Vendor Due Diligence Independence Statement

ACA Aponix®
Vendor Due Diligence Independence Statement

June 10, 2018

ACA Risk Strategies, LLC and ACA Risk Europe (a division of ACA Compliance (Europe) Limited), which each do business as ACA Aponix and/or ACA Compliance Group (collectively, “ACA Aponix”) recognize the importance of providing objective and independent due diligence reviews of vendors for our clients. ACA Aponix faces a potential conflict of interest when it performs due diligence on a vendor that is also a portfolio company client of ACA Aponix (as defined below), or is a portfolio company held by a fund that is a client (or managed by a client) of ACA Aponix.

Accordingly, ACA Aponix has developed this Vendor Due Diligence Independence Statement (this “Statement”) in order to establish principles and controls designed to mitigate potential conflicts of interest and ensure that ACA Aponix is able to continue to provide objective and independent findings and recommendations in connection with its vendor due diligence services.

Background

ACA Risk Strategies, LLC and ACA Compliance (Europe) Limited are wholly-owned operating subsidiaries of ACA SIH Topco, L.P., which, together with ACA Risk Strategies, LLC and ACA Compliance (Europe) Limited and its other operating subsidiaries, do business as “ACA Compliance Group.”

Since its inception in 2014, ACA Aponix has sought to provide objective and independent guidance to its clients relating to their vendors. Accordingly, ACA Aponix does not participate in any third-party vendor referral programs nor does it agree to provide any vendor with preferential treatment when performing due diligence. ACA Aponix may recommend a list of vendors appropriate for a client’s specific needs, however, all vendors are afforded non-preferential treatment.

Potential Conflict of Interest

ACA Aponix often assists clients by conducting due diligence on the client’s current and prospective vendors in order to identify technology and technology-related operational risks, and providing guidance to clients on potential remediation activities that the client or vendor can take to address these risks.

Similarly, ACA Aponix often conducts due diligence on portfolio companies for the same purposes. When ACA Aponix conducts due diligence on portfolio companies, ACA Aponix may be engaged by the fund that has invested in the portfolio company, the fund’s manager, or the portfolio company itself.

If ACA Aponix is engaged to conduct due diligence on a vendor that is also a portfolio company client of ACA Aponix, or is held by a fund that is a client (or managed by a client) of ACA Aponix, ACA Aponix may be reluctant to provide the full range and detail of its findings on the vendor, in order to preserve the direct client relationship with the portfolio company or fund/fund manager client (the “Potential Conflict”).

Mitigating Controls

ACA Aponix has established the following controls, which are designed to mitigate the Potential Conflict:

Segregation of Personnel

ACA Aponix has segregated certain of its employees into a group (the Vendor Management Office Services or “VMOS” group) that provides only vendor due diligence services and related tasks, such as responding to requests for vendor due diligence from prospective clients and drafting data diagrams of client-vendor relationships. Employees within the VMOS group do not perform any of the other services offered by ACA Aponix, with the exception of assisting with select portfolio company due diligence.

ACA Aponix employees who are not assigned to the VMOS group do not conduct vendor due diligence services. However, non-VMOS employees may conduct diligence on a company that is a vendor if that company also is a portfolio company client of ACA Aponix, or is held by a fund (or the fund’s manager) that is a client of ACA Aponix.

Although all ACA Aponix employees ultimately are supervised by the same individuals, employees within the VMOS group are directly supervised only by other employees within the VMOS group and employees who are not assigned to the VMOS group are similarly directly supervised only by other non-VMOS group employees, in order to maintain an additional level of separation.

Access Controls

ACA Aponix has established written policies and technical controls to ensure that employees who are not assigned to the VMOS group have only “read-only” access to information that is (a) submitted to ACA Aponix by or on behalf of vendors in connection with the vendor due diligence services, and (b) produced by employees in the VMOS group in connection with the performance of such services, including any written deliverables (collectively, “Vendor Due Diligence-Related Information”). These technical controls are designed to prohibit employees who are not assigned to the VMOS group from modifying any Vendor Due Diligence-Related Information at any stage of its development.

Contact Information

Questions relating to this Statement should be directed to ACA Aponix Partner Raj Bakhru at (917) 993-4786 or ACA Aponix Partner Marc Lotti at (917) 554-5545.