
Standard Services Offerings Schedule

The Standard Services Offerings set forth in this document may be purchased using Subscription Services, Service Credits, or Professional Services. The Standard Services Offerings may be modified by Ncontracts from time to time.

Vendor Management Content, Compliance, and Forms

The Vendor Management Component comes with the following forms integrated into the system:

a. Vendor Management Board Policy

b. New Vendor Analysis

c. Classification Guidelines

d. Legal Contract Review Checklist

e. New Vendor Due Diligence

f. Existing Vendor Due Diligence

g. Vendor Risk Assessment

h. SOC Review

Ncontracts will update the forms as compliance regulations change.

Ncontracts provides ongoing monitoring of the compliance requirements of the federal banking agencies and prepares the necessary program updates to meet the applicable compliance requirements of the federal banking agencies. Ncontracts will review any written examination question or finding of non-compliance and provide commercially reasonable assistance to Client in any necessary response, program action or update to ensure compliance.

Ncontracts will not be responsible to Client for any review of examination findings or response assistance if Client fails to substantially use or materially modifies the vendor classification criteria or due diligence and risk assessment question set(s) for any critical or significant classified vendors.

Contract Legal Risk Review (Risk Review) and Legal Contract Review (Redline Review)

1. For each Contract Legal Risk Review (Risk Review) ordered under an Exhibit or addendum to the Agreement, Ncontracts will:

a. Review each vendor agreement for contractual, legal and regulatory risk issues and provide a risk analysis of the key terms. Where appropriate, Ncontracts will provide comments and information on contract provisions to alert Client of the risk(s) presented (Risk Review).

2. For each Legal Contract Review (Redline Review) ordered under an Exhibit or addendum to the Agreement, Ncontracts will:

a. Review each vendor agreement for contractual, legal and regulatory risk issues and provide recommended contract revisions and supporting comments reasonably necessary to protect Client and mitigate identified risks (Redline Review).

b. Each review shall include an initial redlined contract review and one follow-up vendor response review, if applicable.

3. Miscellaneous Terms

a. Expedited Review turnaround is 3 business days, provided on an as-available basis.

4. Exclusions

a. Contracts for business transactions, acquisitions or unique relationships.

b. Core System Vendor Contracts.

c. Contracts & Schedules exceeding 25 pages.

d. Contracts with Contract Amount exceeding $1 million.

e. Follow up redline revisions after the first vendor response with each Legal Contract Review.

f. Discussions, reviews or negotiation following the completed Legal Contract Review.

5. Limitations. Client understands and agrees that the Contract Legal Risk Review (Risk Review) service is not intended to be a redlining, drafting, or contract negotiation service, but is simply to identify risk issues on less significant or lesser-dollar contracts. The Legal Risk Review service is not recommended for critical and significant vendor contracts.

Compliance Management System (CMS) Content and Services

If requested by Client, CMS content and services can be provided to Client as described below.

1. Ownership. Ncontracts is the owner of all right, title, and interest, or otherwise has and will have the necessary rights and consents, in and relating to the services and content it provides hereunder. Client acknowledges that the content provided hereunder (i) is a valuable asset and trade secret of the content owner, (ii) that the content owner has an exclusive, copyrighted property right and interest in such services and Compliance Management content, and (iii) Client agrees to protect all information related to such content from unauthorized disclosure, copying, or use.

2. Compliance Management Regulatory Content. Ncontracts shall regularly provide Client with compliance resources of federal regulatory actions affecting the compliance and operations of financial institutions containing the following regulatory content which will be integrated into the CMS software:

a. Relevant NCUA, FDIC, FFIEC, OCC, FRB, CFPB, FTC & IRS regulatory compliance alerts which will include:

• Regulatory Update Name

• Mandatory Compliance Date

• Scope & Applicability

• Agency(ies)

• Executive Summary

• Exemption Thresholds (if applicable)

• Impacted Areas

• Action Items

• Frequently Asked Questions (if applicable)

• Additional Resources

3. Scope of Services. The provision of regulatory content by Ncontracts hereunder does not establish an attorney-client relationship between Ncontracts (including any Ncontracts subcontractor) and Client, and does not entitle Client to additional regulatory compliance or legal support.

4. Not Legal Advice. The regulatory content provided by Ncontracts hereunder is intended for informational purposes and is not offered as legal advice.

