This Data Processing Addendum (the “DPA”) relates to the processing by Proxymity Limited, a company incorporated in the United Kingdom, having its principal place of business at 3rd Floor Waverley House, 7-12 Noel Street, London, United Kingdom, W1F 8GQ (“Proxymity”) of Personal Data provided by Customer  under the applicable  services agreement and ordering documentation between Customer and Proxymity (collectively, the “Agreement”). This DPA is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement from the Effective Date of the Agreement (as defined therein). Any capitalized terms used in this DPA and not otherwise defined herein shall have the meanings ascribed to such terms in the Agreement.

Part 1 to the Appendix (Data Processing Details) sets out certain information regarding Proxymity’s Processing of Customer Personal Data including as required by Article 28(3) of the GDPR.

1. Definitions
a) “personal data”, “personal information” “controller”, “processor”, “data subject”, “processing” (and “process”), “business purpose”, “commercial purpose”, and “service provider” have the meanings given in the applicable Data Protection Law, as appropriate.

b) “Customer Personal Data” means any Personal Data or Personal Information that is Processed by Proxymity on behalf of the Customer in connection with provision of the Services including vote instructions and reports of beneficial ownership of securities.

c) “Data Protection Laws” means all applicable laws that regulate the Processing of Personal Data. In particular, Data Protection Laws may include (as applicable), the GDPR, the UK GDPR, U.S. Data Protection Laws and other applicable laws that specify privacy, security, or security breach notification obligations that affect the Personal Data Processed in the provision of the Services by Proxymity.

d) “EU Relevant Transfer Mechanism” means in respect of Restricted Transfer subject to: a) the GDPR, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”); b) the UK GDPR, the UK Addendum; and c) the Swiss FADP, the EU SCCs as amended by clause 3(c)

e) “Europe” means, for the purposes of this DPA, the Member States of the European Economic Area (EEA), the United Kingdom (UK) and Switzerland.

f) “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation), and all issued implementing regulations.

g) “Personal Data” or “Personal Information” means all data containing personally identifiable information that is Processed by Proxymity in connection with the Services and falls within any definition of “personal data” or “personal information” under any applicable Data Protection Law.

h) “Restricted Transfer” means a transfer (directly or via onward transfer) of Personal Data subject to applicable European Data Protection Laws from Europe to a country outside of Europe that is not subject to an adequacy decision by the European Commission, or the competent UK or Swiss authorities (as applicable).

i) “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Data processed by Proxymity and/or its Sub-processors in connection with the provision of the Services. For the avoidance of doubt, “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

j) “Services” means the provision of services by Proxymity to Customer pursuant to the Agreement.

k) “Sub-processor” means any other processor engaged by Proxymity in its role as a processor to assist in fulfilling its obligations with respect to providing the services pursuant to the Agreement or this DPA where such entity processes Personal Data. Sub-processors may include Proxymity’s affiliates or other third parties.

l) “Swiss FADP” means the Swiss Federal Act on Data Protection and its implementing regulations.

m) “Transfer” means to disclose or otherwise make the Personal Data available to a party or third party (including to any Affiliate or Sub-processor of Proxymity), either by physical movement of the Personal Data to such party or third party or by enabling access to the Personal Data by other means.

n) “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.

o) “UK GDPR” means the in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

p) “U.S. Data Protection Laws” means all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). 

2. Roles of the parties and description of the processing

a) A description of the processing of Customer Personal Data related to the Services, as applicable, is set out in the Appendix hereto. Proxymity may update the descriptions of processing from time to time to reflect new products, features or functionality comprised within the Services.

b) Except as set out in Sections 2(c), where Proxymity processes Customer Personal Data in connection with the provision of the Services, Proxymity will process such Personal Data as a processor or sub-processor on behalf of Customer (who, in turn, processes such personal data as a controller or a processor)

c) Notwithstanding anything in the Agreement or this DPA to the contrary and as permitted by Data Protection Law, Proxymity may further process Customer Personal Data in its capacity as a controller for:

