Financial Sector Addendum (DORA)
This Addendum to Commvault’s Master Terms & Conditions (the “Addendum”) is made by and between Customer and/or Partner, and Commvault, LEI number: 65T5VRP62VXG39YFML83, each being referred to herein as a “Party”. Unless otherwise agreed, this Addendum incorporates by reference Commvault’s Master Terms & Conditions (the “Terms”). Defined terms used herein have the same meaning ascribed to them in the Terms. This Addendum only applies to the extent that Customer qualifies as a financial entity or Partner provides services to its customers within the scope of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”), or United Kingdom Financial Conduct Authority guidelines on outsourcing and operational resilience, as either may be amended from time to time (together, the “Financial-Sector Laws”).
- ICT Services. Commvault’s provision of its Solutions, Professional Services, support, and maintenance may be considered an “outsourcing function” or “ICT service” pursuant to applicable Financial-Sector Laws. Customer represents it undertook due diligence to ensure that the Solutions, Professional Services, support, and maintenance meet the criteria defined by applicable Financial-Sector Laws. In the event of a conflict, this Addendum shall control, then the relevant Data Agreement and the Terms.
- ICT Customer’s Rights. Customer, its internal and external auditors (“Auditors”), and its regulators and competent and/or resolution authorities (“Regulators”) have comprehensive rights of directives, instructions, and monitoring vis-à-vis Commvault and its If Customer, either acting on its own or upon a Regulator’s instruction, requires a change to Commvault’s Solutions, Professional Services, support or maintenance, and such change is required under the Financial-Sector Laws, Customer may request such change from Commvault. The Parties will collaborate to address any such requests.
- Rights and Obligations of the Parties. The Parties agree:
- 3.1. Commvault will provide information required for Customer to monitor the Solutions in accordance with applicable Financial-Sector Laws.
- 3.2. Commvault will comply with the Data Agreement with respect to disclosure of Customer Data. The Parties acknowledge that the provisions herein relating to Regulators’ rights to examine are not intended to contravene or interfere with any Financial-Sector Laws, and nothing in this section should be construed as an impediment to the Regulator’s ability to monitor ICT services provisioned by Commvault.
- 3.3. Upon Commvault’s request, Customer will disclose its risk assessment results of the Solutions and Commvault’s ICT services.
- 3.4. Upon Customer’s request, Commvault shall provide details and proof of completion of its ICT security awareness programs and digital operational resilience training. If the Customer deems these programs insufficient, the Parties will collaborate to implement suitable training enhancements.
- 3.5. In the event of an ICT incident caused by Commvault, any related assistance provided in excess of four (4) hours shall be invoiced at Commvault’s then-current Professional Services rates.
- 3.6. Commvault shall use its best efforts to enforce financial institution client confidentiality, as defined by Financial-Sector Laws, and the obligations set forth in this section 3 on its subcontractors. If a subcontractor refuses to allow Customer, its Auditors or Regulator to carry out an inspection or disclose relevant information, Commvault will, at Customer’s request, use best efforts to immediately exercise its rights under its contract with its subcontractor to enforce such obligations.
- Customer’s critical and important functions. In the event the Solutions are identified as supporting Customer’s critical or important functions pursuant to Financial-Sector Laws, the Parties agree that:
- 4.1. Commvault shall notify Customer of any developments that may have a material impact on Commvault’s ability to provision the Solution, Professional Services, support or maintenance, with sufficient advance notice.
- 4.2. Commvault will participate in Threat Led Penetration testing (“TLPT”) specific to its ICT services, provided such tests do not compromise the Solution’s operational integrity or disclose proprietary information. In the event any TLPT identifies vulnerabilities, Customer shall notify Commvault and shall not disclose any information related thereto to any third parties, except as required by Financial-Sector Law.
- 4.3. Commvault shall participate and fully cooperate with regards to Customer’s right to monitor the Solutions under applicable Financial-Sector Laws including by cooperating with Customer’s, or its Auditors’ or Regulators’ onsite inspections or audits. Such inspections or audits may include unrestricted rights of access and the right to relevant documentation on-site. With respect to audits and inspections, Customer shall: (i) provide reasonable prior written notice, unless such notice is not possible due to an emergency, or would render the audit or inspection ineffective; (ii) align with Commvault on the scope, procedures, and frequency; (iii) verify that its Auditors possess appropriate skills and knowledge; (iv) adhere to commonly accepted standards which align with its Regulator instructions; and (v) not unduly disrupt or interfere with Commvault’s business operations.
- Exit strategy. Commvault shall continue to provide the Solutions, Professional Services, support and/or maintenance during the Term in a manner that reduces disruption for the Customer and allows the Customer to migrate to another provider and/or solution. Any additional offboarding services will be subject to Commvault’s then-current terms and rates. In the event of termination or expiry of the SaaS Solution, Customer may elect to extend the SaaS Solution on a month-to-month basis for up to twelve (12) months from the date of termination by providing notice to Commvault. During such period, Commvault will continue to provide, and Customer will continue to pay for, the SaaS Solution pursuant to the Terms at the then-current pricing, and Customer may retrieve its Customer Data through Commvault’s standard processes. Customer may cancel the extended service by providing thirty (30) days written notice to Commvault.
- Other. This Addendum will apply mutatis mutandis to Commvault’s Partners providing ICT Services that include the Solutions to customers subject to Financial-Sector Laws. Partner shall be responsible for any refund obligations related to the Partner shall be responsible for flowing down all the obligations stated herein to each of its respective customers. All communications related to this Addendum shall be sent to the following addresses: for Customer/Partner: [insert email or address] and for Commvault: compliance@commvault.com.
Last Updated: May, 2026