
Standard Services Offerings Schedule

As used herein, “Ncontracts” means Ncontracts, LLC and its affiliates under its control, including but not limited to Quantivate, LLC. The Standard Services Offerings set forth in this document may be purchased using Subscription Services, Service Credits, or Professional Services. The Standard Services Offerings may be modified by Ncontracts from time to time.

Vendor Management Content, Compliance, and Forms

The Vendor Management Component comes with the following forms integrated into the system: 

  1. Vendor Management Board Policy
  2. New Vendor Analysis
  3. Classification Guidelines
  4. Legal Contract Review Checklist
  5. New Vendor Due Diligence
  6. Existing Vendor Due Diligence
  7. Vendor Risk Assessment
  8. SOC Review 

Ncontracts will update the forms as compliance regulations change.

Ncontracts provides ongoing monitoring of the compliance requirements of the federal banking agencies and prepares necessary program updates to meet the applicable compliance requirements of the federal banking agencies. Ncontracts will review any written examination question or finding of non-compliance and provide commercially reasonable assistance to Client in any necessary response, program action or update to ensure compliance.

Ncontracts will not be responsible to Client for any review of examination findings or response assistance if Client fails to substantially use or materially modifies the vendor classification criteria or due diligence and risk assessment question set(s) for any critical or significant classified vendors. 

Contract Compliance Assessment

 1. Service Description. For each Contract Compliance Assessment ordered under the Agreement, Ncontracts will:

  1. Review Client’s vendor contract and produce and deliver to Client a comprehensive report detailing how the contract maps back to relevant industry contract guidance.

2. Client Responsibilities. Client is solely responsible for (i) providing to Ncontracts any addenda, exhibits, schedules, attachments and/or agreements between Client and any of its vendors in a digital format reasonably acceptable to Ncontracts, (ii) the accuracy of all data and materials provided to Ncontracts by or on behalf of Client in connection with the services implemented hereunder, and (iii) any action or inaction taken in response to any work product created by Ncontracts hereunder.

3. Disclaimer/Limitations. CLIENT UNDERSTANDS THAT NCONTRACTS IS NOT PROVIDING LEGAL ADVICE OR COUNSEL. CLIENT SHOULD CONSULT WITH A QUALIFIED AND LICENSED ATTORNEY BEFORE MAKING ANY LEGAL DECISIONS REGARDING ITS AGREEMENTS, COMPLIANCE ISSUES OR ANY LEGAL MATTER, AND CLIENT SHOULD NOT RELY ON THE SERVICES PROVIDED HEREIN FOR LEGAL ADVICE. NCONTRACTS IS NOT ENGAGED IN THE PRACTICE OF LAW. CLIENT SHOULD NOT ACT OR REFRAIN FROM ACTING ON THE BASIS OF ANY CONTENT INCLUDED IN THE CONTRACT COMPLIANCE ASSESSMENT SERVICES WITHOUT SEEKING THE APPROPRIATE LEGAL OR OTHER PROFESSIONAL ADVICE ON THE PARTICULAR FACTS AND CIRCUMSTANCES AT ISSUE FROM AN ATTORNEY LICENSED IN CLIENT’S STATE. NCONTRACTS EXPRESSLY DISCLAIMS ALL LIABILITY IN RESPECT OF ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OF THE SERVICES UNDER THE AGREEMENT OR THE CONTENTS OF THE SUMMARIES PREPARED IN CONNECTION THEREWITH. NCONTRACTS IS NOT ENGAGED IN AN INDEPENDENT REVIEW OF THE SUBSTANCE OR ADEQUACY OF ANY CLIENT CONTRACTS TO BE DELIVERED TO NCONTRACTS IN CONNECTION WITH THE SERVICES UNDER THE AGREEMENT. 

Compliance Management System (CMS) Content and Services 

If requested by Client, CMS content and services can be provided to Client as described below. 

1. Ownership. Ncontracts is the owner of all right, title, and interest, or otherwise has and will have the necessary rights and consents, in and relating to the services and content it provides hereunder. Client acknowledges that the content provided hereunder (i) is a valuable asset and trade secret of the content owner, (ii) that the content owner has an exclusive, copyrighted property right and interest in such services and Compliance Management content, and (iii) Client agrees to protect all information related to such content from unauthorized disclosure, copying, or use.

