Managed IT Services
Our Contract
Effective June 26, 2026. This Master Services Agreement supersedes and replaces all prior versions.
Master Services Agreement
This Master Services Agreement (the “MSA”) is between Provider and the Client found on the applicable quotation, estimate, statement of work, proposal, or order (the “Order”) and, together with the Order, the terms and conditions, and relevant Service Attachments forms the Agreement between the parties (the “Terms”). Client accepts these Terms by signing an Order, using the services, or continuing to use the services after being notified of a change to these Terms. If there is a conflict between the Order, this Master Services Agreement, any Service Attachment, or Exhibit, the Order will control.
The parties agree as follows:
STATEMENT OF SERVICES
Service Attachments
The services to be delivered by Provider (the “Services”) and the fees for those Services, and the specific terms applicable to those Services are described in the Order or in one or more Service Attachments referencing this Agreement.
Provider may decline to perform any services requested by Client that are in violation of any applicable law or that are not typically associated with the Services provided by Provider.
FEES FOR SERVICES | PAYMENT TERMS
Service Fees
Fees for Services are set forth in an Order. Unless otherwise indicated in writing, all Services will be performed on a time-and-materials basis at Provider’s then-current rates.
Adjustments to Service Fees
Except as may be specified in an Order, Provider may adjust the Service Fees charged under this Agreement as follows:
- Increased or Revised Usage or Services. Provider may increase the fees based on revised or increased Usage or Services as described in the Order or applicable Service Attachments.
- At any time after the parties sign an Order, Provider may adjust its rates and charges or impose additional rates and charges to recover amounts required or permitted by governmental or quasi-governmental authorities to collect from others or pay to others in support of statutory or regulatory funds or programs. Client shall pay all Service Fees owed as they become due following any such adjustment.
- Service Fee Rate Increases. At any time after the parties sign an Order, Provider may elect to raise the fees that it charges under that Order. If the increase is greater than 10% annually, Provider shall give Client no less than thirty (30) days’ notice of any such increase in fees to be charged. Within 30 days following Client’s receipt of such notice, Client may terminate the Order without incurring any additional charges or penalties, if any, that Client ordinarily would incur for such termination.
- Third-Party Services. Client understands and agrees that Provider uses third-party solutions and service providers to perform some or all of the managed services offered to Client (“Third-Party Service Providers”). PROVIDER IS NOT RESPONSIBLE FOR THE ACTS OR OMISSIONS OF THIRD-PARTY SERVICE PROVIDERS. CLIENT’S RIGHTS REGARDING CLAIMS AGAINST THIRD-PARTY SERVICE PROVIDERS SHALL BE GOVERNED BY SUCH SERVICE PROVIDER’S END USER LICENSE AGREEMENT OR TERMS AND CONDITIONS. Provider’s current Third-Party Service providers and the governing terms and conditions related to those services are listed on the Schedule of Third-Party Services which may be updated by Provider without further notice to Client and is incorporated by reference as if fully set forth in this Agreement.
- Off-Boarding. Client’s cancellation, termination, or transition of the Services to Client’s control or to another service provider (“Off-Boarding”) may trigger a billable project. Any Off-Boarding projects will be subject to a separate Order, which will be billed at Provider’s then-prevailing rates.
- Client Delay. If Provider is unable to commence delivery of the Services on the service start date because of any failure on Client’s part including but not limited to the failure to provide access to Client’s resources in a timely manner, Client nonetheless will begin to incur Service Fees, which Client shall pay in accordance with the Order, the Service Attachment and the Master Services Agreement.
Reimbursable Expenses
Client shall pay Provider’s reasonable out-of-pocket expenses, including incremental third-party service fees, travel expenses, lodging, meals, or other similar expenses, which may be incurred by Provider in performing Services.
Payment Terms
Client shall pay the full amount reflected on any invoice as owed to Provider on or before the due date identified in the invoice (the “Payment Deadline”). Client shall pay a late charge of one- and one-half percent (1.5%) per month or the maximum lawful rate, whichever is less, for all invoiced amounts not paid by the Payment Deadline.
If Client disputes in good faith all or any portion of the amount owed to us, or if Client otherwise requests any adjustment to an invoiced amount, Client must notify Provider in writing, prior to the Payment Deadline, of the nature and basis of the dispute and/or adjustment. If Provider is unable to resolve the dispute prior to the Payment Deadline, Client nevertheless shall pay the entire invoiced amount by the Payment Deadline. If Provider ultimately determines that such amount should not have been paid, Provider shall apply a credit equal to such amount against any Service Fees owed for the following month.
Special rates may apply for services requested outside of normal business hours or on holidays. Special rates are one-and-one-half (1.5) times normal hourly rates, with a one-hour minimum. Holiday hour rates are two (2) times normal hourly rates, with a one-hour minimum.
Suspension of Service
If Client fails to pay all amounts owed under this Agreement when due, then upon at least ten (10) business days’ prior written notice, and in addition to any other remedies available to Provider, Provider may suspend Services and withhold Confidential Information (defined below) under this Agreement until full payment is made. Following any suspension of service under this provision, and after Client makes full payment to Provider, Provider may restore the Services after validating that all components to be monitored and/or managed under any applicable Order or Service Attachment comply with Provider’s level of security, updates, and best practices. Client shall pay a “Reactivation Fee” for such restoration equal to one month of the Service Fees. Provider’s right to suspend Services under this section is in addition to Provider’s right to terminate this Agreement.
Taxes
Unless otherwise indicated on an invoice, all charges and fees owed under this Agreement are exclusive of any applicable sales, use, excise, or services taxes that may be assessed on the provision of the Services. In the event that any taxes are assessed on the provision of any of the Services, Client shall pay the taxes directly to the taxing authority or shall reimburse Provider for their payment.
TERM AND TERMINATION
Term
This Agreement commences on the Order Effective Date, and it will remain in effect until either party terminates it as permitted below.
Termination
Either party may terminate this MSA for any reason or no reason upon at least thirty (30) days advance, written notice given to the other party. However, termination of this MSA will not, by itself, result in the termination of any Order or Service Attachments, and this MSA will remain in effect notwithstanding any notice of termination unless and until all Orders and/or Service Attachments are terminated or expire according to their terms.
INDEPENDENT CONTRACTOR
Unless otherwise agreed, Provider will perform all Services solely as an independent contractor and not as an employee, agent, or representative of Client.
INTELLECTUAL PROPERTY RIGHTS
Provider Works
Unless specifically identified in a separate Statement of Work, any writing or work of authorship, regardless of medium, created or developed by Provider for Client in the course of performance under this Agreement and related to existing works owned by Provider is a “Provider Work,” is not to be deemed a “work made for hire,” and is and will remain the sole, exclusive property of Provider. To the extent any Provider Work for any reason is determined not to be owned by Provider, Client hereby irrevocably assigns and conveys to Provider all of its copyright in such Provider Work. Client further hereby irrevocably assigns to Provider all of its patent, copyright, trade secret, know-how, and other proprietary and associated rights in any Provider Work.
License to Provider Works
If any Provider Work is located on hardware or equipment owned by Client, Provider hereby grants Client a non-exclusive, revocable, royalty-free license to use any Provider Work during the term of this Agreement (“Limited License”). The Limited License will be immediately and automatically revoked without the need for notice in the event that either party terminates the Services or this Agreement.
License Restrictions
Client shall not:
- Modify, copy, or create derivative works based on the Services or on the Provider Works;
- Build a product or service using similar ideas, features, functions, or graphics of the Service, or
- Copy any ideas, features, functions, or graphics of the Service.
Additional license restrictions may be set forth in the Service Attachments.
Improvements to Services
Client hereby assigns to Provider any and all suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by Client or Client’s users relating to any proposed improvements of or modifications to the Services.
NON-DISCLOSURE AND CONFIDENTIALITY
Confidential Information
During the course of performance under this Agreement, either party may be exposed to or may acquire the other’s proprietary or confidential information. Each party shall hold all such “Confidential Information” in strict confidence and shall not disclose any such information to any third party.
Confidential Information includes but is not limited to: (a) with respect to Provider, Provider’s unpublished prices for Services, audit and security reports, server/network configuration designs, firewall and other hardware configurations, passwords, all business plans, technical information or data, product ideas, methodologies, calculation algorithms and analytical routines, and other proprietary technology, (b) with respect to Client, content transmitted to or from, or stored by Client on, Provider’ servers, and (c) with respect to both parties, other information that is conspicuously marked as “confidential” or if disclosed in non-tangible form, is verbally designated as “confidential” at the time of disclosure.
Non-Confidential Information
Notwithstanding the preceding provision, Confidential Information does not include:
- Information that at the time of disclosure is, without fault of the recipient, available to the public by publication or otherwise;
- Information that either party can show was in its possession at the time of disclosure and was not acquired, directly or indirectly, from the other;
- Information received from a third party with the right to transmit same without violation of any secrecy agreement with the other party; and
- Information that must be disclosed pursuant to court order or permitted by law.
Agreement Confidentiality
No copy of the Order, this MSA, any Service Attachment or Schedule of Services, discussions, negotiations, terms or conditions relating to the Order, the MSA, Service Attachment, or any other information relating to the Order, this MSA, or any Service Attachment may be disclosed to any third party, except by reason of legal, accounting or regulatory requirements, without the prior written consent of the parties hereto.
Information Releases
Notwithstanding the preceding provisions, Provider may publicly refer to Client, orally and in writing, as a Client of Provider. Any other reference to Client by Provider may be made only pursuant to a written agreement between the parties.
PROVIDER-SUPPLIED EQUIPMENT
“Equipment” means any computer, networking or telephony equipment, racking, or associated hardware, or other equipment (if any) that Provider installs on Client’s premises or that Provider ships to Client’s location to facilitate the delivery of Services. Equipment does not include any hardware or devices that Provider may sell to Client or that Provider procures on Client’s behalf.
Provider is and will remain the sole owner of any Equipment, which is provided on a rental or temporary basis only. This agreement transfers to Client no Equipment ownership rights of any kind.
Provider retains sole discretion to determine the appropriate Equipment and associated software and/or technology, if any, to be used at Client’s location, provided that Provider’s determination does not materially impair the availability or delivery of services under this Agreement. Provider also retains sole discretion to determine the necessity of maintenance, repairs, and/or improvement of the Equipment.
Except as otherwise may be specified in an applicable Service Attachment, Provider makes no independent representations or warranties with respect to the Equipment. Any third-party warranties are Client’s exclusive remedies with respect to such Equipment. In the event of an Equipment malfunction, Provider will take commercially reasonable steps to ensure that Client receives the benefit of any manufacturer warranties applicable to the Equipment in use at Client’s location.
Client shall take reasonable care of the Equipment and shall not damage it, tamper with it, move or remove it, attempt to repair it, or attempt to install any software on it. Client is financially responsible, up to the full replacement value of all Equipment, for all damage to or loss of the Equipment used at Client’s location, other than loss or damage caused by Provider. In addition, Client shall obtain and maintain insurance with a reputable insurer for the full replacement value of the Equipment. Such policy or policies of insurance must cover the Equipment against loss or damage (including, without limitation, accidental loss or damage) and must name Provider as an insured beneficiary with respect to the Equipment. Upon demand, Client must produce evidence that such insurance is being maintained and is valid.
Client is responsible for providing the necessary power, network connection, and appropriate environment to support the Equipment.
Client shall not remove any sign, label, or other marking on the Equipment identifying Provider as the owner of the Equipment. Client does not acquire and will not acquire any rights of ownership in the Equipment by virtue of this Agreement, and Client does not have and will not have, by operation of law or otherwise, any lien or other similar right over or in relation to the Equipment.
On termination of any Agreement pursuant to which Client obtained any Provider-owned Equipment, Client shall allow Provider and its employees and contractors reasonable access to its premises to remove the Equipment. Alternatively, upon Provider’s request, Client shall return the Equipment to Provider via the carrier of Provider’s choice, for which Provider will pay all applicable shipping charges. Upon termination, Client is responsible for removing all Client Data from the equipment. Upon pickup or return of equipment to Provider, Provider will not be responsible for lost Client Data.
PROVIDER-SUPPLIED SOFTWARE
“Software” means all and any software installed on the Equipment or provided by Provider for installation on Client’s computer equipment to facilitate the delivery of the Services.
This Agreement does not transfer any right, title, or interest in the Software to Client. Client’s use of the Software is subject to all applicable terms of any end-user license agreement pertaining to the Software, a copy of which will be made available to Client, upon request.
Client shall not, and shall not permit any third party, to:
- distribute or allow others to distribute copies of the Software or any part thereof to any third party,
- tamper with, remove, reproduce, modify, or copy the Software or any part thereof,
- provide, rent, sell, lease, or otherwise transfer the Software or any copy or part thereof or use it for the benefit of a third party, or
- reverse assemble, reverse compile or reverse engineer the Software or any part thereof, or otherwise attempt to discover any Software source code or underlying proprietary information except as may be permitted by law.
CLIENT COVENANTS AND OBLIGATIONS
Assistance
Client shall provide in a timely and professional manner, and at no cost to Provider, assistance, cooperation, complete and accurate information and data, equipment, access to applicable computer and telecommunications facilities, networks, firewalls, servers, programs, files, documentation, passwords, a suitable work environment, and other resources requested by Provider to enable it to perform the Services (collectively, “Assistance”). Provider shall not be liable for any deficiency in performing the Services if such deficiency results from Client’s failure to provide full Assistance as required hereunder. Assistance includes, but is not limited to, designating a project manager or contact person to interface with Provider during the course of Services.
Software Licensing
Unless specifically otherwise agreed to in an applicable Order, Client represents and warrants that Client has title to or has a license or the right to use or modify the Software and has a license or right to permit Provider to use, access, or modify any software that Client has requested Provider to use, access, or modify as part of the Services.
It is the Client’s responsibility to independently ensure that ALL software in use by Client is properly licensed, and Client agrees to maintain records of applicable licenses. Provider will not promote the use of, or knowingly support software which is not properly licensed by Client. Assistance with software audits or licensing compliance matters are billable at Provider’s then-prevailing hourly rates.
Unsupported Software
Provider shall not be responsible or liable to Client for any consequences from the use of software no longer under manufacturer product support or no longer supported by the software publisher (“Unsupported Software”). THEREFORE, CLIENT AGREES TO HOLD PROVIDER HARMLESS FROM ANY LOSS, INJURY, OR DAMAGE TO CLIENT OR ANY HARDWARE, SOFTWARE, AND/OR COMPUTER DATA OF CLIENT CAUSED BY ANY USE OF UNSUPPORTED SOFTWARE.
Provider Access
Client shall supply Provider necessary access to its personnel, appropriate documentation and records, and facilities in order for Provider to timely perform the Services.
Broadband Internet access must be provided. Provider must be provided with remote access (via VPN or other reasonable remote access) to covered equipment. Appropriate cabling to all covered computers and devices must be provided. Appropriate air conditioning and ventilation for all covered computers and devices must be provided, in order to maintain temperature and air quality as specified by the applicable hardware manufacturers. Power surge protection must be provided for all covered computers and devices. Provider must be allowed convenient and timely access to the Equipment covered under this Agreement, adequate working space and facilities within a reasonable distance of the equipment, and access to and use of all information, internal resources, and facilities determined necessary to service the equipment. Client may be required to conduct preliminary diagnostic steps or provide additional information related to a support request, prior to a technician being dispatched to Client’s facility. Client must agree to assign one employee to be liaison or contact person to Provider in order to make communications between both parties effective.
Remote Access
Client grants to Provider the explicit right to remotely access Client’s network systems without the need to obtain expressed permission or consent each time remote access is established.
Third-Party Service Provider Fees
Unless expressly undertaken by Provider in writing, Client is responsible for any Third-Party Service Provider service fees, charges and to arrange for disconnection or termination and payment of charges related to the disconnection or termination of any related services with Client’s current carrier(s) or service provider(s).
Network Security and Malicious Events
Unless specifically otherwise agreed to in an applicable Order, it is Client’s sole responsibility to determine whatever actions deemed necessary to make Client’s data and voice networks and circuits secure from unauthorized access. Hardware firewall must be in place. Wireless data traffic in the environment must be securely encrypted. Provider is not responsible for the security of Client’s network and circuits from third parties, or for any damages that may result from any unauthorized access to Client’s network.
Client has an affirmative obligation to protect Client’s network environment, and to train its employees for spam, malware, phishing, virus protection, and prevention from criminal acts of third parties. Provider is not responsible for criminal acts of third parties, including but not limited to hackers, phishers, crypto-locker, and any network environment subject to ransom.
If a security system for Client’s network is included within the Services to be provided by Provider, Provider agrees to use commercially reasonable efforts to protect Client’s network from malicious attacks by computer viruses, computer worms, and/or computer hackers (collectively, “malicious activities”). However, Client understands that no security system can guarantee complete protection against malicious activities as such attacks often involve the intentional action by third parties to invade and injure computer systems. UNLESS CAUSED BY PROVIDER’S NEGLIGENCE OR WILLFUL MISCONDUCT, CLIENT AGREES TO HOLD PROVIDER HARMLESS FROM ANY LOSS, INJURY, OR DAMAGE TO CLIENT OR ANY HARDWARE, SOFTWARE, AND/OR COMPUTER DATA OF CLIENT CAUSED BY SUCH MALICIOUS ACTIVITIES.
Third-Party Criminal Activity
Provider is not responsible for criminal acts of third parties, including but not limited to intrusions or unauthorized access of any kind, hackers, phishers, crypto-locker, and any network environment subject to ransom. CLIENT AGREES TO HOLD PROVIDER HARMLESS FOR ANY ACTIVITY AFFECTING NETWORK SECURITY ON CLIENT’S ENVIRONMENT RELATED TO THIRD-PARTY CRIMINAL ACTIVITY, NETWORK SECURITY, OR PRIVACY. Any costs or fees to rebuild or service machines will be billed at Provider’s then-prevailing hourly rates.
Theft of Service
Client shall notify Provider immediately, in writing, by electronic mail or by calling the Provider customer support line, if Client becomes aware at any time that the Services are being stolen or used fraudulently. Failure to do so in a timely manner may result in the immediate termination of the Services and additional charges billed to Client. Client will be liable for all use of the Service using Equipment stolen from Client and any and all stolen Service or fraudulent use of the Services. Credits will not be issued for charges resulting from fraud that arises out of third parties hacking into any Equipment. This includes, but is not limited to, modem hijacking, wireless hijacking, or other fraud arising out of a failure of Client’s internal/corporate procedures. Provider will not issue credit for invoiced charges for fraudulent use resulting from Client’s negligent or willful acts or those of an authorized user of Client’s service. THEREFORE, CLIENT AGREES TO HOLD PROVIDER HARMLESS FROM ANY LOSS, INJURY OR DAMAGE TO CLIENT, OR ANY THEFT OF SERVICE CAUSED BY SUCH THEFT OF SERVICE.
Hardware Equipment
Client equipment must be in working order and maintained under a manufacturer’s warranty or maintenance contract. Provider is not responsible for Client equipment that is not maintained under manufacturer’s warranty or maintenance contract or that is otherwise out of order. All Service Fees assume equipment is under manufacturer’s warranty or maintenance contract or is in working order.
Provider in its reasonable opinion and supported by manufacturer information, may designate certain equipment as obsolete or defective, and therefore exclude it from coverage under this Agreement.
Physical Security
Client is responsible for the physical security of its on-premises hardware and software systems.
