ABCD

AO KPMG

KPMG Central Terms of Use

AO “KPMG” May 2016 This report contains 8 pages KPMG Central Terms of Use (CIS).docx © 2015 JSC “KPMG”, a company incorporated under the Laws of the Russian Federation, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

ABCD

Document review and approval Revision history Version 0.0.1 0.0.2 0.0.3

Author Trunov Vlas Trunov Vlas Trunov Vlas

Date 04.08.2015 10.08.2015 14.08.2015

0.0.4

Trunov Vlas

18.05.2016

Revision Draft version. Content quota and deletion procedure revised. Keynotes removed, obsolete roles and positions removed, terminology revised, site expiration and prolongation procedure updated. Updates to the privileged roles with rights to create multiple engagement sites and updated limitations on site expiration.

This document has been reviewed by Reviewer

Date reviewed

1 2 3 4 5

This document has been approved by Subject matter experts Name

Signature

Date reviewed

1 2 3 4 5

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

i

ABCD

Contents 1

Glossary of terms

1

2

Audience

1

3

Document Purpose

1

4

About KPMG Central

2

5

Setting up

2

6

Licensing

2

7

Managing Access to Sites

3

8

Extending access to KPMG Central for external users

3

9

Site Content

4

10

Site Expiration and Prolongation

4

11

Backups

5

12

Termination

5

13

Support

5

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

ii

ABCD

1

Glossary of terms 1.1.1.

In order to understand the basic features of KPMG Central, it is necessary to understand terms specific to the subject matter. See Table 1 to find definitions for such terms.

Table 1 Term

Description

Client

KMPG client, signatory on the Agreement on the use of KPMG Central.

KPMG Central

Internet-facing environment for collaboration between KPMG users and third parties.

KPMG employee responsible for deployment, configuration, updates, KPMG Central troubleshooting, backup and recovery, and permission management Administrator issues. KPMG Central Administrator has full access rights to sites. Microsoft SharePoint

A web-based platform which enables enterprises to create secure spaces for storing and sharing information.

NITSO

National Information Technology Security Officer is in charge of business requirements, rollout activities and any security related matters.

Site

A virtual environment inside KPMG Central that is used for communication between stakeholders, internal as well as external.

Site Owner

For external sites: Engagement Partner and/or Engagement Manager. For internal sites: employee who requested the site and the employee who approved the request.

External Users

2

Audience 2.1.1.

3

Any Client’s users authorized to access engagement-related sites at KPMG central.

This document is intended for KPMG employees in client-facing departments who use KPMG Central for collaboration with Clients under the Agreement on the use of “KPMG Central”, as well as for KPMG employees who use KMPG Central for internal projects.

Document Purpose 3.1.2.

This document sets out the rules which KMPG Central users have to understand and abide in order to ensure the most secure and efficient communication between team members within the framework of a common project or engagement.

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

1

ABCD

4

5

6

3.1.3.

This document provides a high-level description of the business processes implemented by KPMG Central. For more details on how to perform specific tasks in KPMG Central, refer to respective user guides and references.

3.1.4.

If any of the provisions set forth below cause doubt or difficulties in understanding, the user should consult with the Risk Management Partner and/or NITSO prior to accessing KPMG Central.

About KPMG Central 4.1.1.

KPMG Central offers a secure space where KPMG employees and Clients may communicate under common projects and engagements. There are two types of sites, each allocated for a single project or an engagement: internal and external sites. External sites are used to communicate with clients through sharing and approving documents, tracking tasks and events associated with the engagement. Similarly, internal sites are aimed to streamline collaboration on internal KPMG projects.

4.1.2.

There is no cost for Client associated with the use of the KPMG Central environment.

Setting up 5.1.1.

Any requested site, whether external or internal, shall be adequate to business needs and current technical capacities. For this purpose, the site must be approved as stipulated in 5.1.3 and 5.1.4.

5.1.2.

KPMG Central employee must sign an Agreement on the Use of KPMG Central with the Client prior to requesting a site.

5.1.3.

External as well as internal sites are approved by Engagement Managers or Engagement Partners. For engagement sites, additional approval from Risk Management is required for sites requested prior to signing the Agreement on the use of KPMG Central.

5.1.4.

An internal site may be requested by submitting a request to Service Desk including the site title, site owner’s name, expiration date and interface language.

Licensing 6.1.1.

Users are authorized to use the Microsoft® SharePoint® environment internally or with Clients/External users in direct support of KPMG’s business (client service delivery).

6.1.2.

The Client acquires no right, title, or interest of any kind in or to KPMG Central. The Company agrees not to grant any right to, sell, or otherwise profit from KPMG Central. The Company also agrees not to disassemble, reverse engineer, or in any other way modify KPMG Central.

6.1.3.

In case of any violations, deviations or irregularities in respect to licensing terms are brought to the knowledge of site users or else they have any suspicions in this regard, such instances shall be immediately reported to NITSO for relevant assessment and necessary actions.

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

2

ABCD

7

8

Managing Access to Sites 7.1.1.

A site may be accessed only by KMPG employees and external users explicitly authorized by the Site Owner.

7.1.2.

The Engagement Manager or Engagement Partner may at their own disposal temporarily disable access for any of the site users.

7.1.3.

A Site Owner shall be held responsible for updating access rights to the site for all users.

7.1.4.

Access to external sites must not be extended to subsidiaries or used for multiple engagements unless expressly approved by Risk Management Partner.

7.1.5.

Multiple Clients/External users may be given access to a non-engagement site for sharing generic non-client specific information (for example, industry information provided as part of a Global Markets initiative).

