Document ID: TI101AC211 Stamp Sr. No.

: W 651211

STATEMENT OF WORK NO. 1

This Statement of Work No. 1 (“SOW 1” OR “SOW”) is made on October 15, 2022.
BY AND BETWEEN:

Xtranet Bpo Pvt. Ltd., an entity, having its registered office at, Z-24, Zone- 1, M.P. Nagar,
Bhopal - 462011, Madhya Pradesh (hereinafter referred to as the “AGENCY” or “Partner” or
“Provider” or “Service Provider” which expression shall, unless it be repugnant to the context and meaning
thereof shall deemed to mean and include its successors and permitted assigns) of the SECOND PART
AND
SBI CARDS AND PAYMENT SERVICES LIMITED (formerly known as SBI CARDS AND
PAYMENT SERVICES PRIVATE LIMITED), registered as a public limited Company under the Indian
Companies Act, 2013, having its registered office at UNIT 401 & 402,4TH FLOOR, AGGARWAL
MILLENNIUM TOWER, E 1,2,3, NETAJI SUBHASH PLACE, WAZIRPUR, NEW DELHI –
110034 and its Corporate Office At 2ND FLOOR, TOWER B, DLF INFINITY TOWERS, DLF
CYBER CITY, DLF PHASE 2, GURGAON-122002, HARYANA, (hereinafter referred to as the
“Company” or “SBI Card” or “SBICPSL” , which term shall include its affiliates and successors, which
expression shall, unless it be repugnant to the context or meaning thereof, be deemed to include its
successors and permitted assigns)
For the purposes of this SOW, “SBI Card” and “Partner” are hereinafter jointly and collectively referred to
as “Parties” and individually as “Party”

WHEREAS:

A. SBI Card and the Partner entered into a Master Service Agreement dated October 15, 2022.
(hereinafter referred to as the “Agreement”) whereby the Partner had agreed to provide certain
services to SBI Card;

B. The Parties are hereinafter entering into this SOW to lay down the services to be rendered by the
Partner to SBI Card and the terms and conditions in connection therewith.

1.Scope of Services
Partner agrees and undertakes to provide services with regards to lead generation to SBI Card and
while providing such services under this SOW, Partner also agrees to carry on specific activities
including but not limited to the following as per the requirement of SBI Card from time to time:
I. Partner will generate leads for SBI Credit Card applications using its own data base either through
a. tele-calling
b. by conducting various open-market activities at its own expense.
c. The tele-calling activities will be done from the Partner’s registered office or such
premises/locations which would be agreed between the Parties over an e-mail exchange
and would be done as per the script and other calling instructions as may be provided by
the Company from time to time and in accordance with the applicable rules, laws &
regulations.

II. Partner will generate leads of interested prospective credit card customers as per the eligibility
criteria laid down by the Company. The Partner will also explain the product features and
documentation requirements to the customers.
III. SBI Card’s non full-time employee resource deployed at Partner’s premise shall do a PAN
Validation of the interested prospective customer as per the Company’s instructions in this regard.
IV. Post the lead generation of a prospective customer, SBI Card’s NFTE resource deployed at
Partner’s premise is required to capture the QDE details on the SBI Card’s app / website, post
which an OTP/Application Code is generated and sent to the interested prospective customer.
V. In case the prospective customer does not send the OTP/Application code to SBI Card’s no. for
verification purposes, the Partner is required to give a reminder call to the interested prospective
customer.
VI. The Company will fulfill the approved lead/application.
VII. Under no circumstances, the Partner will sub-let this process to any other company, proprietorship/
partnership or individual.
VIII. Relevant MIS to be shared by the Partner.
IX. The Partner will not store PII of SBI Card’s prospective customers in digital or physical form

For SBICPSL For Sign & Seal Page 1 of 5

Authorized Signatory Authorized Signatory

Document ID: TI101AC211 Stamp Sr. No.: W 651211

Specific Terms and Conditions

I. The Partner shall be responsible to ensuring the confidentiality and security of the lead data
generated by it under this arrangement, including the PAN numbers and the Company shall have
no liability for any third party claims arising from Partner’s failure in this regard.
II. The Partner is responsible for managing the tele-calling set up, including obtaining the requisite
licenses and permissions from the relevant Government / regulatory authorities and adherence to
TRAI and other applicable guidelines.
III. The Partner shall ensure compliance with the instructions given by the Company in this regard
and any shall be responsible for any non-compliance with the same. The Partner undertakes to
indemnify, defend and keep Company, its officers, directors, employees or agents indemnified
and harmless from and against any/all liability, loss, claims, penalties, costs , damages, actions,
third party claims, arising out of or resulting from breach of Partner’s obligations pertaining to
and under this scope of services.