(i) certain purposes as further detailed in the Appendix; and

(ii) the purpose of de-identifying it and/or aggregating it with other customers’ data to create de-identified and/or aggregated datasets for internal operational purposes such as research and product development, and for its own insights and analytics services. In case of such processing, Proxymity will: (A) adopt reasonable measures to prevent any de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person; and (B) maintain and use any de-identified data in a de-identified form and to not attempt to re-identify such data, except that Proxymity may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with applicable Data Protection Law.

d) Customer acknowledges and agrees that Proxymity may:

(i) disclose Customer Personal Data to any third party as necessary in order to provide the Services including to any issuer of securities (“Issuer”) or any third party acting on that Issuer’s behalf in the provision of Proxymity’s services to any of its customers; and

(ii) retain a copy of any Customer Personal Data (including after termination or expiry of the Agreement) as required by applicable law; and for the purposes of record-keeping and where it otherwise acts as a controller in respect of the Customer Personal Data.

3. General Obligations

a) Each party shall at all times comply with its respective obligations under applicable Data Protection Law in connection with its processing of Personal Data under this Agreement.

b) Without prejudice to Section 3(a), Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Customer Personal Data to Proxymity for processing and shall ensure that it has a lawful basis to enable Proxymity to Process Customer Personal Data as set forth herein. If any authorizations or consents of data subjects are required for such processing of Customer Personal Data by Proxymity, Customer shall be required to obtain any such consents directly from the data subjects. Customer represents, warrants and undertakes that it will not transmit or expose to Proxymity or otherwise require Proxymity to Process any (i) protected health information, criminal data or other special categories of data (as defined in the GDPR) ; (ii) cardholder data; or (iii) data of a minor; or (ix) Personal Data that is not able to be Processed as set forth herein in compliance with applicable Data Protection Laws, in connection with the Services or otherwise under this Agreement.

4. Additional Proxymity obligations as a processor or subprocessor

Where Proxymity acts as a processor or subprocessor in respect of its processing of Customer Personal Data under the Agreement, Proxymity will comply with the obligations set out in this Section 4.

a) Compliance with customer instructions
Proxymity will only process Customer Personal Data as is necessary for the performance of the Services pursuant to the Agreement and in accordance with Customer’s documented instructions as reasonably contemplated by the Agreement. This DPA, the Agreement, and Customer’s use of the Service’s features and functionality, are Customer’s complete set of instructions to Proxymity in relation to the processing of Customer Personal Data. Proxymity will promptly notify Customer if, in its opinion, the instructions given by Customer for Processing violate any Data Protection Law; provided, however, that Proxymity has no independent obligation to verify that the Processing complies with any specific Data Protection Law, as it is entitled to rely on Customer’s instructions.

b) Confidentiality
Proxymity shall ensure that any person that it authorises to process Customer Personal Data (including Proxymity’s staff, agents and Sub-processors) will be subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process Customer Personal Data who is not under such a duty of confidentiality.

c) Information Security/Security Incidents
Proxymity shall put in place appropriate administrative, technical and physical measures in accordance with applicable Data Protection Law to protect Customer Personal Data against accidental or unlawful destruction, alteration, unauthorised disclosure or access. Customer acknowledges that the Security Measures are subject to technical progress and development and that Proxymity may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.

d) Upon becoming aware of a Security Incident, Proxymity will notify Customer (via email to the address specified in the Appendix) without undue delay (and in any event within 24 hours of its discovery) and provide timely information (taking into account the nature of processing and the information available to Proxymity) relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under applicable Data Protection Law.

e) Sub-processing
Customer consents to Proxymity engaging Sub-processors to process Customer Personal Data, and hereby provides its general authorisation for Transfers to those Sub-processors listed in Part III of the Appendix to this DPA. Proxymity will provide a notice to Customer of any new Sub-processors in accordance with the Agreement.  Customer may object in writing to Proxymity’s appointment of a new Sub-processor within fourteen (14) days’ of such notification (the “Notice Period”), provided that such objection is based on reasonable grounds relating to a violation of Data Protection Laws. In such an event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties are not able to achieve resolution within the Notice Period, Customer, as its sole and exclusive remedy, may terminate the applicable Work Order(s) or parts of the Service provided by the Sub-processor in question for convenience. If the Customer does not object during the Notice Period, Customer will be deemed to have waived its right to object and have authorised the new Sub-processor.