Independent Backup
Unless specifically otherwise agreed to in an applicable Order or Service Attachment, Client must maintain an independent backup of all files that are sent to either the cloud or a data backup service. A backup solution must be in place, with backup copies stored off-site. It is the Client’s responsibility to verify that backups are made regularly, as well as the integrity of the backups. Provider shall not be held liable in the event of data loss, backup software failure, backup selection, backup hardware failure, backup media failure, or backup system failure even in the event that Provider was tasked to perform the backups. Client will be solely responsible for all lost data.
Malware
An anti-malware solution must be in place and updated with valid update subscription. Provider is not responsible for any harm that may be caused by Client’s access to third-party application programming interfaces or the execution or transmission of malicious code or similar occurrences, including without limitation, disabling devices, drop dead devices, time bombs, trap doors, Trojan horses, worms, viruses, and similar mechanisms. Any costs or fees to rebuild or service machines are provided and sold separately by Provider.
Hardware and Software Configurations
All Hardware and Software Configurations implemented by Provider shall belong to Provider and shall constitute Provider’s Confidential Information.
Client Data Security & Privacy
In addition to its other confidentiality obligations under an applicable Service Attachment, Provider shall not use, edit, or disclose to any party other than Client any Client Data (defined below), except as otherwise requested by Client, or required by court order or applicable law. For purposes of this provision, all data stored on the virtualized machines assigned to Client, including locally stored personal data of individual employees, will be considered Client Data by Provider.
As between Provider and Client, all Client Data is owned exclusively by Client. Client Data constitutes Confidential Information subject to the Terms. Provider may access Client’s User accounts, including Client Data, solely to respond to service or technical problems or otherwise at Client’s request.
Security and Regulatory Recommendations
Although it is under no obligation to do so, from time to time, Provider may make recommendations regarding regulatory compliance, safety, and security related to Client’s network and practices (e.g., multi-factored authentication). If Client fails to adopt or implement the recommended protocols, Client is responsible for any and all damages related to regulatory, security, privacy, or data protection, including but not limited to fines, data breach notification, malware or ransomware costs, restoration, forensic investigation, restoring backups, or any other costs or damages related to Client’s refusal to implement the recommended protocols.
Artificial Intelligence
Client uses artificial intelligence (“AI”) services or tools at its own risk. Provider is not responsible for any Client use of AI.
Provider may, at its discretion, use AI tools, systems, or services in connection with the delivery of the Services. AI may be used to enhance efficiency, automate tasks, analyze data, or support service delivery. Client acknowledges that AI outputs may not be accurate or reliable. Provider is not responsible for results or outcomes of AI use.
Password-Management Services
If Provider provides password management services to Client, Client shall be responsible and liable for any unauthorized use of passwords. THEREFORE, CLIENT AGREES TO HOLD PROVIDER HARMLESS FROM ANY LOSS, INJURY, OR DAMAGE TO CLIENT OR ANY THEFT OF PASSWORDS CAUSED BY SUCH USE OF THE PASSWORD SERVICES BY CLIENT.
PROVIDER REPRESENTATIONS AND WARRANTY
Internal Network Security Compromise Policy
Provider monitors the availability and performance of its internal firewall and network security. This process involves monitoring for intrusion attempts and potential security breaches. In order to minimize a possible compromise of security, all services and applications exposed to the Internet on Provider’s servers are updated with all commonly available security hotfixes and best practices. As appropriate, Provider proactively evaluates, investigates, and reports security-related incidents to the appropriate authorities. Provider also monitors and proactively manages the anti-virus protection of its servers and applications using industry-recognized anti-virus software systems.
Service Warranty
We warrant that the Services will be performed in a professional and workmanlike manner and as described in an applicable Service Attachment or Schedule of Services. All Services will be deemed to be accepted unless Client notifies Provider in writing within ten (10) working days after performance that the Services did not conform to this warranty. Provider promptly will correct any non-conformities and will notify Client in writing that the non-conformities have been corrected.
DISCLAIMER OF WARRANTY
PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE PERFORMED ERROR-FREE OR UNINTERRUPTED, THAT PROVIDER WILL CORRECT ALL SERVICES ERRORS, OR THAT THE SERVICES WILL MEET CLIENT’S REQUIREMENTS OR EXPECTATIONS, OR THAT THE SERVICE WILL BE COMPLETELY SECURE. THERE ARE RISKS INHERENT IN INTERNET CONNECTIVITY THAT COULD RESULT IN THE TEMPORARY LOSS OF SERVICE AVAILABILITY. PROVIDER IS NOT RESPONSIBLE FOR ANY ISSUES RELATED TO THE PERFORMANCE, OPERATION, OR SECURITY OF THE SERVICES THAT ARISE FROM CLIENT’S CONTENT OR THIRD-PARTY CONTENT, OR SERVICES PROVIDED BY THIRD PARTIES. PROVIDER SHALL HAVE NO OBLIGATION WITH RESPECT TO A WARRANTY CLAIM (i) IF NOTIFIED OF SUCH A CLAIM AFTER THE WARRANTY PERIOD OR (ii) IF THE CLAIM IS THE RESULT OF THIRD-PARTY HARDWARE OR SOFTWARE FAILURES, OR THE ACTIONS OF CLIENT OR A THIRD PARTY.
FOR ANY BREACH OF THE SERVICES WARRANTY, CLIENT’S EXCLUSIVE REMEDY AND PROVIDER’S ENTIRE LIABILITY SHALL BE THE CORRECTION OF THE DEFICIENT SERVICES THAT CAUSED THE BREACH OF WARRANTY, OR, IF PROVIDER CANNOT SUBSTANTIALLY CORRECT THE DEFICIENCY IN A COMMERCIALLY REASONABLE MANNER, CLIENT MAY END THE DEFICIENT SERVICES AND PROVIDER WILL REFUND TO CLIENT THE FEES FOR THE TERMINATED SERVICES THAT CLIENT PRE-PAID TO PROVIDER FOR THE PERIOD FOLLOWING THE EFFECTIVE DATE OF TERMINATION.
TO THE EXTENT NOT PROHIBITED BY LAW, CLIENT ACKNOWLEDGES THESE WARRANTIES ARE EXCLUSIVE AND THERE ARE NO OTHER EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS BY THE PROVIDER OR ANY THIRD-PARTY VENDORS INCLUDING FOR SOFTWARE, HARDWARE, SYSTEMS, NETWORKS OR ENVIRONMENTS, OR FOR MERCHANTABILITY, SATISFACTORY QUALITY, AND FITNESS FOR A PARTICULAR PURPOSE, AND THAT THOSE THIRD-PARTY VENDORS DISCLAIM ANY AND ALL LIABILITY, WHETHER DIRECT, INDIRECT, OR CONSEQUENTIAL, ARISING FROM THE SERVICES.
PROVIDER MAY LINK TO OR OFFER THIRD-PARTY SERVICES FOR RESALE. ANY PURCHASE, ENABLING, OR ENGAGEMENT OF THIRD-PARTY SERVICES, INCLUDING BUT NOT LIMITED TO IMPLEMENTATION, CUSTOMIZATION, CONSULTING SERVICES, E-MAIL, WEB HOSTING, SERVER HOSTING, PHONE SERVICE, AND ANY EXCHANGE OF DATA BETWEEN CLIENT AND ANY THIRD-PARTY SERVICE, IS SOLELY BETWEEN CLIENT AND THE APPLICABLE THIRD-PARTY SERVICE PROVIDER AND IS SUBJECT TO THE TERMS AND CONDITIONS OF SUCH THIRD-PARTY PROVIDER. PROVIDER DOES NOT WARRANT THIRD-PARTY SERVICES AND IS NOT RESPONSIBLE OR LIABLE FOR SUCH SERVICES OR ANY LOSSES OR ISSUES THAT RESULT FROM CLIENT’S USE OF SUCH SERVICES. IF CLIENT PURCHASES, ENABLES, OR ENGAGES ANY THIRD-PARTY SERVICE FOR USE IN CONNECTION WITH THE SERVICES, CLIENT ACKNOWLEDGES THAT PROVIDER MAY ALLOW THIRD-PARTY SERVICES PROVIDERS TO ACCESS CLIENT DATA USED IN CONNECTION WITH THE SERVICES AS REQUIRED FOR THE INTEROPERATION OF SUCH THIRD-PARTY SERVICES WITH THE SERVICES. CLIENT REPRESENTS AND WARRANTS THAT CLIENT’S USE OF ANY THIRD-PARTY SERVICE SIGNIFIES CLIENT’S INDEPENDENT CONSENT TO THE ACCESS AND USE OF CLIENT’S DATA BY THE THIRD-PARTY SERVICE PROVIDER, AND THAT SUCH CONSENT, USE, AND ACCESS IS OUTSIDE OF PROVIDERS’S CONTROL. PROVIDER WILL NOT BE RESPONSIBLE OR LIABLE FOR ANY DISCLOSURE, MODIFICATION, OR DELETION OF DATA RESULTING FROM ANY SUCH ACCESS BY THIRD-PARTY SERVICE PROVIDERS.
COMPLIANCE WITH LAWS
Provider shall comply with all laws applicable to Provider in its role as a Managed IT Provider. For the avoidance of doubt, unless otherwise provided in an Order, Provider is not responsible for complying with the laws applicable to Client or Client’s industry. Client shall comply with all laws applicable to Client or in Client’s industry.
Although it is under no obligation to do so, from time to time, Provider may make recommendations regarding legal requirements and regulatory compliance protocols related to Client’s network and practices. If Client fails to adopt or implement the recommended legal requirements or regulatory compliance protocols, Client is responsible for any and all damages related to legal and regulatory compliance. Even if Client does take Provider’s advice regarding legal requirements and regulatory compliance protocols, Provider does not take responsibility for any legal requirements and regulatory compliance protocols or audits.
NO HIRING
Neither party shall solicit, recruit, hire, or otherwise pay any employee or contractor of the other party during the Term of this Agreement and for twelve (12) months following termination of this Agreement.
Each party acknowledges that injury resulting from any breach of this provision would be significant and irreparable and that it would be extremely difficult to ascertain the actual amount of damages resulting from such breach. Therefore, in the event of a violation of this provision, in addition to any other right the non-hiring party may have at law or in equity, the hiring party shall make a one-time payment to the non-hiring party in the amount of one hundred percent (100%) of the affected employee’s or contractor’s payments from the non-hiring party for the preceding one year, which accurately reflects the reasonable value of the employee’s time and costs. The parties agree that such amount is not intended as a penalty and is reasonably calculated based upon the projected costs the injured party would incur to identify, recruit, hire, and train suitable replacements for such personnel.
DISPUTE RESOLUTION
Arbitration Procedures
Each party shall attempt to settle amicably by mutual discussions any disputes, differences, or claims related to this Agreement within sixty (60) days of the date any such dispute arises. Failing such amicable settlement, any such dispute, including claim related to the existence, validity, interpretation, performance, termination, or breach of this Agreement, is to be settled by arbitration in accordance with the Arbitration Rules of the American Arbitration Association (“AAA”). The arbitration will be conducted in English and will have one (1) arbitrator. The Arbitrator will not have the authority to award punitive damages to either party. Each party will bear its own expenses but shall share equally the expenses of the Arbitration Tribunal and the AAA. Any arbitration award will be final, and judgment thereon may be entered in any court of competent jurisdiction. The arbitration will be held in Spokane, Washington, or at another location upon which the parties may agree. Notwithstanding the foregoing, Provider may make claims for injunctive relief and for Client’s failure to pay for Services in a state or federal court in the United States with jurisdiction over the subject matter and parties.
Period for Bringing Claim
Other than claims brought by Provider for non-payment, no claims may be made more than six (6) months after the date by which the fault or failure should reasonably have been discovered; failure to make such a claim within the six (6) month period shall forever bar the claim.
Continued Service
Unless Provider is bringing an action for Client’s failure to make payments for Services not otherwise in dispute, Provider will continue to provide Services under this Agreement, and Client shall continue to make payments to us, in accordance with this Agreement, during the period in which the parties seek resolution of the dispute.
Attorneys’ Fees
In the event that there is any dispute, difference, or claim related to this Agreement that is resolved either through arbitration or through litigation, the prevailing party will be entitled to an award of reasonable attorneys’ fees incurred while defending or prosecuting such dispute, difference, or claim.
Collection Costs
In addition to all amounts owing under this Agreement, Client shall pay on demand all costs and expenses of collection and enforcement incurred by Provider, including without limitation reasonable attorneys’ fees and expenses, court costs, collection agency fees, costs of lien filings and recordings, service of process, investigation, pre- and post-judgment interest, domestication and execution costs, and costs of any appeal, arbitration, insolvency, or bankruptcy proceeding. Such amounts are recoverable whether incurred before suit, in litigation or arbitration, on appeal, or after judgment, and shall be added to the amounts owed to Provider to the maximum extent permitted by law.
INDEMNIFICATION
By Client
Client shall defend, indemnify, and hold Provider harmless against all costs and expenses, including reasonable attorney’s fees, associated with the defense or settlement of any claim that:
INDEMNIFICATION
By Client
Client shall defend, indemnify, and hold Provider harmless against all costs and expenses, including reasonable attorney’s fees, associated with the defense or settlement of any claim that:
- Provider’s use, access, or modifications of any software that Client has requested that Provider use, access, or modify as part of the Services infringes any patent, copyright, trademark, trade secret, or other intellectual property right;
- Any claim related to software licensing and software licensing compliance; or
- Any claim related to any federal, state, or international law or regulation involving data privacy, data protection, or data breach to which Client is subject.
Client shall pay any judgments or settlements based on any such claims.
By Provider
Subject to the limitation of liability set forth in the section titled LIMITATION OF LIABILITY, Provider agrees to indemnify and hold Client harmless from and against all loss, liability, and expense including reasonable attorney’s fees caused by Provider’s:
- negligent act, error, omission, or misrepresentation;
- breach of any contractual term implied by law;
- other act, error, or omission giving rise to civil liability arising out of business activities performed for Client.
Provider shall pay any judgments or settlements based on any such claims.
LIMITATION OF LIABILITY
EXCEPT AS MAY BE DESCRIBED IN AN APPLICABLE SCHEDULE OF SERVICES OR IN A SERVICE AGREEMENT FOR PROJECT SERVICES, PROVIDER’S LIABILITY UNDER THIS AGREEMENT IS LIMITED TO ANY ACTUAL, DIRECT DAMAGES INCURRED BY CLIENT AND WILL NOT EXCEED THE GREATER OF (1) THE PROCEEDS OF PROVIDER’S PROFESSIONAL LIABILITY INSURANCE MAINTAINED BY PROVIDER UNDER ITS APPLICABLE INSURANCE POLICIES, OR (2) THE AMOUNTS PAID BY CLIENT TO PROVIDER UNDER THIS AGREEMENT AND ALL SERVICE DESCRIPTIONS IN THE SCHEDULE OF SERVICES DURING THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE ACCRUAL OF ANY SUCH CLAIM. IN THE EVENT OF AN INSURANCE COVERAGE DISPUTE, PROVIDER IS NOT REQUIRED TO DISPUTE THE COVERAGE DETERMINATION AND IS NOT REQUIRED TO FILE A DECLARATORY JUDGMENT ACTION.
IN NO EVENT IS EITHER PARTY TO BE HELD LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, OR PUNITIVE DAMAGES OR CLAIMS, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOST SAVINGS, LOST PRODUCTIVITY, LOSS OF DATA, LOSS FROM INTERRUPTION OF BUSINESS, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE THAT RESULT FROM THE USE OR INABILITY TO USE THE SERVICES OR FROM MISTAKES, THE SERVICES NOT MEETING CLIENT’S REQUIREMENTS OR EXPECTATIONS, OMISSIONS, TRANSLATIONS AND SYSTEM WORDINGS, FUNCTIONALITY OF FILTERS, MIGRATION ISSUES, INTERRUPTIONS, DELETION OF FILES OR DIRECTORIES, HARDWARE FAILURES, UNAVAILABILITY OF BACKUPS, ERRORS, DEFECTS, DELAYS IN OPERATION, TRANSMISSION, SECURITY BREACH, OR THIRD-PARTY SERVICE FAILURES, EVEN IF PREVIOUSLY ADVISED OF THEIR POSSIBILITY AND REGARDLESS OF WHETHER THE FORM OF ACTION IS IN CONTRACT, TORT, OR OTHERWISE. PROVIDER WILL NOT BE LIABLE FOR ANY KIND OF AUTHORIZED ACCESS OR ANY HARM THAT MAY BE CAUSED BY CLIENT’S ACCESS TO THIRD-PARTY APPLICATION PROGRAMMING INTERFACES OR THE EXECUTION OR TRANSMISSION OF MALICIOUS CODE OR SIMILAR OCCURRENCES, INCLUDING WITHOUT LIMITATION, DISABLING DEVICES, DROP DEAD DEVICES, TIME BOMBS, LOGIC BOMBS, TRAP DOORS, TROJAN HORSES, WORMS, VIRUSES, HACKERS, PHISHERS, CRYPTO-LOCKERS, RANSOMWARE, AND SIMILAR MECHANISMS. CLIENT AGREES THAT THE TOTAL LIABILITY OF PROVIDER AND CLIENT’S SOLE REMEDY FOR ANY CLAIMS FOR DAMAGES REGARDING THE SERVICES UNDER THIS AGREEMENT, INCLUDING ANY SCHEDULE, OR OTHERWISE IS LIMITED TO PROCEEDS OF APPLICABLE INSURANCE COVERAGE.
CLIENT ACKNOWLEDGES AND AGREES THAT PROVIDER WOULD NOT ENTER INTO THIS AGREEMENT FOR THE CONSIDERATION GIVEN BY CLIENT BUT FOR THE LIMITATIONS OF LIABILITY AND DAMAGES CONTAINED IN THIS AGREEMENT. CLIENT ACKNOWLEDGES AND AGREES THAT THE RIGHT TO RECEIVE THE SERVICES IN EXCHANGE FOR THE LIMITATIONS IN THIS AGREEMENT AND THE OTHER CONSIDERATION GIVEN BY CLIENT FOR THE SERVICES CONSTITUTES A BARGAIN THAT IS FAIR AND REASONABLE.
EXCEPT AS MAY BE DESCRIBED IN AN APPLICABLE SCHEDULE OF SERVICES OR IN A SERVICE AGREEMENT FOR PROJECT SERVICES, PROVIDER’S LIABILITY UNDER THIS AGREEMENT IS LIMITED TO ANY ACTUAL, DIRECT DAMAGES INCURRED BY CLIENT AND WILL NOT EXCEED THE GREATER OF (1) THE PROCEEDS OF PROVIDER’S PROFESSIONAL LIABILITY INSURANCE MAINTAINED BY PROVIDER UNDER ITS APPLICABLE INSURANCE POLICIES, OR (2) THE AMOUNTS PAID BY CLIENT TO PROVIDER UNDER THIS AGREEMENT AND ALL SERVICE DESCRIPTIONS IN THE SCHEDULE OF SERVICES DURING THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE ACCRUAL OF ANY SUCH CLAIM. IN THE EVENT OF AN INSURANCE COVERAGE DISPUTE, PROVIDER IS NOT REQUIRED TO DISPUTE THE COVERAGE DETERMINATION AND IS NOT REQUIRED TO FILE A DECLARATORY JUDGMENT ACTION.