2. Compliance Management Regulatory Content. Ncontracts shall regularly provide Client with compliance resources of federal regulatory actions affecting the compliance and operations of financial institutions containing the following regulatory content which will be integrated into the CMS software: 

  1. Relevant NCUA, FDIC, FFIEC, OCC, FRB, CFPB, FTC & IRS regulatory compliance alerts which will include:
  • Regulatory Update Name 
  • Mandatory Compliance Date 
  • Scope & Applicability 
  • Agency(ies)
  • Executive Summary
  • Exemption Thresholds (if applicable)
  • Impacted Areas
  • Action Items
  • Frequently Asked Questions (if applicable)
  • Additional Resources 

3. Scope of Services. The provision of regulatory content by Ncontracts hereunder does not establish an attorney-client relationship between Ncontracts (including any Ncontracts subcontractor) and Client, and does not entitle Client to additional regulatory compliance or legal support. 

4. Not Legal Advice. The regulatory content provided by Ncontracts hereunder is intended for informational purposes and is not offered as legal advice. 

ITRM Module Content 

The ITRM Content comes with the following:

1. IT Risk Categories. IT Risk Categories are logical groupings of all known types of threats to information and information systems. The risk categories are the focal point for the streamlined IT risk management methodology. The methodology groups known threats into risk categories that are mitigated using corresponding security control categories, to simplify and organize the information security program into an easily understood format.

2. Common Compliance Framework (CCF) Controls. CCF is a comprehensive set of information security controls that can be used to assess the security program across the organization and each information system. These controls are grouped into security control categories that correspond to the IT Risk Categories for simplified assessment of risk and management of the security program. The CCF Controls are mapped to the following:

  1. IT Risk Categories
  2. Individual policy documents in the Information Security Policy Framework
  3. Control Standards: NIST Cybersecurity Framework, NIST 800-53, NIST 800-171, ISO 27001/2, Center for Internet Security (CIS) 18 Critical Security Controls, PCI DSS and FFIEC Cybersecurity Assessment Tool and NCUA control standards

3. Risk Assessment Template

  1. Preset risk assessment template to streamline the process
  2. Ties risks and controls together
  3. Customizable template based on assessment 

4. Information Security Policy Framework. Content includes a security policy framework that can be implemented at most organizations. Policy documents are mapped in the Ncontracts software to each of the CCF Controls. The policy list includes the following templates: 

  1. Information Security Program – high level charter style document
  2. Information Security Policy – some detail regarding security program elements
  3. Data Classification and Handling Policy
  4. Data Retention and Disposal Policy
  5. Electronic Communications & Security Policy – employee facing
  6. Mobile Device Management Policy
  7. Security Incident Response Policy 

5. Update Frequency 

  1. IT Risk Categories are not expected to change regularly but may be updated annually based on feedback from clients and consultants in the field
  2. Security Control Categories change to correspond with changes to the IT Risk Categories
  3. CCF Controls may change annually based on client feedback, field consultants, and shifts in information security best practices
  4. Security Policy Framework templates are updated annually to reflect changes in regulations, best practices, and general information security considerations 

Changes to ITRM Content will be outlined in a notice to clients and will include a summary of the changes made. Ncontracts’ staff will also be available to answer questions about content changes.

Implementation of content changes will be automated as much as possible. Where automation is not possible, Ncontracts staff will work with clients to successfully incorporate new content into the Ncontracts ITRM software module.

Content controls have unique identifiers and version numbers so clients know what version of content they have in their Ncontracts software.