f) Notwithstanding the foregoing, where a sudden replacement or supplement of a Sub-processor is required by Proxymity to continue providing the Services (such as if a third party abruptly discontinues services to Proxymity), Proxymity may, in lieu of advance notice, inform Customer of the new Sub-processor as soon as practicable following which Customer may raise reasonable objections as set forth above. If the parties are not able to achieve resolution within thirty (30) days after Proxymity’s receipt of the objection, Customer, as its sole and exclusive remedy, may terminate the applicable Work Order(s) or parts of the Service provided by the Sub-processor in question for convenience.

g) Proxymity shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by applicable Data Protection Law (and in substance, to the same standard provided by this DPA); and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under the Agreement.

h) Taking into account the nature of the processing, Proxymity shall reasonably cooperate with Customer and its Affiliates, at Customer’s expense, to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that Proxymity processes on Customer’s behalf. To the extent Proxymity is required under applicable Data Protection Law, Proxymity shall at the Customer’s cost provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, taking into account the nature of processing and the information available to Proxymity.

i) In the event that any request, correspondence, enquiry or complaint (referred to under paragraph (h) above) is made directly to Proxymity, Proxymity acting as a processor will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so, and instead, after being notified by Proxymity, Customer may respond. If Proxymity is legally required to respond to such a request, Proxymity will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so

j) Deletion or return of data
On termination or expiry of the provision of the Services (or where Proxymity determines its processing of Customer Personal Data is no longer necessary for the provision of the Services), Proxymity will, unless otherwise set out in this DPA or where required by applicable law to retain copies of Customer Personal Data, either: (i) provide a copy of the Customer Personal Data to Customer, and/or (ii) purge, delete and destroy the Customer Personal Data.

k) Audit
Proxymity uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Personal Data. Such audits are conducted at least annually, are performed at Proxymity’s expense by independent third-party audit professionals at Proxymity’s selection, and result in a confidential audit report. Upon written request, and no more than once a year, Proxymity shall provide Customer with reasonable information about Proxymity’s information security program (including a SOC2 Report or equivalent) as well as a summary of any other relevant audit reports relating to Proxymity’s processing of Customer Personal Data, so Customer can verify Proxymity’s compliance with this DPA. All such information is Confidential Information of Proxymity.

l) Only to the extent Customer cannot reasonably satisfy Proxymity’s compliance with this DPA through the exercise of its rights under paragraph (k) above, or where required by applicable Data Protection Law or a regulatory authority, Customer, or its authorised representatives, may at its own cost conduct audits (including inspections) during the term of the Agreement to assess Proxymity’s compliance with the terms of this DPA.

m) Any such audits or inspections may not be carried out more than once per year, must be undertaken with reasonable advance notice of at least 45 calendar days, during Proxymity’s regular business hours and in any case during the off-peak voting season and be carried out by Customer (or by a qualified independent auditor) at Customer’s expense in a mutually-agreeable manner, with any findings being restricted to data and information relevant to Customer. Any independent auditors utilized shall be required to enter into a confidentiality agreement with Proxymity and Proxymity shall also cooperate with any audits conducted by any regulatory agency that has authority over Customer as needed to comply with applicable law.

n) For the avoidance of doubt, Customer understands that due to the third-party hosting and multi-tenant nature of the Services, Proxymity cannot grant access to the premises, facilities, or records of any Sub-processor or Proxymity’s production or non-production systems, source code, or anything that could expose confidential information of other customers of Proxymity. Customer shall reimburse Proxymity on demand for any time expended by Proxymity in fulfilling any such requests set forth in this section at Proxymity’s then-current professional services rates, which shall be made available to Customer upon request.