IN NO EVENT IS EITHER PARTY TO BE HELD LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, OR PUNITIVE DAMAGES OR CLAIMS, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOST SAVINGS, LOST PRODUCTIVITY, LOSS OF DATA, LOSS FROM INTERRUPTION OF BUSINESS, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE THAT RESULT FROM THE USE OR INABILITY TO USE THE SERVICES OR FROM MISTAKES, THE SERVICES NOT MEETING CLIENT’S REQUIREMENTS OR EXPECTATIONS, OMISSIONS, TRANSLATIONS AND SYSTEM WORDINGS, FUNCTIONALITY OF FILTERS, MIGRATION ISSUES, INTERRUPTIONS, DELETION OF FILES OR DIRECTORIES, HARDWARE FAILURES, UNAVAILABILITY OF BACKUPS, ERRORS, DEFECTS, DELAYS IN OPERATION, TRANSMISSION, SECURITY BREACH, OR THIRD-PARTY SERVICE FAILURES, EVEN IF PREVIOUSLY ADVISED OF THEIR POSSIBILITY AND REGARDLESS OF WHETHER THE FORM OF ACTION IS IN CONTRACT, TORT, OR OTHERWISE. PROVIDER WILL NOT BE LIABLE FOR ANY KIND OF AUTHORIZED ACCESS OR ANY HARM THAT MAY BE CAUSED BY CLIENT’S ACCESS TO THIRD-PARTY APPLICATION PROGRAMMING INTERFACES OR THE EXECUTION OR TRANSMISSION OF MALICIOUS CODE OR SIMILAR OCCURRENCES, INCLUDING WITHOUT LIMITATION, DISABLING DEVICES, DROP DEAD DEVICES, TIME BOMBS, LOGIC BOMBS, TRAP DOORS, TROJAN HORSES, WORMS, VIRUSES, HACKERS, PHISHERS, CRYPTO-LOCKERS, RANSOMWARE, AND SIMILAR MECHANISMS. CLIENT AGREES THAT THE TOTAL LIABILITY OF PROVIDER AND CLIENT’S SOLE REMEDY FOR ANY CLAIMS FOR DAMAGES REGARDING THE SERVICES UNDER THIS AGREEMENT, INCLUDING ANY SCHEDULE, OR OTHERWISE IS LIMITED TO PROCEEDS OF APPLICABLE INSURANCE COVERAGE.
CLIENT ACKNOWLEDGES AND AGREES THAT PROVIDER WOULD NOT ENTER INTO THIS AGREEMENT FOR THE CONSIDERATION GIVEN BY CLIENT BUT FOR THE LIMITATIONS OF LIABILITY AND DAMAGES CONTAINED IN THIS AGREEMENT. CLIENT ACKNOWLEDGES AND AGREES THAT THE RIGHT TO RECEIVE THE SERVICES IN EXCHANGE FOR THE LIMITATIONS IN THIS AGREEMENT AND THE OTHER CONSIDERATION GIVEN BY CLIENT FOR THE SERVICES CONSTITUTES A BARGAIN THAT IS FAIR AND REASONABLE.
THE PARTIES ACKNOWLEDGE AND REPRESENT THAT THEY HAVE READ, ARE FAMILIAR WITH, AND UNDERSTAND THE RIGHTS PROVIDED BY CALIFORNIA CIVIL CODE SECTION 1542, AND SHALL BE DEEMED TO HAVE EXPRESSLY WAIVED ANY AND ALL PROVISIONS, RIGHTS, AND BENEFITS CONFERRED BY CALIFORNIA CIVIL CODE SECTION 1542 AND ANY STATUTE, RULE, AND LEGAL DOCTRINE SIMILAR, COMPARABLE, OR EQUIVALENT TO CALIFORNIA CIVIL CODE § 1542, WHICH READS AS FOLLOWS:
“A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS THAT THE CREDITOR OR RELEASING PARTY DOES NOT KNOW OR SUSPECT TO EXIST IN HIS OR HER FAVOR AT THE TIME OF EXECUTING THE RELEASE AND THAT, IF KNOWN BY HIM OR HER, WOULD HAVE MATERIALLY AFFECTED HIS OR HER SETTLEMENT WITH THE DEBTOR OR RELEASED PARTY.”
INSURANCE
Client Obligations
Client shall maintain a minimum of One Million Dollars (US $1,000,000) in insurance coverage through its respective carriers. Such insurance must include, at a minimum, commercial general liability, workers’ compensation coverage, and first-party cyber liability.
Provider Obligations
Provider agrees to maintain during the Term, professional liability insurance including errors and omissions with aggregate limits of at least One Million Dollars (US $1,000,000). Client’s insurance shall be primary over Provider’s insurance. Client agrees to waive and to require its insurers to waive any rights of subrogation or recovery they may have against Provider, its agents, officers, directors, and employees.
Upon request by Client, Provider may assist Client with: 1) the preparation of applications for insurance; or 2) provide technical assistance to Client in connection with providing information for the underwriting of insurance. Client acknowledges and agrees that Client is solely responsible for reviewing the information for accuracy and Client will be solely responsible for adverse actions taken by insurance carriers in connection with underwriting or claims administration.
DATA PRIVACY & PROTECTION
Client Data
Provider agrees that any electronic data or personal information submitted by Client to Provider as a part of the Service (“Client Data”) remains the property of Client and/or its end-user or other third party. Provider agrees that it will comply with all applicable United States data privacy and data security laws that the Services are subject to and as stated herein.
Compliance with Privacy and Data Security Laws
Client agrees not to provide any consumer or other third-party data subject to privacy regulation under international, federal, state, or local laws (“Regulated Data”) to Provider including but not limited to HIPAA, GLBA, CMMC, GDPR, the California Consumer Privacy Act (“CCPA”), etc. without first entering into an appropriate Order with Provider that specifically references the Regulated Data and the law to which the Client Data is subject.
Data Processing Agreement
For Clients who require the processing of Regulated Data, Client must enter into an applicable Order with Provider, together with a data processing agreement (the “Data Processing Agreement” or “DPA”). Each data privacy or data protection regulation may contain its own separate addendum (or combined addendum) depending on Provider or Client’s regulated activities.
GENERAL
Observed Holidays
Provider reserves the right to identify observed holidays and adjust its holiday schedules from time to time. When a holiday falls on a weekend, Provider may close on the closest business day in observance of that holiday. After-hours emergency support is still available during these times, and Client will be charged for Services at Provider’s then-prevailing Holiday support rates.
Notices
Except as otherwise provided under this Agreement, all notices, demands or requests to be given by any party to the other party shall be in writing and shall be deemed to have been duly given on the date delivered in person, or sent via fax, courier service, electronic mail, or on the date of the third business day after deposit, postage prepaid, in the United States Mail via Certified Mail, return receipt requested, and addressed as set forth on the applicable Order.
The address to which such notices, demands, requests, elections or other communications are to be given by either party may be changed by written notice given by such party to the other party pursuant to this Section.
Force Majeure
Provider will not be liable for any failure of performance of the Services due to causes beyond its reasonable control, including, but not limited to, fire, flood, electric power interruptions, national or regional emergencies, epidemics, pandemics, public health emergencies, stay-at-home orders, furloughs, quarantines, or other restriction or prohibition, civil disorder, acts of terrorism, riots, strikes, Acts of God, or any law, regulation, directive, or order of the United States government, or any other governmental agency, including state and local governments having jurisdiction over Provider or the Services provided hereunder (the “Affected Performance”).
Any party whose performance is so affected shall give written notice to the other party describing the Affected Performance. The parties promptly shall confer, in good faith, to agree upon equitable, reasonable action to minimize the impact on both parties of such condition. If the delay caused by the force majeure event lasts for a period of more than thirty (30) days, the parties shall attempt to negotiate an equitable modification to the Agreement pertaining to the Affected Performance. If the parties are unable to agree upon an equitable modification, then either party may serve thirty (30) days’ written notice of termination on the other party with respect only to the portion of the Agreement relating to the Affected Performance. Client shall pay Provider for that portion of the Affected Performance that was completed or that was in the process of being completed through the effective termination date of the Affected Performance.
Waiver
No delay in exercising, no course of dealing with respect to, and no partial exercise of, any right or remedy hereunder will constitute a waiver of any right or remedy, or future exercise thereof.
Assignment
Neither party may assign this Agreement, in whole or in part, or any of its rights or obligations hereunder without the prior written consent of the other party. However, Provider may assign or otherwise transfer its rights, interests, and obligations under this Agreement without Client’s consent in the event of a change in control of 50% or more of the equity of Provider, the sale of substantially all the assets of Provider, or the restructuring or reorganization of Provider or its affiliate entities. If Client transfers its rights, interests, and obligations under this Agreement without Provider consent, then such assignment will not be valid, and Client shall remain responsible for all Fees under this Agreement and any Attachment regardless of whether Client continues to derive any benefit from the Services. In addition, unless otherwise agreed, Provider may contract with third parties to deliver some or all of the Services, and no such third-party contract is to be interpreted as an assignment of this Agreement. However, Provider will use commercially reasonable efforts to ensure that any and all such third parties abide by all of the terms of this Agreement, and, except as otherwise agreed, Provider will remain solely responsible for the fulfillment of all of Provider’s obligations under this Agreement. This Agreement is binding upon the parties, their successors, and permitted assigns.
Marketing
Client hereby grants Provider the right to reference Client’s name, industry, logo, and URLs in its marketing literature, website, and/or correspondence to potential new Clients, so as to identify Client as a customer of Provider for marketing purposes and for Provider’s benefit. Such information is not considered Confidential Information subject to non-disclosure.
Notifications and Alerts
Client hereby grants Provider the right to utilize Client information to send alerts, notifications, news, and general correspondence to Client to provide the Services.
Survival
The parties’ respective duties and obligations with respect to proprietary rights, intellectual property rights, and non-disclosure and confidentiality will survive and remain in effect, notwithstanding the termination or expiration of this Agreement.
Amendment
Provider may, from time to time, in its sole discretion, and for any reason, amend the Order, the Master Services Agreement and any Service Attachments, Schedules, or other terms and conditions identified on the Order.
Governing Law
This MSA is to be governed by and construed in accordance with the laws of Washington.
Litigation Holds, Testimony, and E-Discovery
If Provider receives a clear, unambiguous litigation hold, subpoena, or a request for assistance with litigation matters or e-discovery, Provider will make reasonable efforts to comply with the request. There may be additional fees for assistance with litigation holds, testimony, and e-discovery requests, as none are included in the scope of Services. Provider takes no responsibility for ambiguous requests, or for compliance with litigation holds, litigation assistance, discovery requests, or court orders, which remain the sole responsibility of Client.
Severability
If any term or provision of this agreement is declared invalid by a court of competent jurisdiction, the remaining terms and provisions will remain unimpaired, and the invalid terms or provisions are to be replaced by such valid terms and provisions that most nearly fulfill the parties’ intention underlying the invalid term or provision.
Third-Party Beneficiaries
This Agreement is for the sole benefit of the parties hereto and their respective successors and permitted assigns, and nothing herein is to be construed to give any person or entity, other than the parties hereto and their respective successors and permitted assigns, any legal or equitable rights hereunder.
No Disparagement
Neither Party, nor any of its respective partners, principals, shareholders, members, officers, directors, employees, affiliates, subsidiaries, agents, or representatives, shall initiate or participate in any action or conduct tending to injure, bring into disrepute, ridicule, damage, or destroy the goodwill of Provider or Client, or the others’ affiliates. The foregoing shall not be construed to prevent or prohibit a Provider or Client, or any of its respective partners, principals, shareholders, members, officers, directors, employees, affiliates, subsidiaries, agents, or representatives, from: (i) exercising its rights under this Agreement; (ii) complying with a legal obligation or a professional responsibility; or, (iii) reporting, providing, or disclosing information to federal, state, municipal, or local government agencies, authorities, or officials in the ordinary course of business or as required by law. Further, in the event Provider or Client or any of its respective partners, principals, shareholders, members, officers, directors, employees, affiliates, subsidiaries, agents, or representatives breach this Section, the non-breaching party and its respective partners, principals, shareholders, members, officers, directors, employees, affiliates, subsidiaries, agents, and representatives shall no longer be bound by the obligations set forth under this Section.
Entire Agreement
This Master Services Agreement, the Order, the Service Attachments or Descriptions, and any other attachments thereto (collectively, the “Agreement”) set forth Provider’s entire understanding with respect to the subject matter hereof and are binding upon both parties, their successors, and their permitted assigns, in accordance with the terms of the Agreement. There are no understandings, representations, or agreements other than those set forth herein. Each party, along with its respective legal counsel, has had the opportunity to review this agreement. Accordingly, in the event of any ambiguity, such ambiguity will not be construed in favor of, or against either party.
Effective June 26, 2026. This Service Attachment for Managed Services supersedes and replaces all prior versions.
Service Attachment for Managed Services
This Service Attachment is between Provider (sometimes referred to as “we,” “us,” or “our”), and the Client found on the applicable Order (sometimes referred to as “you,” or “your”) and, together with the Order, Master Services Agreement, and other relevant Service Attachments, forms the Agreement between the parties the terms to which the parties agree to be bound.
The parties further agree as follows:
SERVICES
Provider will deliver only the Services itemized in the Services section of the Order. Additional Services may be added only by entering into a new Order including those Services.
Help Desk Support:
Help desk support is available during normal business hours. After-hours support is intended for critical systems outages. After-hours support may incur additional charges as defined by the Order.
On-site Support:
It is Provider’s intention to provide remote support whenever possible. On-site support is available once it is determined by Provider that the support cannot be provided remotely. Typically, this will be due to hardware issues or network connectivity issues. On-site support may incur additional charges as defined by the Order.
License
Provider hereby grants Client the right to access and use only those software solutions and other information technology Services specified on the Order during the Term. Those Services may be hosted on servers operated by one or more third parties.
License Restrictions
As between the parties, Provider retains all right, title and interest in and to the Services and their various components, along with all intellectual property rights associated therewith. Other than as expressly set forth in this Service Attachment, no license or other rights in or to the Services are granted to you, and all such licenses and rights are hereby expressly reserved. In addition, Client shall not:
- Modify, copy or create derivative works based on the Services or on any Provider Materials;
- Create Internet “links” to or from the Services, or “frame” or “mirror” any content forming part of the Services, other than on your own intranet(s) or otherwise for your own internal business purposes;
- Distribute or allow others to distribute any copies of any Provider Materials or any part thereof to any third party;
- Rent, sell, lease or otherwise provide any third party with access to the Services or to any Provider Materials, or to any copy or part thereof, or use the Services or any Provider Materials for the benefit of a third party; or
- Remove, modify or obscure any copyright, trademark or other proprietary-rights notices that are contained in or on any Provider Materials.
- Reverse engineer, decompile, or disassemble the Provider Materials, except to the extent that such activity is expressly permitted by applicable law.
For purposes of this Service Attachment, “Provider Materials” means any text, graphical content, techniques, methods, designs, software, hardware, source code, data (including Reference Data), passwords, APIs, documentation or any improvement or upgrade thereto, that is used by or on our behalf to provide the Services.
Third-Party Service Providers
Some components of the Services may be provided through or licensed from Third-Party Service Providers, including but not limited to third-party software, products or services.
Provider, and not those third parties, will provide any and all technical support related to the Services, including support related to those third-party components. However, under certain circumstances, pursuant to the terms of applicable third-party license or services agreements, Provider may be obligated to provide certain information to those third parties regarding the Services and/or regarding your identity. Client consents to such disclosures.
Client understands and agrees that third-party services will be warranted only by the Third-Party Service Provider and only as and to the extent set forth in such provider’s license agreement, and that Provider will not be responsible, and makes no warranty, with respect to third-party services other than that which is expressly contained in the applicable Third-Party Services Provider’s agreements.
Third-party software publishers, including but not limited to, Microsoft will be intended third-party beneficiaries of the Agreement, with the right to enforce provisions of the Agreement and to verify compliance. If any third-party software publisher believes in good faith that Client is not complying with its end-user terms and conditions (“End-User License”), Provider will cooperate in good faith with the third-party publisher to investigate and remedy the non-compliance.
Within thirty (30) days of the termination of this Agreement, Provider shall remove, or cause to be removed, all copies of Client’s Services and/or Provider Materials from the Client’s devices, or otherwise render the software, the Services and/or the Provider Materials permanently unusable. Furthermore, Provider shall require that Client return or destroy all copies of the software, the Services and/or the Provider Materials that it received. Client shall reasonably cooperate and assist, as needed, with all such activities.
No High-Risk Use
Client acknowledges that the Services are not fault-tolerant and are not guaranteed to be error-free or to operate uninterrupted. You shall not use the Services in any application or situation where the Services’ failure could lead to death or serious bodily injury of any person, or to severe physical or environmental damage (“High-Risk Use”). High-Risk Use does not include utilization of the Services for administrative purposes, to store configuration data, engineering and/or configuration tools, or other non-control applications, the failure of which would not result in death, personal injury, or severe physical or environmental damage. Client agrees to indemnify and hold harmless Provider from any third-party claim arising out of Client’s use of the Services in connection with any High-Risk Use.
No Illegal Use
Client shall not use the Services in any application or situation where the Services would be used for any illegal manner, for any unlawful purpose, or to violate the rights of others.
Restorable Backup
Prior to installation, or accessing, or using any Services specified on an applicable Order during the Term, Client shall create a full, complete, and restorable electronic backup of all systems which might be affected, in whole or in part, by the installation and/or maintenance of any software-solution and other information technology services specified on an applicable Order during the Term. Client shall, and does hereby, hold Provider harmless in the event of any damage to any system and applications software.
PROVIDER-SUPPLIED EQUIPMENT
Provider shall deliver the equipment and applications as identified in the Order (“Equipment”). Provider’s delivery of that Equipment is on a rental basis only and is expressly subject to the terms of this Service Attachment pertaining to Provider-supplied Equipment.
Included Services
The Monthly Service Fee for Equipment includes all fees for the use of the Provider-owned hardware, software, operating systems, and all labor needed to install and maintain all hardware, software, operating systems delivered to client under this section.
Equipment Restrictions
All Equipment must be used by Client for the purpose for which it was intended. Client shall not abuse the Equipment or permit it to be serviced by anyone other than Provider. Neither Client nor Client’s agent shall connect accessories supplied by anyone other than Provider to the Equipment without Provider’s written consent, which shall not be unreasonably withheld. Client shall use the Equipment only in the manner contemplated by the manufacturer and in accordance with law. Client shall not allow anyone other than Provider to disconnect or move the Equipment from the location noted on the Order. Provider must be free to make any changes needed on the Equipment. Any critical business data stored on any Equipment must be backed up by Client.
Ownership of Provided Software
Client acknowledges that its interest in any software installed by Provider on the Equipment is that of a licensee and that the software provided by Provider shall remain the property of Provider and must be returned if requested by Provider in furtherance of the Services or upon termination of this Agreement. Client further agrees to cease the use of any software or Equipment that remains the property of Provider upon cancellation or termination of this Attachment.
CREDENTIALS
Network Administrative Credentials – Provider must have exclusive network administrative credentials for Client’s network. While it is providing Services, Provider will not release the network administrative credentials to Client or to any third party for any reason without a signed release acceptable to Provider. Upon termination, if Client has paid any and all required fees, including but not limited to, termination fees, remaining third-party service fees, and off-boarding fees, Provider will then release the network administrative credentials to Client.
User Credentials – User credentials are the property of Client, and Provider will not withhold individual user credentials to systems or applications.
Third-Party Global Admin Credentials (e.g., Microsoft tenant credentials) (“Client Credentials”) – While it is providing services, Provider will not release Client Credentials to Client or to any third party for any reason without a signed release acceptable to Provider. Upon termination, if Client has paid any and all required fees, including but not limited to, termination fees, remaining third-party service fees, and off-boarding fees, Provider will then release Client Credentials to Client.
