Common use of Subcontracting the Services Clause in Contracts

Subcontracting the Services. (a) EVERTEC shall provide COMPANY and BPPR with the written notice required below in this Section 1.16(a) prior to outsourcing, delegating or subcontracting the performance of any part of the Services to a Third Party vendor, including any Third Party computer programmers, software developers or Data Center, collocation, hosting or cloud service providers (each, a “Subcontractor”), to the extent such Subcontractor would store, process, transport or otherwise have access to BPPR Data or other Confidential Information or Intellectual Property of COMPANY or BPPR or their respective Subsidiaries (a Subcontractor with such access, including those who perform Data Processing of Personal Data or provide Data Center services, a “Data Subcontractor”), except to the extent such Data Subcontractor is in use by EVERTEC as of the Effective Date. The Data Subcontractors used by EVERTEC as of the Effective Date are listed in Schedule 1.16. For the avoidance of doubt, such information related to EVERTEC’s Data Centers, Data Subcontractors and Subcontractors shall be considered EVERTEC Confidential Information and EVERTEC may otherwise engage Subcontractors who are not Data Subcontractors without the obligation to inform COMPANY or BPPR, as applicable, subject to the terms of this Master Agreement and to applicable Legal Requirements. EVERTEC agrees that, prior to assigning a Data Subcontractor under this Master Agreement: EVERTEC must (i) provide COMPANY and BPPR with at least 180 days’ written notice for Data Subcontractors that will perform Services at a new Data Center and at least 30 days’ written notice for all other Data Subcontractors (or such shorter period as may be necessary to assign a Data Subcontractor in order to remedy an Incident or other similar emergency event); (ii) within 10 days of a request from COMPANY or BPPR, provide COMPANY or BPPR the information described in Section 1.16(c) to evaluate the proposed Data Subcontractor during the applicable notice period provided above; and (iii) comply with the outsourcing policies and procedures set forth in Exhibit F (the “Outsourcing Policy”) and applicable Legal Requirements relating to the outsourcing of services. Without limiting the foregoing, prior to the commencement of any work by any Data Subcontractor, EVERTEC must: (i) perform the necessary due diligence to manage related vendor risks and ensure it only assigns Subcontractors that (A) are qualified industry vendors that EVERTEC reasonably believes to be competent, (B) meet or exceed any requirements as may be required under applicable Legal Requirements and (C) have the requisite skills to perform the subcontracted obligations; (ii) enter into written agreements that bind the Data Subcontractors to data security and confidentiality obligations no less stringent than to those herein; and (iii) monitor its Subcontractor’s performance to ensure it is consistent and compliant with all the requirements of the Outsourcing Policy. (b) EVERTEC shall monitor its Data Subcontractors’ performance to ensure such performance is consistent and compliant with all the applicable requirements of this Master Agreement and the Outsourcing Policy. Notwithstanding the foregoing, EVERTEC shall remain exclusively and fully responsible and liable towards COMPANY, BPPR, and their respective Subsidiaries for the due performance of such Services, compliance with this Master Agreement, and any gross negligence, fraud or willful misconduct by such Subcontractors (including any Fourth Party) and there shall be no direct relationship whatsoever between COMPANY, BPPR, or their respective Subsidiaries, on the one hand, and such Subcontractors or Fourth Parties, on the other, solely by virtue of this Master Agreement. (c) Subject to Section 1.16(f), at COMPANY’s or BPPR’s request, upon reasonable advance written notice, EVERTEC will provide COMPANY or BPPR with copies of any documents in EVERTEC’s possession that are related to EVERTEC’s due diligence and risk analysis of its Data Subcontractors; provided, that (i) such requests shall be conducted in such a manner as not to interfere with the normal operations of EVERTEC’s business, (ii) disclosure of such information by EVERTEC shall be subject to, and limited by, applicable Legal Requirements, (iii) EVERTEC may redact from such copies information related solely to EVERTEC or customers other than COMPANY, BPPR or their respective Subsidiaries and (iv) EVERTEC shall not be obligated to provide any information if doing so would reasonably be expected to result in the waiver of any attorney-client or other legal privilege. (d) EVERTEC represents that its vendor risk management policies and procedures include commercially reasonable audit rights with respect to its Data Subcontractors. (e) If a Data Subcontractor uses or permits another party (a “Fourth Party”) to store, transport, process otherwise access Personal Data or Confidential Information or Intellectual Property of COMPANY, BPPR, or their respective Subsidiaries, EVERTEC will comply with this Section 1.16 with respect to such Fourth Party, subject to Section 1.16(f). (f) If there are terms in EVERTEC’s contracts existing as of the Effective Date with its Data Subcontractors that limit EVERTEC’s rights to provide the information requested by COMPANY or BPPR under Section 1.16(c) or (e), EVERTEC will use Best Efforts to obtain the right to provide the requested information but will not be in breach of this Master Agreement to the extent it is unable to do so as a result of such contract terms. If a Data Subcontractor proposes to limit EVERTEC’s rights in this regard in any new contract or contract renewal after the Effective Date, EVERTEC will notify COMPANY and BPPR reasonably in advance of the contract execution date of the issue and use Best Efforts to address any concerns relating to the issue that COMPANY or BPPR may raise with EVERTEC.