2. Service Fees
For performance of the Services covered under this SOW, the Partner shall be paid the following service
fee on monthly basis and in accordance to the payment terms as mentioned herein.

Approved Card per month Payout per approved card(in Rs.)

Up to 500 2800
501-1000 2900
>1000 3000

“The above commercial table of payout per card shall only be applicable for regular leads. However, in the
event the lead is an existing SBI Credit Cardholder (multi carding), then SBI Card shall pay INR 500
(Rupees Five Hundred only) per approved card. Further, only 10% of the approved card accounts would be
allowed to be from existing SBI Credit Cardholders. Any multi carding exceeding beyond 10% will not be
considered for any payouts whatsoever and accordingly, will not be considered as part of overall cards to
decide the slab for the month.”

PAYMENT TERMS:

I. Partner will raise monthly bill for cards issued in the previous month as per the rates given above
along with the Taxes or Service Tax as per the prevailing Tax rate, if applicable,
II. The payment will be billed on monthly basis and all undisputed payments is to be made by Cheque /
Demand Draft/ NEFT/RTGS by SBI Card to the Partner within 15 Days from the date of the Invoice
received by the Company.
III. The said payment of fee shall be subject to deduction of Income Tax at source at the applicable rates
and any other deductions/ penalties, if any as per the agreement.
IV. The Partner shall not be eligible to claim and/or charge or any out of pocket expenses or any
expenses/fee over and above the explicitly capped Fee as stated in the Agreement and/or Annexure(s)
thereof or Purchase Orders issued thereunder.
V. The Fee stated above will be valid for the duration/ terms of the SOW and may change during the term
of the SOW based on the review by the Company and mutually agreed by both Parties and accordingly
the SOW will be amended, or an email will be sent by one Party and will be accepted by the other party.

3. Information and Data Security:

• Partner agrees to abide and ensure compliances with the Information and data security requirements
as detailed in ANNEXURE A of this SOW.
• SBI Card, may in its discretion conduct at any time an Information Security Audit, by itself or by
an SBI Card appointed external IS auditor and/ or its regulator, as reasonable required to confirm
Partner compliance with its obligations under this agreement. SBI Card in its discretion would
govern the scope of the audit.

For SBI CARD For Sign & Seal Page 2 of 5

Authorized Signatory Authorized Signatory

Document ID: TI101AC211 Stamp Sr. No.: W 651211

• Compliance by Partner to be done, after discussing it mutually with SBI Card and any
recommendation by SBI Card for IS security audit, having the effect of any kind of increase
commercially, to be mutually discussed and settled between the parties.
• Partner hereby agrees to comply with all the reasonable recommendations of the IT Audit as may
be conducted by SBI Card from time to time, as specified in the Audit Report.
4. The effective date of this SOW shall beOctober 15 2022. and the SOW shall remain valid till
October 14, 2022..

5. This SOW shall be governed by the terms and conditions mentioned in the Agreement and in case
of any inconsistency or conflict between the terms of this SOW and the Agreement, the terms of
this SOW shall supersede.

BOTH PARTIES WHEREOF THE PARTIES have signed this SOW

By the within named Company, SBI CARDS AND By the within named Partner, Xtranet Bpo Pvt.
PAYMENT SERVICES LIMITED (formerly Ltd. through its authorized representative
known as SBI CARDS AND PAYMENT
SERVICES PRIVATE LIMITED) through its
authorized representative

Name: _______________________________ Name: ________________________________

Date: ________________________________ Date: _________________________________

For SBI CARD For Sign & Seal Page 3 of 5

Authorized Signatory Authorized Signatory

Document ID: TI101AC211 Stamp Sr. No.: W 651211

ANNEXURE A

INFOSEC POLICY/ REQUIREMENTS

Mandatory Information Security and Data Protection Requirements

Partner will establish and maintain reasonable safeguards against the destruction, loss, alteration of, or
unauthorized access to SBI Card and Payment Services Ltd (SBIC) data in all forms including its
prospective customers’ Personally Identifiable Information (PII) and Sensitive Personally Identifiable
Information (SPII).