Third-Party Service Provider Credentials (“Provider Credentials”) – In many instances, Provider licenses third-party tools and applications in order to assist with the provision of services to Client. Provider’s Credentials for these tools (e.g., Duo, Kaseya, SentinelOne, Connectwise, etc.) will never be released to Client for any reason.
ADDITIONAL CLIENT OBLIGATIONS
Hardware Equipment
Client equipment must be maintained under a manufacturer’s warranty or a current maintenance contract. Provider is not responsible for client equipment that is not maintained under a manufacturer’s warranty or maintenance contract or that is otherwise out of order. All Service Fees assume equipment is under a manufacturer’s warranty or maintenance contracts.
Provider in its reasonable opinion and supported by manufacturer information, may designate certain equipment as obsolete or defective, and therefore exclude it from coverage under this Agreement.
Minor On-Site Tasks
Provider may occasionally ask Client to perform simple on-site tasks (e.g., powering down and rebooting a computer). Client agrees to cooperate with all reasonable requests.
Server Upgrades or Repair
Provider will authorize all server upgrades or repairs. Client agrees not to perform any of these actions without notifying us.
Software Media
Client shall obtain and supply all necessary software media with installation keys (if any) upon request.
Except for any software provided by Provider in connection with the Services, Client is solely responsible for obtaining all required software licenses, including all client access licenses, if any, for the software products installed on your computers.
Security and Regulatory Recommendations
Although it is under no obligation to do so, from time to time, Provider may make recommendations regarding regulatory compliance, safety and security related to Client’s network and practices (e.g., multi-factored authentication). If Client fails to adopt or implement the recommended protocols, Client is responsible for any and all damages related to regulatory, security, privacy, or data protection, including but not limited to fines, data breach notification, malware or ransomware costs, restoration, forensic investigation, restoring backups, or any other costs or damages related to Client’s refusal to implement the recommended protocols.
NETWORK CHANGE COORDINATION
Significant Changes to Client’s Network
Client will notify Provider via email of all significant proposed network changes and will provide us with a reasonable opportunity to comment and follow-up regarding those proposed changes.
Research Regarding Network Changes
Evaluation of network change requests sometimes will require significant research, design, and testing by Provider. These types of requests are not covered by this Service Attachment and will be billed at Provider’s then-current rates for time and materials.
SUITABILITY OF EXISTING ENVIRONMENT
Minimum Standards Required for Services
Client represents, warrants and agrees that its existing environment meets the following requirements or will obtain upgrades to its existing environment to meet the following requirements (“Minimum Standards”):
- All servers must be running a supported version of the operating system with all of the latest recommended patches and updates installed.
- All desktop PCs and notebooks/laptops must be running a supported version of the operating system with all of the latest recommended patches and updates installed.
- All server and desktop software must be genuine, licensed and vendor-supported.
- Provider must have exclusive administrative credentials to Client’s network.
- The environment must have a currently licensed, vendor-supported hardware firewall between the internal network and the internet.
- There must be an outside static IP address assigned to a network device, allowing secure VPN access.
Healthcare Clients
- MS Active Directory, or other identity-management system
PCI-DSS (credit card)
- Segregated payment network
- Segregated wireless network from payment network
- MS Active Directory, or other identity-management system
All costs required to bring Client’s environment up to these minimum standards are not included in this Service Attachment.
If Client’s environment fails to satisfy the above requirements at any time during the Service term, Provider may suspend further delivery of the Services and/or terminate this Service Attachment upon five (5) business days’ advance, written notice.
EXCLUSIONS
Provider is not responsible for failures to provide Services that are caused by the existence of any of the following conditions:
- Expired Manufacturer Warranty or Support – Parts, equipment or software not covered by a current vendor/manufacturer warranty or support.
- Alterations and Modifications not authorized by Provider – Any repairs made necessary by the alteration or modification of equipment other than that authorized by Provider, including alterations, software installations or modifications of equipment made by Client’s employees or anyone other than Provider.
- Hardware or Software Malfunction – Any time there is a defect or malfunction in any hardware or software not caused by Provider that adversely affects Provider’s ability to perform the Services.
- Client Resource Problems – Any time a problem occurs resulting from a Client resource that are not under Provider’s management or control.
- Network Changes – Any changes Client may have made to the networking environment that were not communicated to or approved by Provider.
- Task Reprioritization – Any problems or failures related to a prioritization or reprioritization of tasks by Client.
- Force Majeure – Any problems resulting from a Force Majeure Event as described in the Master Services Agreement.
- Client Actions – Any problem resulting from Client actions or inactions.
- Client Responsibilities – Any problems resulting from Client’s failure to fulfill any responsibilities or obligations under the relevant Agreements.
- Internet Connectivity Loss – Any loss of internet connectivity that occurs at Client locations for any reason.
- Software Maintenance – Any maintenance of applications software packages, whether acquired from Provider or any other source.
- Remote Computers – Home or remote computers that are not covered under the relevant Agreements.
Provider is not responsible for failure to provide Services that occur during any period of time in which any of the following conditions exist:
- Problem Ticket Management – The time interval between the initial occurrence of a desktop malfunction or other issue affecting functionality and the time Client reports the desktop malfunction or issue to Provider.
- Power Supply Malfunction – Instances where the battery, electricity, power-protective equipment or uninterruptable power supply (UPS) malfunctions and renders Provider unable to connect to the network or troubleshoot the device in question.
- Third-Party Criminal Activity – Provider is not responsible for criminal acts of third parties, including but not limited to hackers, phishers, crypto-locker, and any network environment subject to ransom. Client agrees to pay ransom or hold provider harmless for any activity effecting network security on your environment related to third-party criminal activity. Any costs or fees to rebuild or service machines are provided and sold separately by Provider.
- Malware – Provider is not responsible for any harm that may be caused by Client’s access to third party application programming interfaces or the execution or transmission of malicious code or similar occurrences, including without limitation, disabling devices, drop dead devices, time bombs, trap doors, Trojan horses, worms, malware, viruses and similar mechanisms. Any costs or fees to rebuild or service machines are provided and sold separately by Provider.
The following list of items are excluded from the scope of included Services, and may incur additional charges or require a separate billable project:
- Software Maintenance – Unusual work that results from a failed software patch or update that results in an interruption in Client’s business, with the exception of Microsoft Windows updates and patches.
- Programming Modifications – Any programming (modification of software code) and program (software) maintenance occurs.
- Training – Any training service of any kind, unless otherwise agreed to in an Order.
- Software and Web Development – Any Services requiring software and web development work.
- Remote Computers – Unless otherwise specified in an Order, home or remote computers that are not covered under the Agreement.
- Replacement Software – Implementation of new or replacement software.
- Relocation / Satellite Office – Office relocation/satellite office setup.
- Equipment Refresh – Any equipment refreshes.
- Incident Response – Provider will assist Client in the hours immediately following a data breach to identify the likely source of the breach and to begin formulating an appropriate response to the breach. However, any assistance with data breach-remediation efforts past the first twenty-four (24) hours following a breach – including but not limited to breach-notification planning, in-depth forensic examinations of the source of a breach, and significant, post-breach systems reconfiguration – are not within the scope of this Service Attachment. If Client requests Provider’s assistance with such activities, Provider will prepare an Order that will specify what the charges will be for such assistance.
The following list of items are costs that are considered separate from the Service pricing:
- Costs Outside Scope of the Service – The cost of any parts, equipment, or shipping charges of any kind. The cost of any software, licensing, or software renewal or upgrade fees of any kind. The cost of any third-party vendor or manufacturer support or incident fees of any kind. The cost of additional facilities, equipment, replacement parts, software or service contract.
The following is a list of Services Provider does not perform:
- Printer Hardware Repair – Printer hardware repair or maintenance work.
- Third-party Vendor Disputes – The management or involvement with disputes or charges with any third-party vendor, other than issues relating to the technical services.
RIGHT TO ACT AS AGENT AND SITE PREPARATION
Client designates Provider to act as agent for Client in ordering necessary services or entering trouble tickets from phone service carriers and internet access providers, whenever applicable. Client agrees to (a) furnish and install all conduit, raceway or low smoke cable and to create all holes and wireways through concrete, plaster, metal floors, walls or ceilings which may be required for the installation of the Equipment, (b) provide all commercial AC power circuits required for the operation of the Equipment, (c) pay for all electrical current necessary for the operation of the Equipment and (d) provide a suitable space for the operation of the Equipment consistent with the recommendations of the manufacturer, including, but not limited to, providing a dry and dust-free environment. Provider shall have no duty, responsibility or obligation to make any structural alterations or adjustments to the premises to install the Equipment. Client shall provide Provider with reasonable access to the premises during Provider’s working hours and shall furnish elevator service when necessary as well as heat, light, sanitary facilities, electrical power and protection of the Equipment from theft during installation. Provider is not responsible for restoring Client’s premises to its original condition upon removal or relocation of any or all of the Equipment.
VOIP CUTOVER DATE AND ACCEPTANCE
The Service Start Date outlined in the Order for installed Equipment is only an approximate date. IN NO EVENT SHALL VENDOR BE LIABLE FOR SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES FOR CAUSES BEYOND ITS REASONABLE CONTROL OR UNFORESEEN CIRCUMSTANCES CAUSING DELAYS IN DELIVERY OR INSTALLATION OF THE EQUIPMENT.
VOIP CONSULTANT
In the event that Client is represented by a consultant, Provider may require that the consultant provide completed key sheets and floor plans and arrange for all necessary services with the local telephone utility and provide Client training and directories.
VOIP SERVICE LIMITATIONS AND RESTRICTIONS
Emergency Calls
When you dial 911, your call is routed from the Provider network to the Public Safety Answering Point (PSAP) or local emergency service personnel using the address that you provided to us. You acknowledge and understand that when you dial 911 from Provider devices or Provider-provisioned devices, your call will be routed to the general or administrative telephone number for the PSAP or local emergency service provider and will not necessarily be routed to the 911 dispatcher(s) who are specifically designated to receive incoming 911 calls using traditional 911 dialing. Rogue 911 calls are subject $500 fee per call. “Rogue 911 call” means any call placed to 911 through Provider from an unregistered Ani (Caller ID). To avoid Rogue 911 charges please ensure that any call uses a registered Ani and correct address is provided.
Service Interruptions
Emergency Calling Service dialing does not function without power and an active Internet connection. Should there be an interruption in the power supply, the Service and Emergency Calling Service dialing will not function until power is restored. A power failure or disruption may require you to reset or reconfigure affected equipment before using the Service or Emergency Calling Service dialing. In addition, if there is a Service outage for ANY reason – including suspension of your account as a result of billing issues – such outage will prevent ALL Service, including Emergency Calling Service dialing. PROVIDER IS NOT RESPONSIBLE OR LIABLE FOR ANY EVENTS OR OUTCOMES DURING A SUSPENSION OF SERVICE PERIOD.
Contact Information
The address you provided to Provider is the address that is applied to your Service for Emergency Calling Service dialing. Should you need to change this address, you must contact us immediately. It may take up to three business days to effectuate a change of address or update of an address. Failure to provide the current and correct physical address and location of Equipment will result in any Emergency Calling Service communication you may make being routed to the wrong local emergency service provider. In addition, it may not be possible to transmit identification of your phone number or the address that you have listed to the PSAP and local emergency personnel for your area when you use Emergency Calling Service dialing. You may need to state the nature of your emergency promptly and clearly, including your location, as PSAP personnel will NOT have all of this information. You acknowledge and understand that PSAP and emergency personnel will not be able to find your location if the call is unable to be completed, is dropped or disconnected, if you are unable to speak to tell them your location and/or if the Service is not operational for any reason, including without limitation those listed elsewhere in this agreement.
Phone Number and Location Changes
If you change your primary phone number, you will not be able to change your Emergency Calling Service address for seventy-two (72) hours. During that time, any Emergency Calling Service calls that you may make will be routed using the address that was in Provider’s records before you changed your phone number. Emergency Calling Service dialing does not function properly or may not function at all if you take Equipment with you away from the address or physical location that you have designated.
Business Use of Service and Equipment
You shall not resell or transfer the Services or Equipment to any other person or entity for any purpose without Provider’s express, written permission.
International Services
Foreign carriers or regulatory agencies may impose, upon the portion of the end-to-end international service or facilities they provide, certain limitations or restrictions that may limit your ability use the Services. You must conform to any limitations or restrictions imposed by the foreign carriers or agencies. You are responsible for all Service charges.
Foreign Carrier Acts or Omissions
We are not liable for acts or omissions of other carriers or foreign telecommunications administrations.
International calls are priced on the basis of the country and city codes you dial. We are not liable for refunds or damages if those calls do not terminate in the country, city or area codes associated with the called number.
Collect Call and Operator Services
We do not offer collect call or operator services via this Service.
Additional Restrictions
- You shall not use any Provider VoIP service: (1) for any unlawful purpose; (2) for making telephone calls that use automatic dialing devices and terminate into electronic information services, pay-per-call services, or other domestic or international audiotext services; or (3) for international call-back offerings using uncompleted call signaling to any country, when that country has prohibited such an offering by statute or regulatory decision.
- We may (1) deny, for any lawful reason, your request for Service, or (2) limit or allocate the facilities available to or used by any Service, if necessary, to manage our network in an efficient manner; to meet reasonable service expectations; to furnish service to existing and future customers based on forecasted customer requirements; or for any other lawful reason.
- We may, without notice (consistent with governing laws or regulations), block traffic to or from specific countries, country codes, cities, city codes, local telephone exchanges (“NXX exchanges”), individual telephone stations, groups or ranges of individual telephone stations, or calls using certain customer authorization codes, whenever we deem it necessary to take such action to prevent (1) the unlawful use of Services; (2) nonpayment for Services; (3) the use of the Services in violation of this agreement; or (4) network blockage or the degradation of service furnished to you or to other Provider customers.
VOIP INDEMNIFICATION
In addition to your indemnification obligations in the MSA, you shall defend, indemnify, and hold harmless Provider, its officers, directors, employees, affiliates and agents and any other service provider who furnishes services to you in connection with this agreement, from any and all claims, losses, damages, fines, penalties, costs and expenses (including, without limitation, reasonable attorneys’ fees) by, or on behalf of, you or any third party or user of the Service relating to the absence, failure or outage of the Service, including Emergency Calling Service dialing and/or inability of you or any third person or party or user of the Service to be able to dial 911 or to access emergency service personnel.
PROVIDER OBLIGATIONS
In addition to delivery of the Services, Provider accepts the following obligations under this Service Attachment:
Data Security and Privacy
In addition to its other confidentiality obligations under this Service Attachment, Provider shall not use, edit or disclose to any party other than Client any electronic data or information stored by Provider, or transmitted to Provider, using the Services (“Client Data”). Provider further shall maintain the security and integrity of any Client Data under Provider’s direct control, in accordance with any parameters described in this Service Attachment.
As between Provider and Client, all Client Data is owned exclusively by Client. Client Data constitutes Confidential Information subject to the terms of the MSA, and shall be returned to Client upon request, provided that Client is current in all payments, termination fees, and third-party service fees. Provider may access Client’s User accounts, including Client Data, solely to respond to service or technical problems or otherwise at Client’s request.
Maintenance Windows
Routine server and application maintenance and upgrades will occur during scheduled maintenance windows, and some applications, systems or devices may be unavailable or non-responsive during such times.
WARRANTY
- Provider warrants that the Services will be performed materially in accordance with the service documentation previously provided for the Services in a professional and workmanlike manner.
- HOWEVER, PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE. THERE ARE RISKS INHERENT IN INTERNET CONNECTIVITY THAT COULD RESULT IN THE LOSS OF YOUR PRIVACY, CONFIDENTIAL INFORMATION, AND PROPERTY. WE HAVE NO OBLIGATION TO PROVIDE SECURITY OTHER THAN AS STATED IN THIS SERVICE ATTACHMENT. WHILE THE SERVICES ARE DESIGNED TO IMPROVE THE PROBABILITY OF THE PROTECTION AND RECOVERY OF INFORMATION COMPARED TO THE CLIENT’S CURRENT METHODS EMPLOYED, PROVIDER MAKES NO CLAIMS OR WARRANTIES THAT DATA BACK-UPS AND DATA / SERVER / DESKTOP RECOVERIES USING THE SERVICES WILL BE ERROR FREE OR THAT ALL RECOVERIES CAN BE PERFORMED WITHIN A CERTAIN TIME FRAME.
- IN ADDITION, CLIENT ACKNOWLEDGES THAT THIS AGREEMENT CONVEYS NO WARRANTIES, EXPRESS OR IMPLIED, BY ANY THIRD-PARTY VENDORS OF SOFTWARE PRODUCTS MADE AVAILABLE TO CLIENT BY PROVIDER AND THAT THOSE VENDORS DISCLAIM ANY AND ALL LIABILITY, WHETHER DIRECT, INDIRECT OR CONSEQUENTIAL, ARISING FROM THE SERVICES.
SERVICE FEES
Onboarding Fee
Prior to the delivery of the Services, Provider may charge an Onboarding Fee in order to deploy and configure the Services under this Service Attachment. Provider will identify the Onboarding Fee in an initial invoice, and Client shall pay the Onboarding Fee, as set forth in the Master Services Agreement (“MSA”). Provider shall have no obligation to continue with the delivery of any Services under this Service Attachment until it receives payment for the Onboarding Fee.
Service Fees Increases
In addition to the Service Fee increases described in the MSA, Provider may adjust the fees for the following reasons:
End-User or Network Growth. During the term of an Order, if the number of users or devices in Client’s environment or the Service or Equipment types or quantities to be covered within the scope of the Order exceeds the numbers, types or quantities previously ordered, Provider may apply an adjustment to the total Service Fees. Client shall pay all Service Fees owed as they become due following any such adjustment.
Similarly, during the term of an Order, if the number of users or devices in Client’s environment or the Service or Equipment types or quantities to be covered within the scope of the Order is less than the numbers, types or quantities previously ordered, upon request, Provider will apply an adjustment to the total Service Fees. Client shall pay all Service Fees owed as they become due following any such adjustment. However, under no circumstances may any such adjustments result in a number of users or devices in Client’s environment or in any Service or Equipment types or quantities to be covered within the scope of the Order that is less than the numbers, types or quantities ordered at the time Client signed that Order.
“User” means Client’s employees, consultants, contractors or agents who are authorized to use the Service and have been supplied user identifications and passwords by Client (or by Provider upon Client’s request). Users do not include any customers of Client or other third parties.
“Device” means any equipment included in the Services, whether owned by Client or provided by Provider for Client’s use, including, but not limited to computers, printers, servers, routers, and mobile or handheld microcomputers as well as the software necessary to operate such equipment.
TERM AND TERMINATION
Term
This Service Attachment is effective as of the Effective Date of the Order referencing the Services herein. Unless properly terminated by either party, this Attachment will remain in effect through the end of the term specified on the Order (the “Initial Term”).
Renewal
“RENEWAL” MEANS THE EXTENSION OF ANY INITIAL TERM SPECIFIED ON AN ORDER FOR AN ADDITIONAL TWELVE (12) MONTH PERIOD FOLLOWING THE EXPIRATION OF THE INITIAL TERM, OR IN THE CASE OF A SUBSEQUENT RENEWAL, A RENEWAL TERM. THIS SERVICE ATTACHMENT WILL RENEW AUTOMATICALLY UPON THE EXPIRATION OF THE INITIAL TERM OR A RENEWAL TERM UNLESS ONE PARTY PROVIDES WRITTEN NOTICE TO THE OTHER PARTY OF ITS INTENT TO TERMINATE AT LEAST SIXTY (60) DAYS PRIOR TO THE EXPIRATION OF THE INITIAL TERM OR OF THE THEN-CURRENT RENEWAL TERM. ALL RENEWALS WILL BE SUBJECT TO PROVIDER’S THEN-CURRENT TERMS AND CONDITIONS.