ITRM Module Content

The ITRM Content comes with the following:

1. IT Risk Categories. IT Risk Categories are logical groupings of all known types of threats to information and information systems. The risk categories are the focal point of the streamlined IT risk management methodology. The methodology groups known threats into risk categories that are mitigated using corresponding security control categories, to simplify and organize the information security program into an easily understood format.

2. Common Compliance Framework (CCF) Controls. CCF is a comprehensive set of information security controls that can be used to assess the security program across the organization and each information system. These controls are grouped into security control categories that correspond to the IT Risk Categories for simplified assessment of risk and management of the security program. The CCF Controls are mapped to the following:

a. IT Risk Categories

b. Individual policy documents in the Information Security Policy Framework

c. Control Standards: NIST Cybersecurity Framework, NIST 800-53, NIST 800-171, ISO 27001/2, Center for Internet Security (CIS) 18 Critical Security Controls, PCI DSS and FFIEC Cybersecurity Assessment Tool and NCUA control standards

3. Risk Assessment Template

a. Preset risk assessment template to streamline the process

b. Ties risks and controls together

c. Customizable template based on assessment

4. Information Security Policy Framework. Content includes a security policy framework that can be implemented at most organizations. Policy documents are mapped in the Ncontracts software to each of the CCF Controls. The policy list includes the following templates:

a. Information Security Program – high level charter style document

b. Information Security Policy – some detail regarding security program elements

c. Data Classification and Handling Policy

d. Data Retention and Disposal Policy

e. Electronic Communications & Security Policy – employee facing

f. Mobile Device Management Policy

g. Security Incident Response Policy

5. Update Frequency

a. IT Risk Categories are not expected to change regularly but may be updated annually based on feedback from clients and consultants in the field

b. Security Control Categories change to correspond with changes to the IT Risk Categories

c. CCF Controls may change annually based on client feedback, field consultants, and shifts in information security best practices

d. Security Policy Framework templates are updated annually to reflect changes in regulations, best practices, and general information security considerations

Changes to ITRM Content will be outlined in a notice to clients and will include a summary of the changes made. Ncontracts’ staff will also be available to answer questions about content changes.

Implementation of content changes will be automated as much as possible. Where automation is not possible, Ncontracts staff will work with clients to successfully incorporate new content into the Ncontracts ITRM software module.

Content controls have unique identifiers and version numbers so clients know what version of content they have in their Ncontracts software.

6. Included Data Security Services. Several services are included with the purchase of ITRM Content:

a. Implementation

• A consultant joins kick-off meeting

• Up to two hours of ITRM Content implementation guidance

b. Ongoing

• Annual ITRM Content updates

LexisNexis StateNet Integration

1. Ncontracts will provide an integration to bring LexisNexis StateNet Content into the Client build on a nightly basis. Ncontracts will bring the following information into the software in the form of a compliance Change:

a. Where available: State, title, agency name, number, URL, proposed date, emergency adopted date, adopted date, current disposition, summary, Contact, Citation, History and any issue tags defined

2. Client Responsibility

a. Sign a service agreement with LexisNexis.

b. Work with LexisNexis to curate the appropriate content to bring into the software.

Business Continuity Service

1. For each plan ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with the following business continuity planning services. Purchased BC plans can consist of up to 5 processes and 20 dependencies/resources. Each purchased BC plan may be used as a Departmental Plan, Crisis Management Plan, Pandemic Plan, or Disaster Recovery Plan.

a. Business continuity plan creation includes:

• Business Impact Analysis meeting (up to 2 hours)

• Solutions & Planning meeting (up to 3 hours)

• Structured BC Plan walkthrough across all purchased plans (up to 1 hour)

• Tabletop BC Exercise across all purchased plans (up to 2 hours)

b. Business Continuity Plan update includes (with multiyear service):

• Annual full BC plan review (up to 2 hours)

• Annual tabletop BC Exercise walkthrough across all purchased plans (up to 2 hours)

c. Periodic guidance meetings as needed with BC Administrator throughout service agreement (up to 4 times annually).

d. Completion of location-based risk assessment with BC Administrator (up to 2 hours).

Vendor Management Due Diligence Services

1. For each Standard vendor review ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with the following services once per vendor annually:

a. Gather Due Diligence data from vendors using Ncontracts workflows and content (Client agrees to assist with non-responsive vendors).

b. Answer due diligence questions within twelve (12) months of receipt of the vendor(s) on the Ncontracts-provided form; any vendor(s) received in any other format may experience a delay in completion.

c. Perform vendor monitoring.

d. Start Risk Assessment workflows.

