Co-Development Governance Framework

 

Scope and Purpose

This Co-Development Governance Framework ("Framework") is established to guide the collaborative development efforts of Unique (herein referred to as “Unique” or "Company") and its client (herein referred to as "Client" or "Customer") in the joint development of the software identified as Unique FinanceGPT ("Software"). The purpose of this Framework is to ensure that the Software's integrity, quality, security, and functionality are maintained throughout the development process, especially when both parties are contributing code and features.

The goal of this Framework is to allow Contributors from Clients (or external companies hired by our Clients) to contribute to Unique's core code in Unique's repositories. This enables Clients to introduce features and improvements that are critical for the Client's business without depending on Unique's resources.

The guidelines in this document aim to facilitate contributions while ensuring the code's security, quality, and scalability, and safeguarding the interests of Unique's clientele.

This Document only discusses contribution to the code in repositories of Unique. Any other software interacting with the API or similar to Unique is exempt from the restrictions posed in this document.

Definitions

  • Client: Client refers to the Financial Institution (e.g. insurance, bank, private equity) with which Unique has a Master Service Agreement or Proof of Concept contract in place. The contract outlines the terms, conditions, and obligations governing the collaboration between Unique and the Client, ensuring a clear and legally binding framework for their business relationship.

  • External Contributors: External Contributors or Collaborators refer to employees of Clients as well as developers/consultants employed by third parties (e.g. consulting firms) who work on specific tasks and want to contribute outside of the initial SoW between Unique and the Client. Collaborators who are not employees of the Client can be contracted either by the Client or by Unique.

  • IP Rights: In this agreement, 'Intellectual Property' refers to all software code, algorithms, and data sets, as well as any documentation and its associated materials encompassing the Unique solutions.

  • Merged code: Integration of code into the code base.

Onboarding of Collaborators

Approval of Collaborators

Collaborators to Unique must have an adequate education and qualification in software development to be able to contribute to Unique FinanceGPT.

Prior to the commencement of Onboarding, Unique and the Client shall jointly conduct a review of the External Contributor's qualifications and must provide mutual consent for approval. Each party retains the right to either endorse or reject the proposed Collaborators based on this assessment, ensuring that the individual's qualifications meet the qualification requirements and both parties' standards.

Limitation of Onboarding of External Contributors

Under the terms of Unique’s co-development agreement, Unique shall provide onboarding and guidance for a maximum of two (2) External Contributors per Client per year. Should the Client require the onboarding and guidance of additional External Contributors beyond this specified number, such arrangements may be accommodated subject to mutual agreement between the parties. Additional charges may be applicable for onboarding and guidance of any External Contributors in excess of the agreed-upon number.

Process and Governance

The process and the required documents/equipment for the on- and off-boarding of External Contributors are documented and agreed on in a separate document which defines the On- and Off-Boarding steps.

Roles and Responsibilities

Roles and Responsibilities need to be strictly distributed to ensure smooth coordination and timely resolution of issues. This is outlined in a dedicated list containing the roles and responsibilities of each individual involved. The list will be distributed to the External Contributor during onboarding.

Confidentiality and Non-Disclosure

To safeguard proprietary information exchanged during the co-development, the parties agree to maintain strict confidentiality, refraining from disclosing or using such information for any purpose other than the agreed-upon project. This obligation extends beyond the termination of the co-development agreement, ensuring a lasting commitment to protecting sensitive data.

All External Contributors must sign an NDA before onboarding.

Compliance with Laws and Regulations

The External Contributor commits to compliance with all applicable laws and regulations throughout the co-development process, including but not limited to data protection laws, banking secrecy, and industry-specific mandates. This mutual agreement ensures that the collaborative efforts adhere to legal standards, promoting a secure and lawful development environment. The External Contributor ensures adherence to the terms, conditions, and obligations outlined in the Master Service Agreement or POC contract between Unique and the Client, ensuring a clear and legally binding framework for their business relationship.

External Contributors may work outside of Switzerland unless they get access to production data or the Client strictly forbids it. If an External Contributor who is based in Switzerland wants to work outside of Switzerland for a definite or indefinite time, approval needs to be given by Unique and the Client. The External Contributor has to submit such an inquiry at least 2 weeks in advance.