Month-to-Month Services
If the Order specifies no Initial Term with respect to any or all Services, then we will deliver those Services on a month-to-month basis. We will continue to do so until one party provides written notice to the other party of its intent to terminate those Services, in which case we will cease delivering those Services at the end of the next calendar month following receipt such written notice is received by the other party.
Early Termination by Client With Cause
Client may terminate this Service Attachment for cause following sixty (60) days’ advance, written notice delivered to Provider upon the occurrence of any of the following:
- Provider fails to fulfill in any material respect its obligations under the Service Attachment and fails to cure such failure within thirty (30) days following Provider’s receipt of Client’s written notice.
- Provider terminates or suspends its business operations (unless succeeded by a permitted assignee under the Agreement).
Early Termination by Client Without Cause
If Client has satisfied all of its obligations under this Service Attachment, then no sooner than ninety (90) days following the Service Start Date, Client may terminate this Service Attachment without cause during the Initial or a Renewal Term (the “Term”) upon sixty (60) days’ advance, written notice, provided that Client pays Provider a termination fee equal to any discounts or concessions provided, plus fifty percent (50%) of the recurring, Monthly Service Fees remaining to be paid from the effective termination date through the end of the Term, based on the prices then in effect.
Termination by Provider
Provider may elect to terminate this Service Attachment upon thirty (30) days’ advance, written notice, with or without cause. Provider has the right to terminate this Service Attachment immediately for illegal or abusive Client conduct. Provider may suspend the Services upon ten (10) days’ notice if Client violates a third-party’s end user license agreement regarding provided software. Provider may suspend the Services upon fifteen (15) days’ notice if Client’s action or inaction hinder Provider from providing the contracted Services.
Effect of Termination
As long as Client is current with payment of: (i) the Fees under this Attachment, (ii) the Fees under any Order for off-Boarding, and/or (iii) the Termination Fee prior to transitioning the Services away from Provider’s control, then if either party terminates this Service Attachment, Provider will assist Client in the orderly termination of services, including timely transfer of the Services to another designated provider. Client shall pay Provider at our then-prevailing rates for any such assistance. Termination of this Service Attachment for any reason by either party immediately nullifies all access to our services. Provider will immediately uninstall any affected software from Client’s devices, and Client hereby consent to such uninstall procedures.
Upon request by Client, Provider may provide Client a copy of Client Data in exchange for a data-copy fee invoiced at Provider’s then-prevailing rates, not including the cost of any media used to store the data. After thirty (30) days following termination of this Agreement by either party for any reason, Provider shall have no obligation to maintain or provide any Client Data and shall thereafter, unless legally prohibited, delete all Client Data on its systems or otherwise in its possession or under its control.
Provider may audit Client regarding any third-party services. Provider may increase any Fees for Off-boarding that are passed to the Provider for those third-party services Client used or purchased while using the Service.
Client agrees that upon Termination or Off-Boarding, Client shall pay all remaining third-party service fees and any additional third-party termination fees.
Effective June 26, 2026. This Service Attachment for Managed Compliance Services supersedes and replaces all prior versions.
Service Attachment for Managed Compliance Services
This Service Attachment is between Provider (sometimes referred to as “we,” “us,” or “our”), and Client found on the applicable Order (sometimes referred to as “you,” or “your,”) and, together with the Order, Master Services Agreement, Schedule of Services, and other relevant Service Attachments, forms the Agreement between the parties the terms to which the parties agree to be bound.
The parties further agree as follows:
MANAGED COMPLIANCE SERVICE
Provider will deliver only those Managed Compliance Services expressly itemized in the Services section of the applicable Order (the “Services”). The descriptions below set out the potential scope of Managed Compliance Services that Provider may offer; however, no Service shall be deemed included unless specifically identified as a Service. Any expansion or modification of the Services shall be documented through a mutually agreed written change order or amended Order specifying the additional services, associated fees, and any changes to timelines or responsibilities.
Risk Assessment
- Conduct a comprehensive risk assessment to identify and evaluate potential risks to the privacy and security of non-personal and protected information (“NPI”), including risks associated with information collection, storage, transmission, and disposal.
- Develop a risk-management plan to address and mitigate identified risks, including prioritizing risks based on their likelihood and potential impact on Client’s operations and customer information.
Information Security Program Development
- Assist with developing and implementing a written information security program (WISP) that is tailored to Client’s specific needs, size, and complexity.
- Establish and maintain appropriate administrative, technical, and physical safeguards to protect the privacy and security of NPI, including access controls, encryption, firewalls, secure disposal procedures, and staff training.
Privacy Notice and Policy Development
- Assist with drafting and maintaining privacy notices and policies that include providing customers with clear and conspicuous notice of Client’s privacy practices and customers’ right to opt-out of certain information sharing.
- Review and update privacy notices and policies regularly to ensure they accurately reflect Client’s current practices and comply with applicable laws and regulations.
Employee Training and Awareness
- Develop and implement an ongoing employee training program to educate staff on compliance requirements, policies and procedures, and best practices for protecting customer information.
- Conduct periodic refresher training to ensure employees remain knowledgeable about requirements and any changes to policies and procedures.
Vendor Management
- Establish and maintain a vendor management program to ensure that third-party service providers who have access to NPI are also complying with the requirements
- Review and negotiate contracts with service providers to include appropriate provisions related to privacy and data security, and monitor their compliance with such provisions.
Incident Response and Breach Notification
- Develop and implement an incident response plan to detect, contain, and remediate potential security incidents involving NPI.
- Provide guidance on breach notification requirements and other applicable laws, and assist in coordinating breach notifications to affected customers and regulatory authorities as necessary.
Ongoing Compliance Monitoring and Support
- Conduct periodic reviews and audits of Client’s information security program, privacy notices, and policies to ensure ongoing compliance with regulatory requirements.
- Provide ongoing support and guidance on regulatory compliance issues, including updates on regulatory developments, best practices, and industry trends.
Reporting and Documentation
- Provide regular reports to the Client detailing the status of the Managed Compliance Services, including the progress of risk mitigation activities, employee training completion rates, and vendor compliance assessments.
- Maintain up-to-date documentation of the Client’s WISP, risk management plan, privacy notices, and policies, ensuring that they remain current and accurate in light of changes to the Client’s business or regulatory environment.
ADDITIONAL CLIENT OBLIGATIONS
In addition to the obligations in the Master Services Agreement and other terms and conditions, Client has the following obligations.
Project Coordination
Provider will coordinate with the appropriate contractors and Client representative to ensure the below are completed appropriately.
Ultimate Responsibility for Compliance
Client acknowledges and agrees that, while Provider will use its best efforts to assist Client in complying with the technical requirements of applicable regulatory rules, Client remains ultimately responsible for its own compliance with all applicable laws, regulations, and industry standards.
Client shall cooperate with Provider in good faith to implement, maintain, and monitor the necessary safeguards, policies, and procedures to ensure compliance with other relevant regulations.
Access to Information and Facilities
Client shall provide Provider and its authorized personnel with timely and reasonable access to Client’s facilities, systems, equipment, and network necessary for the Provider to perform the Services in accordance with the terms and conditions of this Attachment.
Client shall ensure that Provider’s access to Client’s facilities and systems complies with the Client’s internal security policies and procedures, as well as any applicable laws and regulations.
Cooperation and Assistance
Client shall cooperate fully with Provider in the performance of the Services, including providing any necessary information, documentation, or assistance reasonably requested by Provider.
Client shall designate a representative or representatives to serve as the primary point(s) of contact with Provider for all matters relating to the Services. Client’s representative(s) shall have the authority to make decisions and provide any necessary approvals on behalf of Client.
Compliance with Laws and Regulations
Client shall comply with all applicable laws, regulations, and industry standards relating to the protection and privacy of (NPI).
Client shall obtain and maintain any necessary permits, licenses, or approvals required for Provider to perform the Services.
Proper Use and Care of Systems and Equipment
Client shall use and operate systems and equipment related to the protection and privacy of NPI in accordance with applicable guidelines, recommendations, and instructions provided by Provider.
Client shall take all reasonable precautions to prevent damage, misuse, or unauthorized access to the systems and equipment.
Notification of Issues or Concerns
Client shall promptly notify Provider of any issues, concerns, or problems relating to the Services, including any non-conforming services, security incidents, or system malfunctions.
Data Backup and Security
Client is responsible for regularly backing up and securing its data and content stored on or transmitted through systems related to the protection and privacy of NPI. Client shall implement appropriate data protection measures, including encryption, access controls, and firewalls, to safeguard its data from unauthorized access, loss, or corruption.
Indemnification
In addition to the indemnification obligations in the Master Services Agreement, Client shall indemnify and hold Provider harmless for any and all defenses, claims, fines, or damages arising out of or related to a regulatory investigation of Client.
Insurance
In addition to the insurance provision in the Master Services Agreement, Client shall also maintain regulatory, privacy, and security insurance coverage.
EXCLUSIONS
Provider is not responsible for failures to provide Services that are caused by the existence of any of the following conditions:
- Compliance with laws, regulations, or standards other than those identified in the relevant Order.
- Any consequences, liabilities, or damages arising from Client’s failure to comply with its obligations under this Agreement or applicable laws and regulations.
- Any consequences, liabilities, or damages resulting from Client’s misuse, unauthorized access, or modification of systems, equipment, or data provided or managed by Provider.
- Loss or corruption of Client’s data or content, including any costs or expenses associated with data recovery or restoration, unless such loss or corruption is directly attributable to Provider’s negligence or willful misconduct.
- Any fines, penalties, or regulatory actions imposed on Client by governmental or regulatory authorities, unless such fines, penalties, or regulatory actions result directly from Provider’s failure to perform the Services in accordance with this Attachment and applicable laws and regulations.
- Any consequences, liabilities, or damages resulting from Client’s failure to implement or maintain appropriate data backup, disaster recovery, or business continuity measures.
- Any consequences, liabilities, or damages resulting from the actions or inactions of third-party service providers or vendors engaged by Client, unless such actions or inactions are directly attributable to Provider’s negligence or willful misconduct.
- Any consequences, liabilities, or damages arising from Client’s failure to inform the Provider of changes to its business operations, systems, or processes that could affect the Services or Client’s compliance with the relevant regulations.
- Provider is not responsible for any downtime, service interruptions, or performance issues resulting from factors beyond its reasonable control, including but not limited to natural disasters, power outages, network issues, or other unforeseen events.
DISCLAIMER OF WARRANTY
Provider does not warrant that the services will meet the requirements of financial or regulatory auditors, and Provider will not issue a certification of compliance.
TERM AND TERMINATION
Term
This Service Attachment is effective as of the Effective Date of the Order referencing the Services herein. Unless properly terminated by either party, this Attachment will remain in effect through the end of the term specified on the Order (the “Initial Term”).
Renewal
“RENEWAL” MEANS THE EXTENSION OF ANY INITIAL TERM SPECIFIED ON AN ORDER FOR AN ADDITIONAL TWELVE (12) MONTH PERIOD FOLLOWING THE EXPIRATION OF THE INITIAL TERM, OR IN THE CASE OF A SUBSEQUENT RENEWAL, A RENEWAL TERM. THIS SERVICE ATTACHMENT WILL RENEW AUTOMATICALLY UPON THE EXPIRATION OF THE INITIAL TERM OR A RENEWAL TERM UNLESS ONE PARTY PROVIDES WRITTEN NOTICE TO THE OTHER PARTY OF ITS INTENT TO TERMINATE AT LEAST SIXTY (60) DAYS PRIOR TO THE EXPIRATION OF THE INITIAL TERM OR OF THE THEN-CURRENT RENEWAL TERM. ALL RENEWALS WILL BE SUBJECT TO PROVIDER’S THEN-CURRENT TERMS AND CONDITIONS.
Month-to-Month Services
If the Order specifies no Initial Term with respect to any or all Services, then we will deliver those Services on a month-to-month basis. We will continue to do so until one party provides written notice to the other party of its intent to terminate those Services, in which case we will cease delivering those Services at the end of the next calendar month following receipt such written notice is received by the other party.
Early Termination by Client With Cause
Client may terminate this Service Attachment for cause following sixty (60) days’ advance, written notice delivered to Provider upon the occurrence of any of the following:
- Provider fails to fulfill in any material respect its obligations under the Service Attachment and fails to cure such failure within thirty (30) days following Provider’s receipt of Client’s written notice.
- Provider terminates or suspends its business operations (unless succeeded by a permitted assignee under the Agreement).
Early Termination by Client Without Cause
If Client has satisfied all of its obligations under this Service Attachment, then no sooner than ninety (90) days following the Service Start Date, Client may terminate this Service Attachment without cause during the Initial or a Renewal Term (the “Term”) upon sixty (60) days’ advance, written notice, provided that Client pays Provider a termination fee equal to all discounts and concessions provided, plus fifty percent (50%) of the recurring, Monthly Service Fees remaining to be paid from the effective termination date through the end of the Term, based on the prices then in effect.
Termination by Provider
Provider may elect to terminate this Service Attachment upon thirty (30) days’ advance, written notice, with or without cause. Provider has the right to terminate this Service Attachment immediately for illegal or abusive Client conduct. Provider may suspend the Services upon ten (10) days’ notice if Client violates a third-party’s end user license agreement regarding provided software. Provider may suspend the Services upon fifteen (15) days’ notice if Client’s action or inaction hinder Provider from providing the contracted Services.
Effect of Termination
As long as Client is current with payment of: (i) the Fees under this Attachment, (ii) the Fees under any Order for Off-Boarding, and/or (iii) the Termination Fee prior to transitioning the Services away from Provider’s control, then if either party terminates this Service Attachment, Provider will assist Client in the orderly termination of services, including timely transfer of the Services to another designated provider. Client shall pay Provider at our then-prevailing rates for any such assistance. Termination of this Service Attachment for any reason by either party immediately nullifies all access to our services. Provider will immediately uninstall any affected software from Client’s devices, and Client hereby consent to such uninstall procedures.
Upon request by Client, Provider may provide Client a copy of Client Data in exchange for a data-copy fee invoiced at Provider’s then-prevailing rates, not including the cost of any media used to store the data. After thirty (30) days following termination of this Agreement by either party for any reason, Provider shall have no obligation to maintain or provide any Client Data and shall thereafter, unless legally prohibited, delete all Client Data on its systems or otherwise in its possession or under its control.
Provider may audit Client regarding any third-party services. Provider may increase any Fees for Off-boarding that are passed to the Provider for those third-party services Client used or purchased while using the Service.
Client agrees that upon Termination or Off-Boarding, Client shall pay all remaining third-party service fees and any additional third-party termination fees.
Effective June 26, 2026. This Service Attachment for Co-managed Services supersedes and replaces all prior versions.
Service Attachment for Co-managed Services
This Service Attachment is between Provider (sometimes referred to as “we,” “us,” or “our”), and the Client found on the applicable Order (sometimes referred to as “you,” or “your”) and, together with the Order, Master Services Agreement, Schedule of Services, and other relevant Service Attachments, forms the Agreement between the parties the terms to which the parties agree to be bound.
The parties further agree to the following responsibility matrix:
Provider will deliver only the Services itemized in the Services section of the Order. Here’s an outline for the co-managed portions of an IT managed services contract, focusing on cooperation and coordination, change management, and the separate schedule for roles and responsibilities:
Cooperation and Coordination
- Designated contact persons from both parties
- Information sharing and access to resources
- Establishing processes and procedures for coordinating activities
- Regular meetings and communication
Change Management
- Mutually agreed-upon change management process
- Documentation, approval, and implementation of changes
- Assessing potential impact of proposed changes
- Notification of affected parties
Roles and Responsibilities Schedule for Co-Managed Environments
Network and Systems Management
Provider Responsibilities:
- Monitor network devices and servers for performance, availability, and security.
- Perform regular maintenance, updates, and patches on managed devices and servers.
- Provide remote and on-site support for network and server-related issues.
Client Responsibilities:
- Provide physical access to network devices and servers as needed for Provider to perform its responsibilities.
- Notify Provider of any planned changes or updates to network devices and servers.
- Maintain an up-to-date inventory of all network devices and servers.
Security Management
Provider Responsibilities:
- Conduct periodic vulnerability assessments and provide remediation recommendations.
- Monitor and manage security devices, such as firewalls and intrusion detection systems.
- Ensure antivirus and anti-malware software is up-to-date on all managed devices.
Client Responsibilities:
- Implement security policies and procedures as recommended by Provider.
- Provide Provider with necessary access to security devices and systems for monitoring and management purposes.
- Promptly notify Provider of any security incidents or breaches.
Backup and Disaster Recovery
Provider Responsibilities:
- Develop and maintain a backup and disaster recovery plan in collaboration with Client.
- Manage and monitor backup processes for managed systems and data.
- Periodically test backup and disaster recovery procedures to ensure data integrity and system recoverability.
Client Responsibilities:
- Ensure critical data and systems are identified for backup and disaster recovery purposes.
- Provide necessary access to systems and data for backup processes.
- Participate in testing and validation of backup and disaster recovery procedures.
Strategy and Planning
Provider Responsibilities:
- Provide guidance and recommendations on IT strategy and planning based on industry best practices and Client’s business needs.
- Assist Client in evaluating and selecting new technologies and solutions.
Client Responsibilities:
- Collaborate with Provider on IT strategy and planning initiatives.
- Make final decisions on technology investments and implementations.
- Communicate IT strategy and goals to internal stakeholders.
EXCLUSIONS
Provider is not responsible for failures to provide Services that are caused by the existence of any of the following conditions:
- Expired Manufacturer Warranty or Support – Parts, equipment or software not covered by a current vendor/manufacturer warranty or support.
- Alterations and Modifications not authorized by Provider – Any repairs made necessary by the alteration or modification of equipment other than that authorized by Provider, including alterations, software installations or modifications of equipment made by Client’s employees or anyone other than Provider.
- Hardware or Software Malfunction – Any time there is a defect or malfunction in any hardware or software not caused by Provider that adversely affects Provider’s ability to perform the Services.
- Client Resource Problems – Any time a problem occurs resulting from a Client resource that are not under Provider’s management or control.
- Network Changes – Any changes Client may have made to the networking environment that were not communicated to or approved by Provider.
- Task Reprioritization – Any problems or failures related to a prioritization or reprioritization of tasks by Client.
- Force Majeure – Any problems resulting from a Force Majeure Event as described in the Master Services Agreement.
- Client Actions – Any problem resulting from Client actions or inactions.
- Client Responsibilities – Any problems resulting from Client’s failure to fulfill any responsibilities or obligations under the relevant Agreements.
- Internet Connectivity Loss – Any loss of internet connectivity that occurs at Client locations for any reason.
- Software Maintenance – Any maintenance of applications software packages, whether acquired from Provider or any other source.
Provider is not responsible for failures to provide Services that occur during any period of time in which any of the following conditions exist:
- Problem Ticket Management – The time interval between the initial occurrence of a desktop malfunction or other issue affecting functionality and the time Client reports the desktop malfunction or issue to Provider.
- Power Supply Malfunction – Instances where an uninterruptable power supply (UPS) device malfunctions and renders Provider unable to connect to the network or troubleshoot the device in question.