2. For each Preferred vendor review ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with everything listed in the Standard review with the addition of the following services:

a. Conducting risk assessment interviews with each vendor owner (up to half an hour).

3. For each Premium vendor review ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with everything listed in the Standard and Preferred review with the addition of the following services:

a. Certified Public Accountant (CPA) review and opinion of the vendor’s financials.

b. Certified Information Systems Security Professional cyber security review and opinion of the vendor’s information security program.

4. Client Responsibility

a. Annually provide Ncontracts with a vendor management documentation request authorization letter signed on Client letterhead.

b. Annually provide Ncontracts with a list of classified vendors to be serviced on a Ncontracts-provided form including the following information:

• Vendor Name

• Product

• Vendor Contact

• Vendor Contact Email Address

• Level of Service Requested (Standard, Preferred, Premium)

c. Sign three-way non-disclosure agreement template (Ncontracts, Client, and Client’s Vendor) to be executed if required by each vendor.

5. Miscellaneous Terms

a. If a vendor contact fails to respond to the documentation request after four (4) attempts and if there is not adequate public information available to complete the due diligence analysis, Client may contact the vendor directly or replace the vendor at no additional cost with a different vendor.

b. If a vendor contact responds but declines to provide the documentation requested and there is not adequate public information available to complete the due diligence analysis, Client may contact the vendor directly or replace the vendor with a different vendor.

c. Client must not modify, add, or delete any of the New or Existing Vendor Due Diligence questions from the VM Component.

d. If a vendor has multiple products and there are different Due Diligence documents for each product, Client will need to decide, on the Ncontracts-provided form, which product to base the vendor review on. If multiple products are entered on the Ncontracts-provided form, it will count as multiple vendors.

e. If Client sends Ncontracts a vendor to be serviced that is not in Ncontracts’ Vendor Library, Ncontracts will reach out to the vendor to gather documentation and answer all Ncontracts Due Diligence questions in Ncontracts’ Vendor Library. When completed, Ncontracts will upload the results to the Client’s build. Once the upload is complete, that date will be the date going forward for the annual review to be completed.

• Example: Client sends Ncontracts a vendor to be serviced on an Ncontracts-provided form that is not in Ncontracts’ Vendor Library on 7/1/2023. Ncontracts will begin reach-out attempts and document gathering. Since vendors’ responses vary greatly, Ncontracts cannot guarantee a date of completion, but will complete the review as soon as possible and no later than 7/1/2024.

f. If Client sends Ncontracts a vendor to be serviced on an Ncontracts-provided form that is in Ncontracts’ Vendor Library, Ncontracts will reach out to the vendor asking them if any of their documentation or answers to Ncontracts’ Due Diligence questions have changed since Ncontracts last queried them for this information. Once the vendor has responded Ncontracts will upload the results to Client’s build. Going forward on a year-after-year basis for the length of Client’s contract Ncontracts will automatically reach out to the vendor before the date originally queried for the Ncontracts Vendor Library and will upload the completed new year’s Due Diligence information to Client’s build.

• Example: Client sends Ncontracts a vendor to be serviced that is in Ncontracts’ Vendor Library on 7/1/2023. Ncontracts already queried the vendor, with completed results in the Ncontracts Vendor Library, on 5/1/2023. Ncontracts will reach out to the vendor again asking whether any of their documentation or answers to the Ncontracts Due Diligence questions have changed since last queried. Once the vendor replies, Ncontracts will upload the results to Client’s build and date them with the current date, in this example 8/1/2023. Going forward on a year-after-year basis, Ncontracts will begin reach-out attempts early enough to have Client’s next year’s Due Diligence completed on or before the date first queried and entered into the Ncontracts Vendor Library, in this example 5/1/2024. This will result in Client receiving the immediate next year’s completed Due Diligence sooner than twelve (12) months, but all subsequent years in Client’s contract will then be synchronized with the Ncontracts Vendor Library and delivered on a twelve (12) month annual basis. In this example: first year 8/1/2023, second year 5/1/2024, third year 5/1/2025, fourth year 5/1/2026, etc. Ncontracts will not prorate for the time difference in this scenario.

Vendor Management Contract Services

1. For each Contract Digitization ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with the following services:

a. Review each agreement and enter the corresponding contractual terms, start date, end date, contract type, term, and notification requirements.

2. Miscellaneous Terms

a. For each Contract Digitization, Client responsibilities include:

• Creation of the contract resource in Ncontracts software linked to the appropriate vendor.

