommend strategic technology investments e. Monitor industry trends and disruptions f. Assess competitive threats from new technologies g. Evaluate acquisition opportunities for technology advancement h. Define technology standards aligned with industry direction i. Forecast future technology requirements j. Report significant findings to the Board k. Develop strategies to address identified gaps l. Coordinate market research across service providers m. Identify cross-service technology opportunities n. Assess regulatory and compliance technology requirements o. Evaluate technology sustainability and environmental impact 4. **Emerging Technology Adoption Framework**: a. The Technology Oversight Committee shall establish a framework for evaluating and adopting emerging technologies that includes: i. Formal evaluation criteria ii. Risk assessment methodology iii. Return on investment analysis iv. Pilot program guidelines v. Success metrics vi. Security assessment requirements vii. Compliance review process viii. Integration evaluation ix. Scalability assessment x. User impact analysis xi. Total cost of ownership projection xii. Support and maintenance requirements xiii. Skill development needs xiv. Competitive advantage assessment xv. Implementation planning requirements b. Emerging technology adoption shall follow a staged approach: i. Initial assessment and research ii. Proof of concept in isolated environment iii. Limited pilot with selected users iv. Controlled production implementation v. Full deployment with appropriate controls vi. Continuous evaluation and optimization