Performance Review of External Contributor

In the event that Unique determines the capabilities of an engaged External Contributor are inadequate for a substantive contribution—such that the time spent on assistance or review by Unique personnel exceeds the time it would take for said personnel to author the code directly—Unique reserves the right to either request a substitute contributor or to levy charges for the supplementary services necessitated by this deficiency in expertise. Such charges will be invoiced on an hourly basis to maintain product integrity and operational efficiency.

Disclosure process

Not all Clients or External Contributors want to directly submit code changes (see the Contribution process below for actively submitting contributions).

For disclosing only the code (which can also be leveraged as a Business Continuity mechanism), the same Onboarding process applies as for Contributions.

Once onboarded, Unique advises Clients to follow the pattern described below to ensure governed and maintainable disclosure. This pattern is not suitable for the Contribution process but only to disclose Unique's source code to a Client's organisation using the Client's own authorisation system (respecting movers, leavers and/or processes).

Accessing disclosed code

Unique uses GitHub Enterprise to host its code. Unique can only invite GitHub users (via their handles).

  • Unique advises clients to create and provide a technical user handle

  • Providing GitHub handles of human users is discouraged, as their access might persist beyond the employment relationship of the human with the Client

  • Unique will invite the provided handle in due time (normally 1-2 business days)

Hosting disclosed code

Once invited, Unique advises Clients to mirror the repository at an interval (e.g. every night at 3 am). The Client can then invite further users to the cloned disclosed source via their own permission/authorisation system, without Unique's support, making this process fast, secure and governed.

The Disclosure process is not suited to make contributions. To contribute, human contributors as described below must be used.

Contribution process

Guidelines for new features

All new features, enhancements, or significant changes must be formally proposed using the specified tools. Each proposal will be reviewed and must be mutually agreed upon by designated representatives of both Unique and the Client.

External Contributors must adhere to the following guidelines:

  • Each feature should be capable of being activated or deactivated for any customer, primarily through the use of configs or feature flags to manage the introduction of new features. This allows for incremental development and testing without affecting other customers or the production environment.

  • If new features have a front-end impact, Unique Design should provide the UX/UI direction.

  • No new feature should be added to the Unique code base if the same outcome can be achieved externally, while still adhering to the intended purpose of the software.

  • Should the development of a new feature be achievable by utilizing existing APIs, such functionality must be developed through the use of these APIs and shall not be developed within the repositories of Unique. Examples of using the APIs:

    • new module

    • specific ingestion pipeline

    • new chunking method

Feature Approval Process

Progress Tracking and Communication

  • The feature must be tracked using one or more GitHub Issues. Each Issue should be clearly assigned to a team member, with labels and milestones used to indicate the current status and expected timeline. Additionally, these Issues should be organised within a GitHub Project Board to provide a visual overview of who is working on what and at what time.

  • It is expected that the Contributors reach out on a regular basis to discuss the progress of their development. Both parties agree on milestones, timelines, and terms for the contribution of the new feature.

Code Review and Merge Policy

All proposed code changes, including patches, enhancements, and fixes submitted by the Client, must be reviewed and approved by Unique before being merged into the main codebase. Unique will act as the gatekeeper to ensure that the multi-tenant integrity of the Software is preserved and will assign a designated team or team member(s) to conduct the reviews.

The code review process is outlined in the

Quality Assurance

Maintenance of Quality

Unique is the ultimate gatekeeper of code quality. All contributions must meet or exceed established quality metrics, which will be clearly communicated and updated by Unique as necessary.

Test Coverage

The Client is required to maintain or increase the test coverage with each contribution. All new features and code changes must be accompanied by automated tests where applicable (unit, integration, and end-to-end as appropriate) that validate the changes and ensure that existing functionality is not broken.

Bugs

If any bugs or regressions are found in any of the implemented features, the External Contributor ensures that such bugs are resolved with the highest priority so as not to compromise the quality of the product. Complimentary regression tests are added to ensure that it never happens again.

Security Compliance

Unique must ensure compliance with the specified level of information security and services as per our agreements, in accordance with our ISMS (Information Security Management System) guidelines for supplier relationships.

Security Protocols

Security is paramount. All code changes must adhere to the highest security standards as defined by the Company. This includes, but is not limited to, adherence to secure coding practices, regular security audits, and the integration of security measures into the Software's design.