5. Restricted Transfers

a) The Parties agree that if and to the extent the transfer of Personal Data from Customer or Proxymity (as applicable) (as “data exporter”) to Customer or Proxymity (as applicable) (as “data importer”) is a Restricted Transfer and applicable Data Protection Law requires that appropriate safeguards be put in place, the transfer will be subject to the Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:

(i) In relation to transfers of Personal Data governed by the GDPR and processed in accordance with Section 2(b) of this DPA, the SCCs will apply, completed as follows:

1. Module Two, Module Three or Module Four will apply (as applicable);
2. in Clause 7, the optional docking clause will not apply;
3. for the purpose of Module Two and Module 3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 4 (e) of this DPA;
4. in Clause 11, the optional language will not apply;
5. for the purpose of Module Four, clauses 14 and 15 will apply;
6. in Clause 17, Option 1 will apply, and the SCCs will be governed by Irish law;
7. in Clause 18(b), disputes will be resolved before the courts of Ireland;
8. Annex I of the SCCs is deemed completed with the information set out in this Section 3 and Appendix to this DPA, as applicable; and
9. subject to Section 4 (c) of this DPA, Annex II of the SCCs is deemed completed with the information set out in the Appendix hereto;

b) In relation to transfers of Personal Data governed by UK GDPR, the UK Addendum will apply as completed in accordance with paragraphs (i) and (ii) above; which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum is deemed completed respectively with the information set out in Section 4 (e). (f) and (g) as well as the Appendix hereto; Table 4 in Part 1 is deemed completed by selecting “neither party.” Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

c) In relation to transfers of personal data governed by the Swiss FADP, the EU SCCs will also apply in accordance with paragraphs (i) and (ii) above, with the following modifications: I. any references in the SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP; II. references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; III. Clause 13 of the EU SCCs and Part C of Annex 1 are modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss FADP. Subject to the foregoing, all other requirements of Clause 13 will be observed; IV. references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland; V. in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and VI. Clause 18(b) states that disputes will be resolved before the applicable courts of Switzerland.

d) The parties acknowledge and agree that as at the date of this Agreement, the transfer of Personal Data from Customer to Proxymity is not a Restricted Transfer.  If and to the extent that the transfer of Personal Data from Customer to Proxymity becomes Restricted Transfer the transfer will be subject to the applicable provisions of clause 3a) to c) above.

e) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses, thus if a supervisory authority or court determines that the Transfer mechanism used herein is no longer an appropriate basis for Restricted Transfers, Proxymity and Customer shall promptly use reasonable efforts to take all steps necessary to demonstrate adequate protection for the impacted information, using another approved mechanism or instrument. If permitted by law, the parties agree that the terms of such new or additional mechanism or instrument will be automatically incorporated by reference into this DPA upon Proxymity’s circulation of an addendum or amendment to this DPA containing the required terms.

6. CCPA obligations

a) To the extent Customer Personal Data includes personal information protected under the CCPA that Proxymity processes as a service provider acting on behalf of Customer, Proxymity will process such Customer Personal Data in accordance with the CCPA, including by complying with applicable sections of the CCPA and providing the same level of privacy protection as required by CCPA, and in accordance with Customer’s written instructions, as necessary for the limited and specified purposes identified in the Agreement or this DPA. Proxymity will not:

(i) retain, use, disclose or otherwise process such Customer Personal Data other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Work Order;

(ii) retain, use, disclose or otherwise process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Work Order, or as otherwise permitted under the CCPA;

(iii) “sell” or “share” such Customer Personal Data within the meaning of the CCPA; and

(iv) retain, use, disclose or otherwise process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under the CCPA.

b) Proxymity must inform Customer if it determines that it can no longer meet its obligations under U.S. Data Protection Laws within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorised processing of such Customer Personal Data.

7. Limitation of Liability

Each party’s liability arising out of or related to this DPA, including its exhibits and attachments, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party and its Affiliates under the Agreement and this DPA, including its exhibits and attachments, together.

8. Miscellaneous

a) The parties agree that this DPA replaces and supersedes any existing data protection provisions in the Agreement or DPA the parties may have previously entered into in connection with the Services.

b) Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. The order of precedence in case of any conflict, exclusively in relation to the processing of personal data under this DPA, will be, in order of priority: (a) Standard Contractual Clauses, if applicable; (b) this DPA; (c) the Agreement.

c) Any claims against Proxymity or its affiliates under this DPA can only be brought by the Customer entity that is a party to the Agreement with Proxymity. In no event will this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

d) This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Law.

e) This DPA and the Standard Contractual Clauses will terminate simultaneously and automatically upon deletion by Proxymity of the Customer Personal Data processed on behalf of the Customer, in accordance with Section 4 (j) of this DPA.

f) If an amendment to this DPA is required in order to comply with applicable Data Protection Laws and regulations, both parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by the applicable Data Protection Laws and regulations.