The following list of items are excluded from the scope of included Services, and may incur additional charges or require a separate billable project:
- Scheduled Maintenance – Any part of the Service outside designated or scheduled maintenance windows or other agreed-upon periods of time that are necessary for repairs or maintenance.
- Agreed Temporary Exclusions – Any temporary exclusion that Provider we may request, subject to Client’s approval, to implement changes in applications, environments, conversions or system software.
- Software Maintenance – Unusual work that results from a failed software patch or update that results in an interruption in Client’s business, with the exception of Microsoft Windows updates and patches.
- Programming Modifications – Any programming (modification of software code) and program (software) maintenance occurs.
- Training – Any training service of any kind.
- Software and Web Development – Any Services requiring software and web development work.
- Remote Computers -– Unless otherwise specified in an Order, home or remote computers that are not covered under the Agreement.
- Replacement Software – Implementation of new or replacement software.
- Relocation / Satellite Office – Office relocation/satellite office setup.
- Equipment Refresh – Any non-workstation equipment refreshes.
The following list of items are costs that are considered separate from the Service pricing:
Costs Outside Scope of the Service – The cost of any parts, equipment, or shipping charges of any kind. The cost of any software, licensing, or software renewal or upgrade fees of any kind. The cost of any third-party vendor or manufacturer support or incident fees of any kind. The cost of additional facilities, equipment, replacement parts, software or service contract.
DATA LOSS AND SECURITY
Data Loss
Provider is not responsible for the restoration of data to server including site content, email, databases and other types of data. If a hardware failure is experienced and subsequent data loss occurs, Client is ultimately responsible for the data and data restoration. Provider shall not be liable for loss of data under any circumstances.
Client shall maintain insurance in a policy amount sufficient to cover any loss of data, software and/or hardware. In addition, Client acknowledges that it may, at its own option and expense, develop a system that uses mirrored off site servers, offsite backup solutions and/or other means to minimize risk, reduce the loss of revenue and insure continuous hosting of data in the event of a major loss. Provider recommends this approach for all critical web applications including those that generate significant revenue.
Server Audits
Provider does not take responsibility for the overall security of servers. If servers are compromised in any way, Provider reserves the right to immediately audit the server. Security is the responsibility of the Client regardless of the service plan. Provider reserves the right to cancel service if servers are compromised via the implementation of weak password schemes, elderly backend application content and scripting, or for any other reason as deemed necessary by Provider. An hourly labor fee will be incurred with respect to any security related work performed due to any such server being compromised by negligence on the part of the Client.
ACCEPTABLE USE AND SERVICE PARAMETERS
Acceptable Use Policy
Client shall comply with all policies for acceptable use of the Services.
Client Liability
Client is responsible for damages resulting from its violation of this Service Attachment, which damages will be subject to the obligations of indemnification set forth in the MSA. Provider’s hosting of any software solution Services or Client Data does not relieve Client of its responsibility or its obligation to indemnify Provider pursuant to the terms of the MSA.
IP Address Ownership
If Provider assigns Client an Internet Protocol address for Client’s use, the right to use that Internet Protocol address shall belong only to Provider and Client shall have no right to use that Internet Protocol address except as permitted by Provider in its sole discretion in connection with the Services, during the term of this Agreement. Provider shall maintain and control ownership of all Internet Protocol numbers and addresses that may be assigned to Client by Provider, and Provider reserves the right to change or remove any and all such Internet Protocol numbers and addresses, in its sole and absolute discretion. Provider may periodically review IP address usage, and if Provider finds that clients are using IP addresses where name-based hosting could be used, Provider will revoke authorization to use those IP addresses that could be used with name-based hosting.
Domain Names
Client is responsible for its own domain names unless Provider is contracted to provide such services under separate agreements, including, but not limited to, domain name registration information, renewals, payments, conflicts and zone files. Client must have valid and current information on file with Client’s domain name registrar for any domain hosted on the Provider Network. “Provider Network” is defined as the equipment, software, and facilities within the Provider critical network segments, including Provider’s contracted connectivity services to which the Provider hosting environments are connected and are collectively utilized by Provider to provide dedicated and co-location services.
TERM AND TERMINATION
Term
This Service Attachment is effective on the date specified on the Order. Unless properly terminated by either party, this Attachment will remain in effect through the end of the term specified on the Order (the “Initial Term”).
Renewal
“RENEWAL” MEANS THE EXTENSION OF ANY INITIAL TERM SPECIFIED ON AN ORDER FOR AN ADDITIONAL TWELVE (12) MONTH PERIOD FOLLOWING THE EXPIRATION OF THE INITIAL TERM, OR IN THE CASE OF A SUBSEQUENT RENEWAL, A RENEWAL TERM. THIS SERVICE ATTACHMENT WILL RENEW AUTOMATICALLY UPON THE EXPIRATION OF THE INITIAL TERM OR A RENEWAL TERM UNLESS ONE PARTY PROVIDES WRITTEN NOTICE TO THE OTHER PARTY OF ITS INTENT TO TERMINATE AT LEAST SIXTY (60) DAYS PRIOR TO THE EXPIRATION OF THE INITIAL TERM OR OF THE THEN-CURRENT RENEWAL TERM. ALL RENEWALS WILL BE SUBJECT TO PROVIDER’S THEN-CURRENT TERMS AND CONDITIONS.
Month-to-Month Services
If the Order specifies no Initial Term with respect to any or all Services, then we will deliver those Services on a month-to-month basis. We will continue to do so until one party provides written notice to the other party of its intent to terminate those Services, in which case we will cease delivering those Services at the end of the next calendar month following receipt such written notice is received by the other party.
Early Termination by Client With Cause
Client may terminate this Service Attachment for cause following sixty (60) days’ advance, written notice delivered to Provider upon the occurrence of any of the following:
- Provider fails to fulfill in any material respect its obligations under the Service Attachment and fails to cure such failure within thirty (30) days following Provider’s receipt of Client’s written notice.
- Provider terminates or suspends its business operations (unless succeeded by a permitted assignee under the Agreement).
Early Termination by Client Without Cause
If Client has satisfied all of its obligations under this Service Attachment, then no sooner than ninety (90) days following the Service Start Date, Client may terminate this Service Attachment without cause during the Initial or a Renewal Term (the “Term”) upon sixty (60) days’ advance, written notice, provided that Client pays Provider a termination fee equal to all discounts and concessions provided, plus fifty percent (50%) of the recurring, Monthly Service Fees remaining to be paid from the effective termination date through the end of the Term, based on the prices then in effect.
Termination by Provider
Provider may elect to terminate this Service Attachment upon thirty (30) days’ advance, written notice, with or without cause. Provider has the right to terminate this Service Attachment immediately for illegal or abusive Client conduct. Provider may suspend the Services upon ten (10) days’ notice if Client violates a third-party’s end user license agreement regarding provided software. Provider may suspend the Services upon fifteen (15) days’ notice if Client’s action or inaction hinder Provider from providing the contracted Services.
Effect of Termination
As long as Client is current with payment of: (i) the Fees under this Attachment, (ii) the Fees under any Order for Off-Boarding, and/or (iii) the Termination Fee prior to transitioning the Services away from Provider’s control, then if either party terminates this Service Attachment, Provider will assist Client in the orderly termination of services, including timely transfer of the Services to another designated provider. Client shall pay Provider at our then-prevailing rates for any such assistance. Termination of this Service Attachment for any reason by either party immediately nullifies all access to our services. Provider will immediately uninstall any affected software from Client’s devices, and Client hereby consent to such uninstall procedures.
Upon request by Client, Provider may provide Client a copy of Client Data in exchange for a data-copy fee invoiced at Provider’s then-prevailing rates, not including the cost of any media used to store the data. After thirty (30) days following termination of this Agreement by either party for any reason, Provider shall have no obligation to maintain or provide any Client Data and shall thereafter, unless legally prohibited, delete all Client Data on its systems or otherwise in its possession or under its control.
Provider may audit Client regarding any third-party services. Provider may increase any Fees for Off-boarding that are passed to the Provider for those third-party services Client used or purchased while using the Service.
Client agrees that upon Termination or Off-Boarding, Client shall pay all remaining third-party service fees and any additional third-party termination fees.
Effective June 26, 2026. This Service Attachment for Artificial Intelligence Services supersedes and replaces all prior versions.
Service Attachment for Artificial Intelligence Services
This Service Attachment is between Provider (sometimes referred to as “we,” “us,” or “our”), and Client found on the applicable Order (sometimes referred to as “you,” or “your,”) and, together with the Order, Master Services Agreement, Schedule of Services, and other relevant Service Attachments, forms the Agreement between the parties the terms to which the parties agree to be bound.
Provider will deliver only the Services itemized in the Services section of the Order. The following is a list of available Services. Additional Services may be added only by entering into a new Order including those Services.
The parties further agree as follows:
Definitions
For the purposes of this Service Attachment, the following terms shall have the meanings specified below:
“AI Services” refers to the artificial intelligence-based services provided by the Provider under this Agreement, including but not limited to AI-driven analytics, process automation, Client interaction services, and AI application development.
“AI-Generated Outputs” means any data, content, analyses, or other materials generated by the AI Services as a result of processing Client’s data or through interactions with Client’s systems.
“AI Models” refers to the computational models developed or used by the Provider that simulate human intelligence processes, including machine learning models, neural networks, and algorithms.
“Client Data” means any data, information, or material provided by Client to the Provider for the purpose of receiving the AI Services, including but not limited to operational data, Client information, and business intelligence.
“Data Sources” refers to the origins of data used by the AI Services, which may include Client Data, publicly available data, and data from third-party providers.
“Implementation Support” encompasses the services provided by the Provider to assist Client in integrating and deploying the AI Services within Client’s operational environment, including vendor and technology selection, proof of concept development, and implementation oversight.
“Innovation Workshops” are collaborative sessions conducted by the Provider with Client’s teams to explore potential AI use cases, innovative applications, and strategic planning for AI deployment.
“Machine Learning” is a subset of AI that involves the development of algorithms allowing computers to learn and make decisions based on data, without being explicitly programmed for each specific task.
“Strategic AI Consulting” involves advisory services provided by the Provider aimed at evaluating Client’s readiness for AI integration, developing AI strategies aligned with business objectives, and facilitating innovation workshops.
“Technical Support” refers to the support services provided by the Provider to address technical issues, troubleshoot problems, and ensure the continuous operation of the AI Services, as specified in the Agreement.
“Third-Party Components” means software, data, or services not developed or owned by the Provider but used in the delivery of the AI Services, including open source software and third-party APIs.
Services
Provider shall provide the following AI Technology Consulting Services to Client under the terms of this Agreement:
Strategic AI Consulting
AI Readiness Assessment: Provider shall evaluate Client’s existing technological infrastructure, data readiness, and organizational culture to assess Client’s readiness for AI integration, documenting findings in a readiness report.
AI Strategy Development: Provider shall assist Client in developing a strategic plan for AI deployment that is aligned with Client’s business objectives. This plan will identify key areas where AI can add substantial value to Client’s operations.
Innovation Workshops: Provider will conduct sessions with Client’s teams to facilitate the identification of potential AI use cases and innovative applications that are particularly relevant to Client’s industry and specific business challenges.
AI Solution Design and Planning
Use Case Identification and Prioritization: Provider shall collaborate with Client to identify, assess, and prioritize AI use cases based on their potential business impact and technical feasibility.
Solution Architecture Design: Provider is responsible for designing the architecture of AI solutions, including the selection of suitable AI models and technologies, establishing data pipelines, and ensuring seamless integration with existing systems of Client.
Roadmap Development: Provider shall develop a phased implementation roadmap, detailing key milestones, resource requirements, and timelines for the effective deployment of AI solutions.
Implementation Support
Vendor and Technology Selection: Provider shall advise Client on selecting the most appropriate AI technologies and vendors, taking into account Client’s specific use cases, budget, and existing infrastructure.
Proof of Concept (PoC) Development: Provider shall assist in the development and execution of PoCs to validate the feasibility and potential impact of the proposed AI solutions before proceeding to full-scale implementation.
Implementation Oversight: Provider shall provide oversight and expert guidance during the implementation of AI projects to ensure they are aligned with the strategic vision and adhere to technical standards.
Training and Change Management
AI Literacy Training: Provider shall offer training sessions aimed at enhancing the AI literacy of Client’s workforce, covering fundamental AI concepts, tools, and best practices.
Change Management Support: Provider shall assist with change management efforts to facilitate the smooth adoption of AI technologies, addressing any cultural shifts, skill gaps, and necessary workflow adjustments.
Data Governance and Ethics
Data Strategy Consulting: Provider shall advise on the creation of a comprehensive data strategy that ensures the integrity, accessibility, and security of data utilized in AI solutions.
AI Ethics and Compliance: Provider shall provide guidance on ethical AI usage, including measures for bias mitigation, ensuring transparency, and adherence to relevant regulations and standards.
Performance Measurement and Optimization
KPIs and Metrics Definition: Provider shall assist Client in defining key performance indicators (KPIs) and metrics to evaluate the effectiveness and impact of AI initiatives.
Continuous Improvement: Provider commits to providing ongoing support to optimize AI solution performance based on analytics, identifying areas for enhancement.
Future Trends and Innovation
Emerging Technologies Advisory: Provider shall keep Client informed about emerging AI technologies and trends that may affect their business or provide new opportunities for innovation.
Innovation Roadmapping: Provider shall assist Client in periodically updating their AI strategy and roadmap to include new technologies and approaches.
AI-Driven Client Interaction Services
Provider will develop and deploy custom AI chatbots and voice assistants, integrate AI-driven Client interaction tools, and provide ongoing training and support. These services are designed to enhance Client service, personalize Client experiences, and optimize Client journey.
Process Automation Services
Provider shall offer process mapping, custom automation solutions, and integration services to automate repetitive tasks and streamline operations. This includes document processing automation, email automation, and support for continuous process improvement.
AI Application Development
Provider will design custom AI applications, integrating AI workflows into Client’s operations, and provide an app builder tool for customization. Ongoing support, updates, and training will ensure the applications meet Client’s evolving needs.
Acceptance Testing – Upon completion of the deployment phase of any AI Service or upon the delivery of any custom AI development, the Provider shall notify Client that the service or development is ready for Acceptance Testing.
Testing Period – Client shall have a period of 15 business days from the date of such notification to conduct Acceptance Testing. Provider shall provide reasonable support to Client during this period, including access to necessary documentation, tools, and technical assistance.
Scope – Acceptance Testing shall cover all functional, performance, and integration aspects of the AI Services as detailed in the service specifications of this Agreement. Client shall use reasonable and industry-standard testing methods appropriate for the services being tested.
Acceptance Criteria – The AI Services will be deemed to have passed Acceptance Testing and thus be accepted by Client if:
- The services perform in accordance with the functional specifications and performance standards set forth in the Order.
- No critical defects are identified that would significantly impact Client’s ability to use the services for their intended purpose.
- Minor defects or non-critical issues identified during Acceptance Testing shall be documented and scheduled for correction by the Provider, but will not preclude acceptance of the AI Services.
Testing Failure – If Client determines that the AI Services have not passed Acceptance Testing, Client shall notify the Provider in writing within ten (10) days of completion of the Testing Period, detailing the deficiencies or defects found.
Upon receipt of such notification, the Provider shall have 30 business days to correct the identified deficiencies and resubmit the services for Acceptance Testing.
Rejection – If after three attempts, the AI Services still fail to meet the Acceptance Criteria, Client may either:
- Reject the AI Services and terminate this Agreement with respect to the failed services without penalty, or
- Agree to accept the AI Services with deficiencies, possibly subject to a negotiated reduction in fees or other remedial measures.
Acceptance – Upon acceptance of the AI Services, whether initially or after correction of deficiencies, Client shall provide the Provider with a written statement that the AI Services are accepted. Acceptance of the AI Services shall not waive any of Client’s rights under the warranty provisions of this Agreement or limit Provider’s obligations to address any subsequently discovered defects.
PROVIDER OBLIGATIONS
Compliance and Standards
Provider shall ensure that all services are performed in compliance with applicable laws, regulations, and industry standards, particularly those relating to data protection, privacy, and AI ethics. Provider agrees to maintain all necessary licenses, certifications, and authorizations required to perform the services.
Data Protection and Security
Provider will implement and maintain robust security measures to protect Client’s data against unauthorized access, disclosure, alteration, or destruction. Provider will notify Client promptly of any data breaches or security incidents that impact Client’s data.
Customization and Integration
Provider shall work with Client to customize and integrate AI-driven services into Client’s existing systems and workflows as necessary to meet Client’s business needs. Provider will reasonably assist Client with required system modifications or integrations related to the service delivery. There may be an additional charge for these services.
Performance Monitoring and Reporting
Provider will monitor the performance of the AI-driven services and provide Client with periodic reports detailing usage, performance metrics, and insights into potential improvements.
Issue Resolution and Escalation
Provider shall establish an issue resolution and escalation process to promptly address any service-related issues or concerns raised by Client.
Innovation and Advice
Provider will advise Client on emerging AI technologies and innovations that could enhance Client’s business operations or offer new opportunities for growth and efficiency.
CLIENT OBLIGATIONS
Client agrees to the following obligations:
Provision of Information
Client shall provide all necessary information regarding its current systems, software, and hardware that the Provider deems necessary for the provision of AI services. Client agrees to promptly disclose any changes in operational processes, technology infrastructure, or business objectives that might impact the services provided by the Provider.
Access and Assistance
Client shall grant the Provider and its authorized personnel access to its facilities, systems, and information as required for the purpose of delivering the services. Client agrees to offer reasonable assistance, including the availability of Client’s personnel, for consultations, meetings, and implementation activities related to the services.
Data Provision and Quality
Client is responsible for providing data necessary for the AI services. The data must meet the quality standards specified by the Provider, including accuracy, completeness, and relevancy. Client shall ensure that it has the right to use and provide such data to the Provider for the purpose of delivering the services, adhering to applicable data protection and privacy laws.
Compliance with Laws
Client is responsible for ensuring that its use of the AI services complies with all applicable laws, regulations, and industry standards. This includes data protection and privacy laws, intellectual property rights laws, and any specific regulations governing Client’s industry.
Security and Confidentiality
Client shall implement reasonable security measures to protect access to its systems and the data used in conjunction with the AI services. Client agrees to maintain the confidentiality of any proprietary information or tools provided by the Provider as part of the services.
Cooperation and Coordination
Client will cooperate with the Provider in good faith and coordinate internally to facilitate the effective delivery and implementation of the AI services. This includes timely feedback and decision-making to support project timelines.
Ethical Use of AI
Client agrees to use the AI services and any related technologies ethically, in a manner that respects privacy rights, avoids discrimination, and complies with ethical guidelines provided by the Provider.
Notification of Issues
Client shall promptly notify the Provider of any issues, concerns, or malfunctions related to the AI services. Client agrees to provide detailed information about such issues to aid in their resolution.
INTELLECTUAL PROPERTY
Ownership of Pre-Existing Intellectual Property
Each party retains all right, title, and interest in and to its pre-existing intellectual property, including without limitation any software, data, or material owned by either party prior to the execution of this Agreement.
Client grants the Provider a non-exclusive, worldwide, royalty-free license to use Client’s pre-existing intellectual property solely for the purpose of performing the services under this Agreement.
AI-Generated Outputs
Client shall own the intellectual property rights in any data, content, or materials generated by AI services specifically for Client’s use under this Agreement, subject to any third-party rights in the underlying data or algorithms.
Use of Outputs: Client is responsible for ensuring that the use of AI-generated outputs complies with applicable laws, including copyright, patent, and trademark laws, and does not infringe upon the intellectual property rights of third parties.