Security Review

The Company will conduct security reviews of all PRs to ensure that no vulnerabilities are introduced. The Client must remediate any identified security issues prior to the merge of their contributions.

Unauthorized Activities

The External Contributor is not allowed to perform any form of load, security, penetration or performance test unannounced or without permission on any of our clusters and guarantees not to introduce any ‘disabling codes’, ‘worms’, ‘viruses’ or similar into the results. 

The Employee agrees not to involve any external third party in the performance of his contractual duties without the prior permission of the Employer, and to use no external services which could involve the protective rights of a third party.

IP rights (Intellectual Property Rights)

Upon integration of code into the code base, all intellectual property rights associated with the merged code shall be exclusively assigned to Unique. Unique shall retain the right to utilize, license, or otherwise permit the use of the merged code by any of its clients at its discretion. All rights of the merged code and derivatives are retained by Unique.

In case of any conflict between the terms of this Agreement and the Master Service Agreement and its Annexes or those of the customer and the terms of one or several stipulation(s) between a Customer and Unique or with an employee of Unique, the terms of the Master Service Agreement and its Annexes shall exclusively prevail, in particular with regards to, but not limited to intellectual property rights.

External Contributors shall indemnify, defend and hold harmless Unique, its officers, directors, employees, agents and affiliates from and against any and all losses, liabilities, claims, obligations, costs and expenses (including reasonable attorneys' fees) arising out of or relating to any third-party claims with respect to the use by Unique, its officers, directors, employees, agents and affiliates of the Services and the Software procured by the Collaborators under this Agreement or any orders relating to this Agreement or furnished by any of Provider's agents or subcontractors, that such use infringes any patent, trademark or other intellectual property rights. The External Contributor undertakes to include similar clauses in its contracts with its agents and subcontractors.

Unique shall promptly notify the External Contributor in writing of such claims for infringement and shall render the External Contributor reasonable assistance as may be required for the defense against such claims.

Usage of Hardware and Software

Hardware

Unique will provide an Apple MacBook if agreed upon. The device will be set up according to our Device Management Policy and enrolled in MS Intune to ensure that the device stays compliant throughout the length of the agreement.

External collaborators are permitted to use their own devices (BYOD) for collaboration purposes, provided that these devices are either Mac or Unix-based. Additionally, it is mandatory that these external devices are managed by the client company, which is responsible for ensuring that each device complies with our minimum security requirements. These requirements will be explicitly outlined within the contractual agreement.

E-Mail Account

Depending on the Collaborator, an E-Mail Account may or may not be provided. If Unique provides the E-Mail Account, the address will follow a different pattern from that of Unique employees' addresses for a clear distinction.

Costs

Hardware and License

The costs for hardware and licenses and external licenses will be covered by the Client. These costs can include:

  • MacBook Pro

  • MS Azure account

  • Confluence/Jira Account

  • Slack Account

  • etc.

Effort provision

Unique allocates a consultation budget, which covers onboarding, synchronisation meetings, and reviews, amounting to 5 days annually for each Collaborator.

Should the consultation budget be surpassed, Unique retains the discretion to determine whether advisory services for each additional feature will be provided as part of the existing agreement or if they will be billed based on the amount of work required. In instances where charges are applied, the daily fees previously agreed with the Client will be enforced.

Amendments to the Framework

This Framework may be amended from time to time by mutual agreement of Unique and the Client. All amendments must be documented and communicated to relevant stakeholders.

Terms and Termination

For each project, the duration of the co-development agreement and the conditions under which either party can terminate the agreement, including any notice periods, have to be agreed upon. We reserve the right to terminate the agreement upon determining that the services of the External Contributors are no longer required.

Acceptance

By participating in the co-development of the Software, the Collaborator agrees to adhere to the terms and conditions outlined in this Framework.

This Framework constitutes an amendment to the existing POC contract / Master Service Agreement established with the Client, and all mutually accepted provisions, particularly those pertaining to Service Level Agreements (SLA), warranty, liability and indemnification, shall persist unaltered.

 

Owner

@Andreas Hauri @Daylan Araz

Version

V 1.2

© 2024 Unique AG. All rights reserved.