APPENDIX 

 

PART I – DATA PROCESSING DETAILS

DESCRIPTION OF THE PROCESSING AND TRANSFER

Proxymity provides a digital platform that streamlines and automates the entire proxy voting and shareholder communication process.

Categories of data subjects whose personal data may be processed and/or transferred

• Customer’s employees, customers, shareholders/beneficial owners of securities (or nominees of customers shareholders/beneficial owners) and other persons whose information is processed by Proxymity in the course of providing Services to the Customer.

Categories of personal data may be processed and/or transferred

• Contact information (such as name, address, email address, phone number)
• Professional details (such as employer, title, position)
• Vote information including vote instructions and records of beneficial ownership of securities (including share purchase date)
• Technical information (such as access privileges and customer access criteria, access log information)
• Online and technical data (IP address, device ID and related data, connection data)
• Other information (date of birth, bank details, national insurance number, passport details, marital status, national identification number)

Sensitive data processed and/or transferred (if applicable)

• N/A

Nature of the processing

• Proxymity shall process Personal Data set out above for the purpose of providing to the Customer the the Services set forth on the applicable Work Order in its capacity as a “processor”.
• Proxymity may further process certain Personal Data mentioned above in its capacity as “controller” for the following closely-related purposes: (i) detecting security incidents, and protecting against malicious, deceptive, fraudulent, or illegal activity; (ii) debugging to identify and repair errors that impair intended functionality of the Services and other activities needed to maintain the quality and/or safety of the services; and (iii) internal operational activities such as responding to data subject requests, making back-ups as part of disaster recovery/business continuity programs, confirming usage quantities, and processing required for legal or regulatory compliance and business sales and administration/record keeping purposes.

Where a Transfer of personal data is considered a Restricted Transfer, the relevant Standard Contractual Clauses shall be populated with the following information:

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

• Personal Data will be retained by the data importer in accordance with its data retention policy and no longer than necessary for the purposes set forth in the Agreement or until such earlier time as the data exporter requests deletion in writing.

Purpose(s) of the data transfer and further processing

• To enable Proxymity to provide the Services per the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

• Continuous

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

• See Part III below.

COMPETENT SUPERVISORY AUTHORITY FOR RESTRICTED TRANSFERS (if applicable)

 

Restricted Transfer	Competent Supervisory Authority & Governing Law
EEA Transfers	Data Protection Commission for Ireland
Swiss Transfers	Federal Data Protection & Information Commissioner (FDPIC), Switzerland
UK Data Transfers	Information Commissioner Office (ICO) – United Kingdom

 

PART II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. 

Proxymity’s information security program is described in the Security Measures which shall be made available to the Client in accordance with Sectiom 4 (k) of the DPA.

PART III – LIST OF SUBPROCESSORS

Customer has authorised Proxymity’s use of the following Sub-processors:

Name of entity	Address	Service provided	Critical to delivery of services to Proxymity customers?
Amazon Web Services EMEA SARL	38 avenue John F. Kennedy, L-1855 Luxembourg	Digital infrastructure	Yes
Bottomline Technologies Ltd (“Bottomline”)	1600 Arlington Business Park, Theale, Reading, Berkshire, England, RG7 4SA	Digital infrastructure (replaces FundTech Financial Messaging Limited (“Finastra”) later in 2024	Yes
Fundtech Financial Messaging Limited (“Finastra”)	4 Kingdom Street, London W2 6BD, UK	Digital infrastructure	Yes
Salesforce	Floor 26 Salesforce Tower, 110 Bishopsgate, EC2N 4AY	CRM tool	No
Zendesk	989 Market St., San Francisco, CA, 94103, USA	Customer Service Platform	No