The said information shall be processed, in compliance with all applicable laws, and applicable regulatory
and professional standards, use security measures, including, but not limited to, encryption and firewalls,
to protect such data from unauthorized disclosure or use. Such measures shall be no less rigorous than those
measures maintained by ‘Partner’ for data of similar nature of his own. The Partner shall comply with the
information security requirements set forth in the Agreement as of the Effective Date and continuing during
the term of this Agreement.

The Partner would always be required to adhere to the following information security control requirements
during the course of the engagement.

Governance and Management

The Partner will comply with all applicable policies of the SBI Card, including but not limited to the SBI
Card’s Privacy Policy, Information Security Policy, Code of Conduct/Ethics, RBI guidelines on
outsourcing and the Do-Not-Call policies and the policies and regulations issued by any Regulatory
Authorities including TRAI, IBA, RBI etc. from time to time.

Policy Standard and Compliances

Partner to follow all the process defined by SBI Card like human resources/personnel security, physical and
environmental security, incident management, secure handling of customer information etc.

Physical & Personnel Security

Partner to have physical security procedures in place, including physical access control, security guards,
and regular monitoring of all work areas. CCTV cameras must be monitored and recording to be retained
for a period of 90 days at least for all the areas accessing, storing or processing SBI Card information.
• Identification badges shall be provided to employees, visitors, contractors and third-party personnel
entering the premises.
• No SBIC or its customer data shall be stored in paper / hard copy format within the Partner
premises.
• Partner to conduct background checks on all its personnel engaged in providing services to SBI
Card. It should include below checks:
o All qualification checks
o Employment (current and previous) check
o Address check
o Court check, national crime database check or police verification or valid passport
• The employees working on the project should be made aware of his or her responsibilities with
respect to Information Privacy and Information Security.
• Partner will conduct regular and random monitoring of its personnel providing services or working
on SBI Card engagement(s).

Data Storage
No SBIC or its prospective customer PII and SPII in physical and digital form shall be stored, or transferred
to any Partner’s IT assets, including but not limited to servers, desktops or laptops computing device or any
portable storage medium in Partner’s custody and control.

For SBI CARD For Sign & Seal Page 4 of 5

Authorized Signatory Authorized Signatory

Document ID: TI101AC211 Stamp Sr. No.: W 651211

Right to audit
SBIC or an appointed independent audit firm(auditors) or it’s regulator(s) has the right to audit the Partner.
Partner shall grant full access to the auditor (SBIC or Third Party) to conduct audit as per the SBIC
requirements. It is not mandatory to disclose the date and time of the audit of the premises. Partner will
make necessary employees or contractors available for interviews in person or on the phone during the time
frame of the audit. Following completion of such audit, SBIC shall notify Partner in writing of any
deficiencies. The Partner shall, within thirty (30) days of such written notification, either correct such
deficiencies or provide SBIC with a plan reasonably acceptable to SBIC for remediating the deficiencies.
Unless and until (i) the deficiencies are remediated, or (ii) an acceptable plan for remediating such
deficiencies is agreed to by the parties, SBIC may exercise such rights and remedies it deems appropriate
under the circumstances, including, without limitation, offsetting the cost of the subject audit against
payments otherwise due to Partner. Further, such deficiencies that have not remediated shall be deemed a
material breach of the agreement.

Incident Management and Security Breach Notification

Partner to comply with all applicable laws that require the notification to individuals in the event of
unauthorized release of personally identifiable information or other event requiring notification under
applicable law, Partner to:
• Maintain a centralized security incident tracker wherein details of all security incidents occurred in
Partner environment should be logged and tracked to closure.
• Notify SBIC by telephone to SBIC contacts for the engagement relationship and email
(infosec.incident.management@sbicard.com) of such event within 24 hours of discovery.
• Assume responsibility for informing all such individuals in accordance with applicable law and
indemnify, hold harmless and defend SBIC and its trustee, officers, and employees from and against
ant claims, damages, or other harm related to such notification event.
• Partner will cooperate in all respects with SBIC, and execute all documents necessary as requested
by SBIC, to evidence the facts and nature of the breach, for example, to preserve any and all
intellectual property protection or potential for protection for data accessed or compromised during
or by the breach.

For SBI CARD For Sign & Seal Page 5 of 5

Authorized Signatory Authorized Signatory