Custom Developments
Any developments, including custom AI models, algorithms, or applications, specifically created by Provider for Client under this Agreement, shall be owned by Client, provided that Client pays all fees associated with such development as agreed upon. Provider shall retain the right to use general knowledge, skills, and experience, including non-Client-specific developments, gained during the performance of this Agreement.
Third-Party Materials and Open-Source Software
Provider may use third-party materials, including open-source software, in the development or delivery of AI services. Provider shall ensure that such use complies with the respective licenses and does not impose any unagreed obligations on Client. Provider shall inform Client of the use of any third-party materials that require attribution or impose restrictions on the use of AI-generated outputs.
Licenses to Provider
Client grants the Provider a non-exclusive, worldwide, royalty-free license to use, reproduce, modify, display, and distribute any Client data and AI-generated outputs as necessary to perform the services under this Agreement and to improve Provider’s AI technologies and services, subject to the confidentiality obligations of this Agreement.
Intellectual Property Indemnification
In addition to the indemnification obligations in the MSA, the parties agree as follows:
Client agrees to indemnify the Provider against any claims, damages, losses, and expenses arising from Client’s use of AI-generated outputs in violation of third-party intellectual property rights.
Data Rights and Ownership
For purposes of this Service Attachment, “AI Data” shall include all data, information, and material provided by Client to Provider for the purpose of receiving AI Services (“Client AI Data”), as well as all data, content, and materials generated by the AI Services as a result of processing Client AI Data or through interactions with Client’s systems (“AI-Generated Data”).
Data Usage Rights
Client grants to Provider the right to use aggregated and anonymized data derived from Client AI Data and AI-Generated Data for analytics, benchmarking, and to improve Provider’s services, provided such use does not reveal the identity of Client, any of its employees, clients, or Clients.
EXCLUSIONS
Provider is not responsible for failures to provide Services that are caused by the existence of any of the following conditions:
- Third-Party Services and Products – Provider is not responsible for issues resulting from third-party services or products not directly supplied or controlled by Provider.
- Client’s Failure to Follow Recommendations – Failures or performance issues resulting from Client’s disregard for Provider’s recommendations or instructions.
- Unauthorized Modifications – Problems stemming from unauthorized alterations to the service or system by Client or third parties.
- Force Majeure – Delays or failures in performance caused by events beyond its reasonable control, including natural disasters, government actions, or terrorism.
- Pre-existing Conditions -Issues pre-dating the Agreement or unrelated to the provided services are excluded from Provider’s responsibilities.
- Compliance with Laws – Ensuring compliance with all applicable laws and regulations remains Client’s obligation, excluding the Provider from related liabilities.
- Unauthorized Access or Security Breaches – Unauthorized access or breaches.
- Bias and Fairness – Outcomes influenced by biases inherent in AI models or data are excluded from Provider’s liabilities.
- AI Hallucinations – Inaccuracies or fabrications (“hallucinations”) produced by AI models.
- Model Interpretability – Lack of detailed explanations for AI model decisions due to the “black box” nature of some AI technologies.
- Unpredictable AI Behavior – Unforeseen or unpredictable AI system behaviors that result in unintended outcomes.
- Data-Driven Limitations – Limitations arising from inadequate or poor-quality data supplied by Client or inherent in used datasets.
- Ethical Use and Compliance – Client is solely responsible for ensuring the ethical use and legal compliance of AI-driven outputs.
- Continuous Learning Changes – Changes in AI behavior due to continuous learning processes, not directly managed by the Provider.
- Intellectual Property Claims from AI Outputs – Claims of intellectual property infringement arising from AI-generated content or outputs.
- Disruption of Data Sources – Any interruption or cessation of access to essential data sources or third-party services required for the operation of AI services due to reasons outside of Provider’s control, including but not limited to, discontinuation of services, changes in terms of service, or access restrictions imposed by data providers.
- AI Model Failure – Any sudden failure, degradation, or unpredicted behavior of AI models that significantly impacts service delivery, where such issues cannot be promptly resolved through reasonable efforts due to the complex and “black box” nature of certain AI technologies.
- Regulatory or Legal Changes – Any changes in laws, regulations, or government policies that directly prohibit, restrict, or impose additional burdens on the deployment, operation, or use of AI technologies and services contemplated by this Agreement.
- Infrastructure Failures – Failures in critical infrastructure supporting AI services, including cloud computing platforms, data storage systems, and networking services, caused by external factors such as cyberattacks, service provider outages, or natural disasters.
DISCLAIMER OF WARRANTIES
As-Is – Provider furnishes all AI-driven services, including but not limited to AI models, algorithms, software, and any AI-generated content or data, on an “as is” and “as available” basis. Provider expressly disclaims all warranties, whether express, implied, statutory, or otherwise, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising out of the course of dealing or usage of trade.
No Guarantee of Results – Provider makes no warranty that the AI services will meet Client’s requirements or achieve any intended results. Due to the experimental nature of AI technologies, the performance of AI services can be unpredictable, and Client acknowledges that the services are provided without any guarantee of accuracy, completeness, or reliability of AI-generated outputs.
Third-Party Components – Provider disclaims any warranty related to third-party components, data, or materials used in conjunction with the AI services, including any warranty of accuracy, reliability, or effectiveness of such third-party components.
No Warranty of Uninterrupted Use – Provider does not warrant that the provision of AI services will be uninterrupted, timely, secure, or error-free; nor does it make any warranty as to the results that may be obtained from the use of the AI services.
Client Responsibility – Client acknowledges that it assumes full responsibility for the selection of the AI services to achieve its intended results and for the use and results obtained from the AI services. Client further acknowledges that it must regularly review and validate AI-generated outputs for accuracy and appropriateness for the intended use.
TERM AND TERMINATION
Term
This Service Attachment is effective on the date specified on the Order (the “Service Start Date”). Unless properly terminated by either party, this Attachment will remain in effect through the end of the term specified on the Order (the “Initial Term”).
Renewal
“RENEWAL” MEANS THE EXTENSION OF ANY INITIAL TERM SPECIFIED ON AN ORDER FOR AN ADDITIONAL TWELVE (12) MONTH PERIOD FOLLOWING THE EXPIRATION OF THE INITIAL TERM, OR IN THE CASE OF A SUBSEQUENT RENEWAL, A RENEWAL TERM. THIS SERVICE ATTACHMENT WILL RENEW AUTOMATICALLY UPON THE EXPIRATION OF THE INITIAL TERM OR A RENEWAL TERM UNLESS ONE PARTY PROVIDES WRITTEN NOTICE TO THE OTHER PARTY OF ITS INTENT TO TERMINATE AT LEAST SIXTY (60) DAYS PRIOR TO THE EXPIRATION OF THE INITIAL TERM OR OF THE THEN-CURRENT RENEWAL TERM. ALL RENEWALS WILL BE SUBJECT TO PROVIDER’S THEN-CURRENT TERMS AND CONDITIONS.
Month-to-Month Services
If the Order specifies no Initial Term with respect to any or all Services, then we will deliver those Services on a month-to-month basis. We will continue to do so until one party provides written notice to the other party of its intent to terminate those Services, in which case we will cease delivering those Services at the end of the next calendar month following receipt such written notice is received by the other party.
Early Termination by Client With Cause
Client may terminate this Service Attachment for cause following sixty (60) days’ advance, written notice delivered to Provider upon the occurrence of any of the following:
- Provider fails to fulfill in any material respect its obligations under the Service Attachment and fails to cure such failure within thirty (30) days following Provider’s receipt of Client’s written notice.
- Provider terminates or suspends its business operations (unless succeeded by a permitted assignee under the Agreement).
Early Termination by Client Without Cause
If Client has satisfied all of its obligations under this Service Attachment, then no sooner than ninety (90) days following the Service Start Date, Client may terminate this Service Attachment without cause during the Initial or a Renewal Term (the “Term”) upon sixty (60) days’ advance, written notice, provided that Client pays Provider a termination fee equal to fifty percent (50%) of the recurring, Monthly Service Fees remaining to be paid from the effective termination date through the end of the Term, based on the prices then in effect.
Termination by Provider
Provider may elect to terminate this Service Attachment upon thirty (30) days’ advance, written notice, with or without cause. Provider has the right to terminate this Service Attachment immediately for illegal or abusive Client conduct. Provider may suspend the Services upon ten (10) days’ notice if Client violates a third-party’s end user license agreement regarding provided software. Provider may suspend the Services upon fifteen (15) days’ notice if Client’s action or inaction hinder Provider from providing the contracted Services.
Effect of Termination
As long as Client is current with payment of: (i) the Fees under this Attachment, (ii) the Fees under any Project Services Attachment or Statement of Work for Off-Boarding, and/or (iii) the Termination Fee prior to transitioning the Services away from Provider’s control, then if either party terminates this Service Attachment, Provider will assist Client in the orderly termination of services, including timely transfer of the Services to another designated provider. Client shall pay Provider at our then-prevailing rates for any such assistance. Termination of this Service Attachment for any reason by either party immediately nullifies all access to our services. Provider will immediately uninstall any affected software from Client’s devices, and Client hereby consent to such uninstall procedures.
Upon request by Client, Provider may provide Client a copy of Client Data in exchange for a data-copy fee invoiced at Provider’s then-prevailing rates, not including the cost of any media used to store the data. After thirty (30) days following termination of this Agreement by either party for any reason, Provider shall have no obligation to maintain or provide any Client Data and shall thereafter, unless legally prohibited, delete all Client Data on its systems or otherwise in its possession or under its control.
Provider may audit Client regarding any third-party services. Provider may increase any Fees for Off-boarding that are passed to the Provider for those third-party services Client used or purchased while using the Service.
Client agrees that upon Termination or Off-Boarding, Client shall pay all remaining third-party service fees and any additional third-party termination fees.
Effective June 26, 2026. These Service Descriptions supersede and replace all prior versions.
Schedule of Services
MANAGED SERVICES
The Services to be performed for Client by Provider are set forth in the Order. Additional Services may be added only by entering into a new Order including those Services.
Server Monitoring and Management – Provider will perform server monitoring and management including, alert monitoring and management of servers, periodic reporting and performance tuning, and prioritization of alerts to identify high-priority incidents. Provider will also perform remote remediation services as needed, and backup software monitoring and management. The Service Fee does not include major hardware / software upgrades or replacements or new server installations.
Enpoint Monitoring and Management – Provider will perform endpoint monitoring and management including, alert monitoring & management of desktops, prioritization of alerts to identify high-priority incidents, remote remediation services as needed, configuration backups, firmware updates as required by manufacturer, and reporting and performance tuning. The Service Fee does not include hardware replacement or new hardware installations.
Help Desk Services – Provider will provide help desk support via client portal, e-mail, and phone. Provider has the ability to remotely control desktops to support employees. Unless otherwise included in an order, all help desk services will include unlimited remote support as required.
On-site Support – Upon request and subject to the limitations identified in the Order, for Services that are within the scope of this Service Attachment, Provider will also deliver support Services on-site at your location during normal business hours. For on-site support that is not included in the Order, Client will pay Provider’s then-prevailing hourly rate.
Core Security Services – Provider will include in its services monthly Microsoft patch management, antivirus software and management, and remote software installations. Core Security Services also includes new / terminated employee setup and configuration.
Problem Management Services – Provider will undertake problem management as soon as the Provider’s monitoring staff becomes aware of an incident. All incidents, with status or resolution, will be documented by posting updates to the Problem (Incident) Ticket Tracking System assigned to Client (“Problem Tickets”).
MANAGED SECURITY SERVICES
Provider, through its Third-Party Services Providers will make its best effort to ensure the security of Client’s information through third-party security software (“Security Software”). Client designates Provider as its agent to provide the Service to Client, and to enter into any third-party relationship to provide the Service to Client. Use of this Service is subject to the applicable Third-party Service Providers agreements regarding terms of use, which Client and Provider agree has been provided by Provider to Client. Client acknowledges that Third-Party Service Providers and their licensors own all intellectual property rights in and to the Security Software. Client will not engage in or authorize any activity that is inconsistent with such ownership. Client acknowledges and agrees to be bound by any applicable Third-Party Service Provider agreements regarding terms or use or end user licensing terms, and Client understands that any applicable agreement regarding terms of use or end user licensing is subject to change without notice.
Firewall, Anti-malware, and Intrusion Detection – Provider will install and configure firewall traffic policies, apply updated firmware when applicable, and configure changes when needed. With respect to the firewall, Provider will include the following:
- Intrusion Prevention – provides real-time protection against network threats, including spyware, SQL injections, cross-site scripting, and buffer overflows.
- URL Filtering – blocks known malicious sites, and delivers granular content and URL filtering tools to block inappropriate content.
- Gateway Antivirus – continuously updated signatures, identify and block known spyware, viruses, trojans, worms, rogueware and blended threats – including new variants of known viruses.
Security Risk Assessment
- Malware and Vulnerability Review – Using one or more tools to determine the existence of malware or vulnerabilities.
- Personally Identifiable Information (“PII”) – Review practices related to PII, including location, treatment, and risk mitigation.
- Report – Provider’s findings will be included in a Risk Assessment Report.
Network Discovery – generates a visual map of all nodes on your network, making it easy to see where you may be at risk.
Reputation-Based Threat Prevention – Cloud-based web reputation service that aggregates data from multiple feeds to provide real-time protection from malicious sites and botnets, while dramatically improving web processing overhead.
Spam Prevention – Real-time, continuous, and highly reliable protection from spam and phishing attempts.
Application Control – Provides the ability to allow, block, or restrict access to applications based on a user’s department, job function, and time of day.
APT Blocker – detects and stops the most sophisticated attacks including ransomware, zero-day threats, and other advanced malware designed to evade traditional network security defenses.
Data Loss Prevention – works to enforce compliance by scanning text and files to detect sensitive information attempting to exit your network, whether it is transferred via email, web, or FTP.
Threat Detection & Response – Security data collected from the firewall is correlated by enterprise-grade threat intelligence to detect, prioritize and enable immediate action against malware attack.
Intelligent Antivirus – leverages signature-less anti-malware solution that relies on artificial intelligence to automate malware discovery.
DNS Filtering – detects and blocks malicious DNS requests, redirecting users to a safe page with information to reinforce security best practices.
Anti-malware – Provider will provide and install anti-malware software of Provider’s choosing for each Device covered by the Order. While Provider will make reasonable effort to ensure Client Devices and Client’s network are safe from viruses, malware, bugs, hacking, phishing schemes or defective or malicious files, programs or links (“Harmful Content”), of any kind whether now known or hereinafter invented, Provider does not guarantee that Client computers or network cannot be infected by Harmful Content. Where this does happen, Provider will provide commercially reasonable Services to mitigate the Harmful Content. Additional Services will be available upon mutual agreement of the parties.
Remote Access – Provider will install remote access and remote monitoring and management software on Client’s Devices possibly other equipment at Client’s office. Client grants permission to Provider to install any remote access or remote monitoring and management software deemed necessary by Provider.
Client-Side DNS Filtering – Provider will acquire and will assign an appropriate number of licenses to support the deployment of client-side DNS Filtering on all laptop systems. The DNS filtering is designed to detect and block malicious DNS requests, redirecting users to a safe page with information to reinforce security best practices and to protect laptops while away from the corporate network.
Security Awareness Training & Phishing Simulations – Provider will acquire and will assign an appropriate number of licenses to support the client environment. The Service will schedule phishing campaigns to send at random times during a specified period. The campaigns are trackable and fully customizable designed to keep track of every user’s participation, making all cybersecurity education accountable and measurable.
Multi-Factor Authentication Services / Password Credential Management Services – Provider will configure two-factor authentication for compatible software applications, institute single sign-on services for compatible software applications and customized security policies and procedures. After performing a security assessment and assessing the state of Client’s existing policies and procedures pertaining to network security (if any), Provider will work with Client to prepare a new or revised set of policies and procedures that incorporate cutting edge best practices and that take advantage of the other Services delivered by Provider.
Security Operations Center – The Services include:
- Advanced Malware Protection supported by Security Operations Center (SOC).
- Deployment of advanced malware protection applications to all Windows based devices on customer network.
- 24×7 SOC service analyzes quarantined applications and files, reducing false positives.
- Immediate risk identification – Provides rapid recognition of thousands of viruses and malware attack variants, including cryptomining attacks, as well as the root causes of these malicious behaviors, by quickly identifying and diagnosing corrupt source processes and system settings.
- Ransomware rollback – quickly rollback files to previous safe versions through tracking changes in your devices and restoring them to an acceptable risk state.
Security Log Management – Provider will configure log sources to capture and retain information without creating excessive logging, limit user access to log files, avoid logging sensitive or protected information, secure the processes that generate logs, identify and resolve logging errors, and analyze log entries, prioritize entries, and respond to those requiring action.
Security Incident Event Management (SIEM) Services supported by SOC – Provider will deploy SIEM monitoring probes to monitor all critical network devices including; domain controller, firewalls, network switches and routers. When meeting compliance requirement deployment will include all Windows devices as well.
Incident Response – Provider will assist Client in the hours immediately following a data breach to identify the likely source of the breach and to begin formulating an appropriate response to the breach. However, any assistance with data breach-remediation efforts past the first twenty-four (24) hours following a breach – including but not limited to breach-notification planning, in-depth forensic examinations of the source of a breach, and significant, post-breach systems reconfiguration – are not within the scope of this Service Attachment. If Client requests Provider’s assistance with such activities, Provider will prepare a separate Service Attachment for Project Services that will specify what the charges will be for such assistance.
DATA BACKUP AND DISASTER RECOVERY SERVICE
The Services to be performed for Client by Provider are set forth in the Order. Additional Services may be added only by entering into a separate Order including those Services.
Local Backups – Using customer provided hardware and software (backup software), backups will be performed on the basis specified in the Order. Client owns the hardware and software agents (backup software) used to perform the backups. If Client subscribes to periodic Server Maintenance, Provider will review the backups during Maintenance and notify Client of backup failures. Client will notify the Provider of any failures, and upon request, perform simple on-site tasks (e.g., powering down and rebooting hardware).
Remote Backups – Provider, through its Third-Party Service Providers will make its best effort to ensure the protection and recovery of Client’s information. Data files are backed up via a third-party client-side desktop/server software application (the “Application”), encrypted, and then sent to a storage server at third-party vendor’s data center facility. There is no local copy of the backed-up data. Data files can be restored from the cloud but the server itself cannot be recovered or “booted” in the cloud. Therefore, this service is not considered a disaster recovery solution. All data is backed up via a third-party client-side desktop/server software application (the “Application”). Provider will monitor the backups daily, notify Client of any failures, and work with third-party to resolve backup failures.
Cloud Backup – Provider, through its Third-Party Service Providers will make its best effort to ensure the protection and recovery of Client’s information. Data is backed up via a third-party client-side desktop/server application, encrypted, stored locally on a Provider-owned storage device (“Provider Owned Storage”), and then sent to a third-party owned storage server at the Third-Party Services Provider’s data center facility. Provider will monitor the status of all scheduled backup jobs, notify Client of Provider-owned storage failures and corrective actions. Provider will also provide remote administrative services of Data Backup Service as requested by Client. Offsite Backup copies will have one-year retention unless specified in Order. Upon termination of these Services, Provider will request return of the backup hardware and remove the Application from Client systems.
Disaster Recovery
Provider will work with Client to develop a comprehensive disaster-recovery plan that incorporates the Services to be delivered under this Service Attachment.