• Readable agreement with terms verified for accuracy uploaded to the contract resource.

• Provide Ncontracts with a list of vendors and their contract to have digitized.

• Client is responsible for final validation of entered terms.

Enterprise Risk Management Services

1. For Enterprise Risk Management Component orders under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with one or more of the following:

a. JumpStart Program

• Ncontracts’ ERM Services Team will deliver a written customized Enterprise Risk Management Roadmap (“ERM Roadmap”).

• Upon completion and mutual agreement of the customized ERM Roadmap, the ERM Roadmap may be executed with Subscription Services Credits or Professional Services Credits as mutually agreed to by the parties.

2. Client Responsibility

a. Provide and maintain a dedicated ERM Client resource for Ncontracts.

b. Ensure adequate Client resources to effectively execute the mutually agreed upon ERM Roadmap.

c. Ensure Ncontracts’ access to Client Board of Directors, Executive Management, and others as required to effectively execute the mutually agreed upon ERM Roadmap.

d. Provide Ncontracts with all necessary access to information required by Ncontracts to effectively execute the mutually agreed upon ERM Roadmap.

Single Sign-On Service (SSO)

1. Ncontracts Responsibility

a. Provide SSO integration with Ncontracts’ software platform through a SAML (2.0 or higher) endpoint.

b. Allow provisioned SSO users the ability to log in to the Ncontracts Platform after being authenticated by Client’s identity provider (IP).

2. Client Responsibility

a. Client must utilize Ncontracts’ third-party endpoint solution for SAML connection.

b. Client is responsible for configuring their IP SAML connection.

3. Exceptions to the SSO capability

a. Quantivate.com and/or ncontracts.com account creation will be handled via just-in-time provisioning, import, or manual account entry.

b. Deprovisioning (deletion) of accounts on quantivate.com and/or ncontracts.com and removal of the mobile app are handled by Client.

Sandbox Service

1. Sandbox environments are isolated from Client’s production environment. Operations performed in Sandbox environments do not affect the Client’s production environment, and vice versa. Sandbox environments are intended to be used as testing environments.

2. Ncontracts Responsibility

a. Provide Client with a replica of their production environment, as requested.

b. Replace Sandbox environment, as requested, with a new replica of production environment.

3. Client Responsibility

a. Client may request a Sandbox environment be created once every 30 days.

b. Previously existing Sandbox environment will be overwritten when a new Sandbox is requested.

c. When requesting a Sandbox environment, Client will indicate whether the Sandbox environment should or should not send notifications. Note: There is a risk of duplicate notifications being sent to recipients if the Sandbox environment is set to send notifications in the same way as the production environment.

d. Client acknowledges any changes made in their Sandbox environment will not in any way affect their production environment nor will any changes be automatically transferable to their production environment.

sFTP Server Service

1. Ncontracts’ sFTP Server Service customers will be provided with an sFTP server location for use with Ncontracts nightly import jobs.

2. Ncontracts Responsibility

a. Create unique sFTP server location for Client.

b. Provide Client with a link to access their sFTP server.

c. Provide Client with one (1) username and password for access to the sFTP server.

d. Complete initial setup of automated import job utilizing Client’s Ncontracts sFTP server.

e. Delete Client sFTP server without restore capabilities when Client cancels service.

3. Client Responsibility

a. Client will be responsible for uploading, maintaining, and deleting all files on their sFTP server.

b. Client will only use their sFTP server for the purpose and intent of automating Ncontracts import jobs.

c. Client will not upload to their sFTP server any files that are deemed to be illegal, or that, as uploaded into the sFTP server, infringe, misappropriate or otherwise violate any intellectual property rights or other rights of any third party, or that violate any applicable law.

d. Client will be responsible for keeping their username and password secure.

Emergency Notifications

1. Ability to create custom automated e-mail notifications for different requirements

2. Ability to assign individuals to custom groups in order to send notifications to multiple recipients

3. Ability to establish single point in time or recurring notifications

4. Ability to send out SMS and voice broadcast notifications. Each SMS and voice broadcast message is subject to a fee, which will be invoiced monthly at the rate of $0.15 per message per recipient.

5. A billable message is defined as:

a. An SMS message of 160 characters or less sent to a single recipient

b. A 60-second or less voice message sent to a single recipient

c. A poll response for a voice recording message received from a single recipient

Last Revised: April 12, 2024