6. Included Data Security Services. Several services are included with the purchase of ITRM Content: 

a. Implementation

  • A consultant joins the kick-off meeting
  • Up to two hours of ITRM Content implementation guidance 

b. Ongoing

  • Annual ITRM Content updates 

LexisNexis StateNet Integration 

1. Ncontracts will provide an integration to bring LexisNexis StateNet Content into the Client build on a nightly basis. Ncontracts will bring the following information into the software in the form of a compliance Change:

  1. Where available: State, title, agency name, number, URL, proposed date, emergency adopted date, adopted date, current disposition, summary, Contact, Citation, History and any issue tags defined 

2. Client Responsibility 

  1. Sign a service agreement with LexisNexis.
  2. Work with LexisNexis to curate the appropriate content to bring into the software. 

Business Continuity Service 

1. For each plan ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with the following business continuity planning services. Purchased BC plans can consist of up to 5 processes and 20 dependencies/resources. Each purchased BC plan may be used as a Departmental Plan, Crisis Management Plan, Pandemic Plan, or Disaster Recovery Plan.

  a.    Business continuity plan creation includes:

  • Business Impact Analysis meeting (up to 2 hours)
  • Solutions & Planning meeting (up to 3 hours)
  • Structured BC Plan walkthrough across all purchased plans (up to 1 hour)
  • Tabletop BC Exercise across all purchased plans (up to 2 hours) 

  b.    Business Continuity Plan update includes (with multiyear service):

  • Annual full BC plan review (up to 2 hours)
  • Annual tabletop BC Exercise walkthrough across all purchased plans (up to 2 hours) 

  c.    Periodic guidance meetings as needed with BC Administrator throughout service agreement (up to 4 times annually). 

  d.    Completion of location-based risk assessment with BC Administrator (up to 2 hours). 

Vendor Management Due Diligence Services 

1. For each Standard (Level 3) Vendor review ordered under the Agreement, Ncontracts shall provide Client with the following services once per vendor on an annual basis:

  1. Ncontracts shall use commercially reasonable efforts to create the following risk assessments about each Standard (Level 3) Vendor: operational risk summary (information security risk assessment); and credit risk summary (financial summary).
  2. The summaries listed above will be based on the information gathered by Ncontracts about each Standard (Level 3) Vendor, which includes several reports that are available annually.
  3. Perform vendor monitoring which reports on material negative news (e.g., material litigation, cybersecurity breaches, regulatory actions, and other material negative news).
  4. Start Residual Risk Assessment workflows. 

2. For each Preferred (Level 2) Vendor review ordered under the Agreement, Ncontracts shall provide Client with the following services once per vendor on an annual basis:

  1. Everything listed in the Standard (Level 3) Vendor review above, PLUS
  2. Ncontracts shall use commercially reasonable efforts to create a transaction risk summary (business resilience summary) about each Preferred (Level 2) Vendor.

3. For each Premium (Level 1) Vendor review ordered under the Agreement, Ncontracts shall provide Client with the following services once per vendor on an annual basis: 

  1. Everything listed in the Standard (Level 3) Vendor and Preferred (Level 2) Vendor reviews above, PLUS
  2. Ncontracts shall use commercially reasonable efforts to create a compliance risk summary (information security and privacy risk assessment) about each Premium (Level 1) Vendor.

4. Client Responsibility 

  1. Client shall designate Ncontracts as its authorized representative to assist in gathering documents from applicable vendors and, on an annual basis, shall provide Ncontracts with (i) an Authorization Form (in the format provided by Ncontracts) printed on Client’s letterhead and signed by Client; (ii) valid contact information for all applicable vendors including, without limitation, contact names, email addresses and phone numbers; and (iii) other information and assistance reasonably requested by Ncontracts to enable the provision of the Vendor Management Due Diligence Services described herein. 
     

5. Miscellaneous Terms 

  1. Ncontracts shall contact each of Client’s vendors for Vendor Management Due Diligence Services by phone and/or by email up to three (3) times each year to gather the applicable documents. If Ncontracts is unable to obtain these documents or if a vendor refuses to provide the documents, then Ncontracts shall report the results back to Client.
  2. Upon completion of the applicable summaries listed above, Ncontracts will deliver such summaries to Client, along with all relevant documents gathered from the respective vendors in connection with such summaries.


Vendor Management Contract Services 

1. For each Contract Digitization ordered under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with the following services:

  a. Review each agreement and enter the corresponding contractual terms, start date, end date, contract type, term, and notification requirements. 