7.1.6.

KPMG employees access KPMG Central using their network username and password. External users access KPMG Central via Active Directory Federation Services by providing their username and password.

7.1.7.

Granting access to external users implies that such users consent the processing of their personal data (including transmission of the same outside of the Russian Federation) in connection with the engagement.

Extending access to KPMG Central for external users 8.1.1.

There may be instances when a Client may want to provide external third party access to a KPMG Central External environment (i.e. an entity that is not directly involved with the KPMG/Client relationship such as an external legal counsel, joint auditor, specialists etc). Such extension of membership privileges may be permitted only if the Client provides a written business case stating the feasibility for extending access rights, including a description of the third party’s role in the engagement. The Engagement Partner on the engagement must review and approve the business case.

8.1.2.

The Engagement Partner must then obtain approval from its country KPMG Central Lead following discussion with the country Risk Management Partner and General Counsel as considered appropriate.

8.1.3.

All third parties must agree to comply with KPMG’s security measures when using the site and accept that their use of the site is at their own risk. The Client and/or the third party must agree to indemnify and hold KPMG harmless in respect of any claims brought against KPMG in relation to the third party’s use of the site.

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

3

ABCD

9

10

Site Content 9.1.1.

All sites and related databases are hosted on Russian premises.

9.1.2.

The maximum disk space allocated for a site shall not exceed 2 Gb by default. For any sites exceeding the foresaid default limit, the Engagement Manager or the Engagement Partner shall submit a request which is subject to approval by the IT Service.

9.1.3.

Site Owners shall monitor disk space usage to maintain continuous operation of the sites and prevent interruptions in business activities under the project/engagement.

9.1.4.

The maximum size of a file uploaded to the site shall not exceed 1Gb. Attempting to upload files of larger size will result in an error. This however does not preclude the users from uploading archives split into smaller volumes.

9.1.5.

If the total of the free disk space left on the site becomes less than 250Mb, the site displays a respective warning message. In this case, the Engagement Manager or the Engagement Partner shall undertake actions to ensure business continuity and data integrity as set forth in 9.1.3 above.

9.1.6.

The Site Owner shall ensure that only relevant contents is stored on the site. In the event that the contents exceed the initial allocated disk space, he undertakes to verify feasibility of such content and request additional space as required. For any content which may be found irrelevant to the site purpose (video, audio, etc.), the Site Owner may request that such content is removed, preserved or, in case of default, the Site Owner choose to delete the content himself with a respective notification to the users.

9.1.7.

In respect of site contents, users shall exercise the same standards of care as for written communication.

9.1.8.

Site Owners undertake to treat personal users data stored on the sites and/or site backup copies in full compliance with The Russian Federal Law on Personal Data (No. 152-FZ).

Site Expiration and Prolongation 10.1.1. The maximum site lifetime is 9 months from the date of creation. The site lifetime may be extended to the maximum of 3 months after the expiration date as specified in 10.1.7 below. 10.1.2. In case the Client desires not to engage with KPMG from a specific date, this date explicitly reported to the Engagement Manager or the Engagement Partner shall deem the date when access to the site for Client’s users is disabled. For KPMG employees the site shall remain available within 60 days to fulfill obligations under the previous engagement. Either of the Site Owners shall adjust the due date for the site accordingly and manually disable Client’s accounts. 10.1.3. In the event stipulated in 10.1.1 above, KPMG may choose any other communication methods to request additional information from the Client to fulfill the engagement after the expiration date of the site. 10.1.4. Thirty days prior to the site’s expiration date, the Engagement Manager, the Engagement Partner and the KPMG Central Administrator receive an email prompting the user to

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

4

ABCD

extend the site’s period or backup the contents before the site is disabled and deleted. Similar notification will follow fifteen, ten and five days prior to the sites expiration date. 10.1.5. Unless otherwise requested by the Engagement Manager/Partner or in the event stipulated in 5.1.4 above, the site expires on the date specified in the site request. 10.1.6. Failure to request extended lifetime for the site by the Engagement Management/Partner within thirty days after the site’s expiration date will result in permanent deletion of the site and its contents. 10.1.7. The site’s lifetime may be extended upon a request submitted by the Engagement Manager or the Engagement Partner at any time starting from the thirtieth day preceding and ending on the thirtieth day following the site’s expiration date. Such requests are processed automatically.

11

Backups 11.1.1. Any information copied from the sites by KPMG users shall be stored only in KPMG network. 11.1.2. Any information backed up from the sites automatically (both user contributed content or system information) shall be accessible only to Risk Management and KPMG Central Administrator. 11.1.3. Site users may file a request to recover the site and associated data within two weeks after the site expiration date. In cases stipulated in 10.1.1 above, Client’s users shall use other communication methods in regards to the engagement and any contents contained on the site.

12

Termination 12.1.1. Users acknowledge that access to KPMG Central may be suspended, limited, denied or disabled at any time and that content posted on KPMG Central may not be recoverable. Users are responsible for ensuring that they retain copies of all content posted by them. 12.1.2. KPMG reserves the right to terminate access for a user to KPMG Central for any reason, including in the event KPMG becomes aware of any unauthorized use of KPMG Central or any breach of these Terms of Use by the user.

13

Support 12.1.1. For any issues arising in connection with KPMG Central, whether technical or businessrelated, KPMG users must contact IT Service Desk, and External users must contact their Engagement Manager in KMPG.

KPMG Central Terms of Use (CIS).docx - 18 May 2016 © 2016 JSC “KPMG”. All rights reserved.

5