If Client experiences an event precipitating a major, multi-user loss of data, Client may notify Provider that a data loss event has occurred.
FILE BACKUP AND RECOVERY
Provider will create, monitor, and modify up to the number of file backup jobs listed in the Order. Provider will also notify Client by email of backup drive failures and corrective actions.
Upon request, Provider will remotely restore files, subject to the number of operations listed in the Order.
CLOUD AND HOSTING SERVICES
Public Cloud – Provider will move all Client’s data to a cloud computing platform, allow Client to have access to data via virtual desktop from Client’s own devices or device provided by Provider, and manage the cloud environment for Client.
Hybrid Cloud – Provider will move some of Client’s data to a cloud computing platform, and upon Client’s request, place a server on premises at Client’s location. Any Client data being moved shall be agreed to by the parties in writing prior to moving with specific instructions as to identify which data will be moved, managed or unmanaged by Provider. Any Client data being moved or managed shall be specifically identified as to the location of the data on a particular server. Any Client data not being moved, or that is not specifically identified by Client will be considered not managed. Provider shall not be responsible for the identification, classification, or location of the data. Client is solely responsible for its data up to the outermost point of Provider’s firewall with the public internet (the “Demarcation Point”). Once data has been identified, classified, its final location determined, and moved past the Demarcation Point, Provider shall then become responsible for Client data. Provider will also manage the cloud environment for client and provide hardware that will be owned by Provider and will be licensed using an appropriate license agreement.
Private Cloud or Software Subscriptions – Provider will maintain all Client’s data on premise at Client’s location, manage the cloud environment and software subscriptions for Client, provide unmanaged cloud environment and software subscriptions for Client, and provide hardware that will be owned by Provider and will be licensed using an appropriate license agreement.
Third-Party Cloud & SaaS Vendors – Provider will provide, install, and support the Third-Party Cloud or software-as-a-service vendors listed on the Order, including but not limited to Microsoft. Client designates Provider as its agent to provide the Service to Client, and to enter into any third-party relationship to provide the Service to Client. Use of this software is subject to the applicable third-party cloud or software-as-a-service vendor’s agreement regarding terms of use, which Client and Provider agree has been provided by Provider to Client. Client agrees to be bound by any applicable third-party cloud or software-as-a-service vendor’s agreements regarding terms or use or end user licensing, and Client understands that any applicable agreement regarding terms of user or end user licensing is subject to change by any Third-Party vendor or software-as-a-service provider without notice.
CYBER TRAINING SERVICES
Provider will implement and manage a managed cybersecurity awareness training platform ordered through a third party on Client’s behalf. The program features:
- Enrolling all technology-facing workforce members in the program
- Access to a curriculum of industry-leading cybersecurity awareness education which can be customized to meet the unique needs and regulatory requirements of Client
- Management reporting and visibility into workforce participation and progress in the training
- Regular campaigns to test each workforce member’s ability to recognize and effectively respond to cyberattacks which typically target individuals
- Automated enrollment in remedial training for individual workforce members, when appropriate
- Management reporting and visibility into workforce performance on testing campaigns
- Management reporting and visibility into the improvement in workforce awareness and performance over time
- Lowered risk to (Client) from cyberattacks which target unaware and untrained individuals
VOIP AND COLLABORATION SERVICES
Provider will deliver the Voice over Internet Protocol (“VoIP”) and associated telephony and collaboration services specified and selected by you on the Order or Proposal. Additional Services may be added only by entering into a new Order including those Services.
The VoIP Services may be provided or delivered by Provider through the use of third-party vendors listed on the Order or Proposal. Use of the VoIP Services are subject to any applicable third-party vendor agreements. Client acknowledges and agrees to be bound by those third-party vendor agreements. Provider shall not be responsible for any third-party vendor service failures when accessing or using the Services. Client agrees to be bound by any applicable third-party vendor’s agreements regarding terms and conditions or end user licensing, and Client understands that any applicable agreement regarding terms and conditions or end user licensing is subject to change by any third-party vendor without notice.
Network cabling, conduit, electrical, rack space, and any other required construction or trenching are additional charges are not included with the Service.
**Provider does not provide internet connection. Client is responsible for providing internet connection to use the Service.
THESE DESCRIPTIONS ARE SUBJECT TO CHANGE ANY TIME WITHOUT NOTICE.
Effective June 26, 2026. This Data Processing Agreement supersedes and replaces all prior versions.
Data Processing Agreement
This Data Processing Agreement (the “Agreement”) between Provider (sometimes referred to as “Provider,” “we,” “us,” or “our”), and the Client found on the applicable Order (sometimes referred to as “you,” or “your,”) and, together with the Order, Master Services Agreement, Schedule of Services, and other relevant Service Attachments, forms the Agreement between the parties the terms to which the parties agree to be bound.
The parties agree as follows:
1. Health Insurance Portability and Accountability Act (“HIPAA”) Data Processing.
This Agreement documents the safeguards imposed upon the parties to protect health information that is subject to the Health Insurance Portability and Accountability Act (“HIPAA”). If HIPAA is identified in the Order, and if Provider is engaged as a “Business Associate” under HIPAA, then this Agreement shall apply to Provider’s activities as a Business Associate. If HIPAA applies to Provider’s activities as a Business Associate, in order to demonstrate the parties’ compliance with HIPAA, this Agreement applies to each agreement between Provider or any of Provider’s Affiliates and Client or any of Client’s Affiliates under which Provider engages protected health information as part of its performance.
Definitions.
For purposes of this Business Associate Agreement (“BAA”), the Parties give the following meaning to each of the terms. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
- “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
- “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
- “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
- “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
- “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
- “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
- “Health Care Operations” has the meaning given to that term in 45 CFR 164.501.
- “HHS” means the S. Department of Health and Human Services.
- “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
- “Individual” has the same meaning given to that term i in 45 CFR §164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
- “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
- “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
Use and Disclosure of PHI.
- Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
- Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
- Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
- Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.
Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.
Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.
Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered entity agrees not to re-disclose Business Associate’s audit report.
Access to PHI by Individuals.
- Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
- In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.
Amendment of PHI.
- Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s
- In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.
Accounting of Disclosures.
- Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
- Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
- In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.
Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.
Effect of BAA.
- This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will
- Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30- days’ prior written notice to the other Party.
2. Gramm-Leach-Bliley Act (“GLBA”) Data Processing.
This section documents the safeguard standards imposed to protect Client financial information subject to the Gramm-Leach Bliley Act (“GLBA”). If GLBA is identified in the Order, and if Provider’s services constitute processing of financial information governed by GLBA, these provisions shall apply.
1. DEFINITIONS
All capitalized terms in this Addendum which are not otherwise defined in this Addendum or in the MSA have the meaning set forth in Title V of the Gramm-Leach-Bliley Act (P. L. 106-102; 15 USC §6801 et seq.) and the regulations issued pursuant thereto by the Financial Institution’s Functional Regulator.
2. RECEIPT OF INFORMATION
To perform its duties under the Agreement, Provider is authorized and permitted to receive, hold and, to the extent necessary, review Nonpublic Personal Information of Client in order to provide services for Client at Client’s direction as provided under the MSA. Provider may further use and disclose Nonpublic Personal Information for the proper management and administration of the business of Provider.
3. OBLIGATIONS OF SERVICE PROVIDER
Provider will take reasonable steps to:
- Implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of Nonpublic Personal Information and further containing each of the elements set forth in § 314.4 of the Gramm Leach Bliley Standards for Safeguarding Client Information (16 C.F.R. § 314) and the Red Flag Rules issued by the Federal Trade Commission;
- Ensure the security and confidentiality of Nonpublic Personal Information received from Client;
- Protect against any anticipated threats or hazards to the security or integrity of Nonpublic Personal Information;
- Protect against unauthorized access to or use of such information that could result in harm or inconvenience to Client;
- Ensure the proper disposal of Nonpublic Personal Information, as set forth in the MSA or in Service Attachments signed under the MSA, and
- Notify Client of any loss or breach of the security or Confidentiality of Client’s Nonpublic Personal Information.
4. PERMITTED USES AND DISCLOSURES
Provider may disclose the information received by it under the Agreement only if the disclosure is required by law.
5. PERMISSIBLE REQUESTS
Client shall not request Provider to use or disclose Nonpublic Personal Information in any manner that would not be permissible Title V of the Gramm-Leach-Bliley Act (P. L. 106-102; 15 USC §6801 et seq.) and the regulations issued pursuant thereto if done by Client.
3. Department of Defense Standards for Controlled Unclassified Information (“CUI”).
This section documents the safeguards imposed to protect CUI subject to the DoD and CMMC’s standards. If CUI or CMMC are identified in the Order, and to the extent Provider’s services involve CUI subject to DoD or CMMC standards or regulations, these provisions shall apply.
- System Environment. Provider will prepare a detailed description of system boundaries, system interconnectedness, and key devices.
- Requirements. Provider will thoroughly describe how the CMMC requirements have been implemented for each of the following:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
- Definitions . As used in this section —
Compromise means disclosure of information to unauthorized persons, for a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
Covered defense information means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Media means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.
Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data—Other Than Commercial Products and Commercial Services, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
- Restrictions.
- Provider agrees that the following conditions apply to any information it receives or creates in the performance of this contract that is information obtained from a third-party’s reporting of a cyber incident pursuant to DFARS clause252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (or derived from such information obtained under that clause):
(1) Provider shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government’s activities related to clause 252.204-7012, and shall not be used for any other purpose.
(2) Provider shall protect the information against unauthorized release or disclosure.
(3) Provider shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
(4) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.
(5) A breach of these obligations or restrictions may subject Provider to—
- Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and
- Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third-party beneficiary of this clause.
- Subcontracts.The Contractor shall include this clause, including this paragraph(c), in subcontracts, or similar contractual instruments, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial products and commercial services, without alteration, except to identify the parties.
LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
Notification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer to inform the data exporter promptly where it is unable to comply with these Clauses.
Review of legality and data minimization
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer.
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
FINAL PROVISIONS
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated.
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Ireland.
STATEMENT OF WORK
The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of data subjects will be described in a statement of work, purchase order or written agreement signed by the parties’ authorized representatives, which forms an integral part of the Agreement.
INSURANCE
In addition to any other insurance required under the Agreement, Client will maintain insurance coverage for privacy and cybersecurity liability (including costs arising from data destruction, hacking or intentional breaches, crisis management activity related to data breaches, and legal claims for security breach, privacy violations, and notification costs) of at least $2,000,000 US per occurrence.
TERM AND TERMINATION
(a) Term. The Term of this Agreement shall be effective as of the date signed by both parties below, and shall terminate upon the termination of the Agreement or upon the date Client terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
(b) Termination for Cause. Provider authorizes termination of this Agreement by Client, if Client determines Provider has violated a material term of the Agreement and Provider has not cured the breach or ended the violation within ten (10) business days.
(c) Effect of Termination. Upon termination of this Agreement for any reason, Provider, with respect to Personal Data received from Client, or created, maintained, or received by Provider on behalf of Client, shall:
(i) Retain only that Personal Data which is necessary for Provider to continue its proper management and administration or to carry out its legal responsibilities;
(ii) Return to Client [or, if agreed to by Client, destroy] the remaining Personal Data that the Provider still maintains in any form;
(iii) Continue to use appropriate safeguards with respect to Personal Data to prevent use or disclosure of the Personal Data, other than as provided for in this Section, for as long as Provider retains the Personal Data;
(iv) Not use or disclose the Personal Data retained by Provider other than for the purposes for which such Personal Data was retained and subject to the same conditions set forth in this Agreement; and
(v) Return to Client [or, if agreed to by Client, destroy] the Personal Data retained by Provider when it is no longer needed by Provider for its proper management and administration or to carry out its legal responsibilities.
In addition, Client’s termination of this Agreement for cause constitutes good cause for Client to terminate any Service Attachments signed under the Agreement in connection with which Provider received any Personal Data from Client.
(d) Survival. The obligations of Provider under this Section shall survive the termination of this Agreement.
Effective June 26, 2026. This Data Processing Agreement supersedes and replaces all prior versions.
Data Processing Agreement
This Data Processing Agreement (the “Agreement”) between Provider (sometimes referred to as “Provider,” “we,” “us,” or “our”), and the Client found on the applicable Order (sometimes referred to as “you,” or “your,”) and, together with the Order, Master Services Agreement, Schedule of Services, and other relevant Service Attachments, forms the Agreement between the parties the terms to which the parties agree to be bound.
The parties agree as follows:
1. Health Insurance Portability and Accountability Act (“HIPAA”) Data Processing.
This Agreement documents the safeguards imposed upon the parties to protect health information that is subject to the Health Insurance Portability and Accountability Act (“HIPAA”). If HIPAA is identified in the Order, and if Provider is engaged as a “Business Associate” under HIPAA, then this Agreement shall apply to Provider’s activities as a Business Associate. If HIPAA applies to Provider’s activities as a Business Associate, in order to demonstrate the parties’ compliance with HIPAA, this Agreement applies to each agreement between Provider or any of Provider’s Affiliates and Client or any of Client’s Affiliates under which Provider engages protected health information as part of its performance.
Definitions.
For purposes of this Business Associate Agreement (“BAA”), the Parties give the following meaning to each of the terms. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
- “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
- “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
- “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
- “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
- “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
- “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
- “Health Care Operations” has the meaning given to that term in 45 CFR 164.501.
- “HHS” means the S. Department of Health and Human Services.
- “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
- “Individual” has the same meaning given to that term i in 45 CFR §164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
- “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
- “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
Use and Disclosure of PHI.
- Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
- Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
- Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
- Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.
Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.
Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.
Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered entity agrees not to re-disclose Business Associate’s audit report.
Access to PHI by Individuals.
- Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
- In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.
Amendment of PHI.
- Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s
- In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.
Accounting of Disclosures.
- Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
- Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
- In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.
Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.
Effect of BAA.
- This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will
- Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30- days’ prior written notice to the other Party.
2. Gramm-Leach-Bliley Act (“GLBA”) Data Processing.
This section documents the safeguard standards imposed to protect Client financial information subject to the Gramm-Leach Bliley Act (“GLBA”). If GLBA is identified in the Order, and if Provider’s services constitute processing of financial information governed by GLBA, these provisions shall apply.
1. DEFINITIONS
All capitalized terms in this Addendum which are not otherwise defined in this Addendum or in the MSA have the meaning set forth in Title V of the Gramm-Leach-Bliley Act (P. L. 106-102; 15 USC §6801 et seq.) and the regulations issued pursuant thereto by the Financial Institution’s Functional Regulator.
2. RECEIPT OF INFORMATION
To perform its duties under the Agreement, Provider is authorized and permitted to receive, hold and, to the extent necessary, review Nonpublic Personal Information of Client in order to provide services for Client at Client’s direction as provided under the MSA. Provider may further use and disclose Nonpublic Personal Information for the proper management and administration of the business of Provider.
3. OBLIGATIONS OF SERVICE PROVIDER
Provider will take reasonable steps to:
- Implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of Nonpublic Personal Information and further containing each of the elements set forth in § 314.4 of the Gramm Leach Bliley Standards for Safeguarding Client Information (16 C.F.R. § 314) and the Red Flag Rules issued by the Federal Trade Commission;
- Ensure the security and confidentiality of Nonpublic Personal Information received from Client;
- Protect against any anticipated threats or hazards to the security or integrity of Nonpublic Personal Information;
- Protect against unauthorized access to or use of such information that could result in harm or inconvenience to Client;
- Ensure the proper disposal of Nonpublic Personal Information, as set forth in the MSA or in Service Attachments signed under the MSA, and
- Notify Client of any loss or breach of the security or Confidentiality of Client’s Nonpublic Personal Information.
4. PERMITTED USES AND DISCLOSURES
Provider may disclose the information received by it under the Agreement only if the disclosure is required by law.
5. PERMISSIBLE REQUESTS
Client shall not request Provider to use or disclose Nonpublic Personal Information in any manner that would not be permissible Title V of the Gramm-Leach-Bliley Act (P. L. 106-102; 15 USC §6801 et seq.) and the regulations issued pursuant thereto if done by Client.
3. Department of Defense Standards for Controlled Unclassified Information (“CUI”).
This section documents the safeguards imposed to protect CUI subject to the DoD and CMMC’s standards. If CUI or CMMC are identified in the Order, and to the extent Provider’s services involve CUI subject to DoD or CMMC standards or regulations, these provisions shall apply.
- System Environment. Provider will prepare a detailed description of system boundaries, system interconnectedness, and key devices.
- Requirements. Provider will thoroughly describe how the CMMC requirements have been implemented for each of the following:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
- Definitions . As used in this section —
Compromise means disclosure of information to unauthorized persons, for a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
Covered defense information means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Media means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.
Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data—Other Than Commercial Products and Commercial Services, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
- Restrictions.
- Provider agrees that the following conditions apply to any information it receives or creates in the performance of this contract that is information obtained from a third-party’s reporting of a cyber incident pursuant to DFARS clause252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (or derived from such information obtained under that clause):
(1) Provider shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government’s activities related to clause 252.204-7012, and shall not be used for any other purpose.
(2) Provider shall protect the information against unauthorized release or disclosure.
(3) Provider shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
(4) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.
(5) A breach of these obligations or restrictions may subject Provider to—
- Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and
- Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third-party beneficiary of this clause.
- Subcontracts.The Contractor shall include this clause, including this paragraph(c), in subcontracts, or similar contractual instruments, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial products and commercial services, without alteration, except to identify the parties.
LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
Notification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer to inform the data exporter promptly where it is unable to comply with these Clauses.
Review of legality and data minimization
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer.
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
FINAL PROVISIONS
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated.
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Ireland.
STATEMENT OF WORK
The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of data subjects will be described in a statement of work, purchase order or written agreement signed by the parties’ authorized representatives, which forms an integral part of the Agreement.
INSURANCE
In addition to any other insurance required under the Agreement, Client will maintain insurance coverage for privacy and cybersecurity liability (including costs arising from data destruction, hacking or intentional breaches, crisis management activity related to data breaches, and legal claims for security breach, privacy violations, and notification costs) of at least $2,000,000 US per occurrence.
TERM AND TERMINATION
(a) Term. The Term of this Agreement shall be effective as of the date signed by both parties below, and shall terminate upon the termination of the Agreement or upon the date Client terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
(b) Termination for Cause. Provider authorizes termination of this Agreement by Client, if Client determines Provider has violated a material term of the Agreement and Provider has not cured the breach or ended the violation within ten (10) business days.
(c) Effect of Termination. Upon termination of this Agreement for any reason, Provider, with respect to Personal Data received from Client, or created, maintained, or received by Provider on behalf of Client, shall:
(i) Retain only that Personal Data which is necessary for Provider to continue its proper management and administration or to carry out its legal responsibilities;
(ii) Return to Client [or, if agreed to by Client, destroy] the remaining Personal Data that the Provider still maintains in any form;
(iii) Continue to use appropriate safeguards with respect to Personal Data to prevent use or disclosure of the Personal Data, other than as provided for in this Section, for as long as Provider retains the Personal Data;
(iv) Not use or disclose the Personal Data retained by Provider other than for the purposes for which such Personal Data was retained and subject to the same conditions set forth in this Agreement; and
(v) Return to Client [or, if agreed to by Client, destroy] the Personal Data retained by Provider when it is no longer needed by Provider for its proper management and administration or to carry out its legal responsibilities.
In addition, Client’s termination of this Agreement for cause constitutes good cause for Client to terminate any Service Attachments signed under the Agreement in connection with which Provider received any Personal Data from Client.
(d) Survival. The obligations of Provider under this Section shall survive the termination of this Agreement.