2. Miscellaneous Terms 
  a.    For each Contract Digitization, Client responsibilities include:

  • Creation of the contract resource in Ncontracts software linked to the appropriate vendor.
  • Readable agreement with terms verified for accuracy uploaded to the contract resource.
  • Provide Ncontracts with a list of vendors and their contracts to be digitized.
  • Client is responsible for final validation of entered terms. 


Enterprise Risk Management Services 

1. For Enterprise Risk Management Component orders under an Exhibit or addendum to the Agreement, Ncontracts shall provide Client with one or more of the following: 
  a.    JumpStart Program

  • Ncontracts’ ERM Services Team will deliver a written customized Enterprise Risk Management Roadmap (“ERM Roadmap”).
  • Upon completion and mutual agreement of the customized ERM Roadmap, the ERM Roadmap may be executed with Subscription Services Credits or Professional Services Credits as mutually agreed to by the parties. 


2. Client Responsibility 

  1. Provide Ncontracts with, and maintain, a dedicated ERM Client resource.
  2. Ensure adequate Client resources to effectively execute the mutually agreed upon ERM Roadmap.
  3. Ensure Ncontracts’ access to Client Board of Directors, Executive Management, and others as required to effectively execute the mutually agreed upon ERM Roadmap.
  4. Provide Ncontracts with all necessary access to information required by Ncontracts to effectively execute the mutually agreed upon ERM Roadmap. 


Sandbox Service 

1. Sandbox environments are isolated from Client’s production environment. Operations performed in Sandbox environments do not affect the Client’s production environment, and conversely. Sandbox environments are intended to be used as testing environments. 

2. Ncontracts Responsibility
  a.    Provide Client with a replica of their production environment, as requested. 
  b.    Replace Sandbox environment, as requested, with a new replica of production environment. 

3. Client Responsibility
  a.    Client may request a Sandbox environment be created once every 30 days. 
  b.    Previously existing Sandbox environment will be overwritten when a new Sandbox is requested. 
  c.    When requesting a Sandbox environment, Client will indicate if the Sandbox environment should or should not send notifications. Note: There is a risk of duplicate notifications being sent to recipients if Sandbox environment is set to send notifications the same as production environment. 
  d.    Client acknowledges any changes made in their Sandbox environment will not in any way affect their production environment nor will any changes be automatically transferable to their production environment. 

sFTP Server Service 
1. Ncontracts’ sFTP Server Service customers will be provided with an sFTP server location for use with Ncontracts nightly import jobs. 

2. Ncontracts Responsibility
  a.    Create unique sFTP server location for Client. 
  b.    Provide Client with a link to access their sFTP server. 
  c.    Provide Client with one (1) username and password for access to the sFTP server. 
  d.    Complete initial setup of automated import job utilizing Client’s Ncontracts sFTP server. 
  e.    Delete Client sFTP server without restore capabilities when Client cancels service. 

3. Client Responsibility
  a.    Client will be responsible for uploading, maintaining, and deleting all files on their sFTP server. 
  b.    Client will only use their sFTP server for the purpose and intent of automating Ncontracts import jobs. 
  c.    Client will not upload any files to their sFTP server deemed to be illegal, or so that as uploaded into the sFTP server they infringe, misappropriate or otherwise violate any intellectual property rights or other rights of any third party or violate any applicable law. 
  d.    Client will be responsible for keeping their username and password secure. 

Emergency Notifications 

1. Ability to create custom automated e-mail notifications for different requirements 

2. Ability to assign individuals to custom groups in order to send notifications to multiple recipients 

3. Ability to establish single point in time or recurring notifications 

4. Ability to send out SMS and voice broadcast notifications. Each SMS and voice broadcast message is subject to a fee, which will be invoiced monthly at the rate of $0.15 per message per recipient.

5. A billable message is defined as:
  a.    An SMS message of 160 characters or less sent to a single recipient 
  b.    A 60-second or less voice message sent to a single recipient 
  c.    A poll response for a voice recording message received from a single recipient 

Last Revised: February 7, 2025