Master Services Agreement
Non-Negotiable Standard Terms of Service
Governing Law: State of Ohio | Venue: Franklin County, Ohio
Version 1.326 | Effective Date: 01 January 2026
1. Definitions
The following terms, when capitalized, shall have the meanings set forth below throughout this Agreement and all incorporated documents.
| Term | Meaning |
| --- | --- |
| Agreement | This Master Services Agreement, together with all Statements of Work, Service Schedules, and exhibits incorporated herein by reference. |
| Client | The entity or individual identified as "Client" in the applicable Statement of Work. |
| Provider | Simple Plan IT, a cybersecurity and GRC orchestration firm operating under the laws of the State of Ohio. |
| Statement of Work (SOW) | A written document executed by both parties that specifies the applicable Service Schedules, Client-specific pricing, contract term, and any project-specific deliverables. |
| Service Schedule | A Provider-maintained document describing the scope, inclusions, exclusions, and delivery terms for a specific category of services offered by Provider. |
| Services | All cybersecurity, GRC advisory, risk assessment, and related services delivered by Provider pursuant to an executed SOW and applicable Service Schedule(s). |
| Vendor | Any third-party technology provider, subcontractor, or partner firm engaged by Provider to deliver any component of the Services. |
| Client Data | Any data, information, or materials owned by or pertaining to Client that are transmitted to, processed by, or stored within systems managed under this Agreement. |
| Fees | All amounts payable by Client to Provider as specified in an executed SOW. |
| Confidential Information | Any non-public information disclosed by either party in connection with this Agreement that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information. |
| Force Majeure Event | Any event beyond a party's reasonable control, including acts of God, natural disasters, war, terrorism, governmental action, internet or utility outages, or third-party service failures outside Provider's direct control. |
| Incident | Any confirmed or reasonably suspected unauthorized access, use, disclosure, modification, or destruction of Client Data or Client systems. |
2. Scope of Agreement and Document Structure
2.1 Purpose.
This Agreement establishes the legal and operational framework governing the relationship between Provider and Client. It does not, standing alone, obligate Provider to perform any specific services. Services are activated only upon execution of a Statement of Work incorporating this Agreement by reference.
2.2 Incorporation by Reference.
Each executed Statement of Work and each Service Schedule identified therein is hereby incorporated into and made part of this Agreement. In the event of any conflict among the documents, the order of precedence shall be: (i) this Master Services Agreement; (ii) the applicable Statement of Work; (iii) the applicable Service Schedule(s). No terms or conditions contained in any Client purchase order, vendor portal, or similar document shall modify or supersede this Agreement unless expressly agreed to in a separately executed written amendment signed by an authorized officer of Provider.
2.3 Non-Negotiable Terms.
Provider's standard terms as set forth in this Agreement are non-negotiable. Provider will not accept, incorporate, or be bound by any Client-submitted terms and conditions, whether presented before, during, or after execution of any Statement of Work. The parties acknowledge that Provider's pricing reflects the risk allocation established herein, and any modification to such allocation would require a material adjustment to pricing.
2.4 Orchestration Model.
Client acknowledges and agrees that Provider operates as a security and risk orchestration firm. In delivering Services, Provider may engage Vendors whose platforms, tools, or personnel comprise a component of the Services delivered. Provider serves as the single point of accountability to Client; however, certain service components are subject to the technical capabilities, uptime commitments, and limitations of third-party Vendors. Provider's obligations are limited to those expressly stated in the applicable Service Schedule.
3. Fees, Billing, and Payment Terms
3.1 Fee Structure.
All Fees applicable to Client's engagement are set forth in the executed Statement of Work. Provider offers services under the following billing structures, as applicable:
- Recurring Managed Services: Billed monthly in advance on the first day of each service month.
- Project and Compliance Readiness Engagements: Billed on a milestone schedule of sixty percent (60%) at engagement kickoff, twenty-five percent (25%) upon completion of the milestone defined in the applicable SOW, and fifteen percent (15%) upon final delivery.
- Risk Assessment and Penetration Testing Engagements: Billed one hundred percent (100%) in advance prior to commencement of any work.
3.2 Payment Terms.
All invoices are due and payable within fifteen (15) days of the invoice date. Invoices not paid within fifteen (15) days shall accrue interest at the rate of one and one-half percent (1.5%) per month, or the maximum rate permitted by applicable law, whichever is less, from the due date until the date of payment.
3.3 Suspension for Non-Payment.
If any undisputed invoice remains unpaid for thirty (30) or more days beyond its due date, Provider reserves the right, upon five (5) days' written notice to Client, to suspend delivery of Services until all outstanding balances are satisfied. Suspension of Services under this section shall not relieve Client of its obligation to pay Fees accrued through the date of suspension, nor shall it constitute a breach of this Agreement by Provider.
3.4 Fee Adjustments.
Provider reserves the right to adjust recurring Fees upon no less than sixty (60) days' prior written notice to Client. Fee adjustments shall take effect at the next renewal of the applicable SOW unless Client provides timely written notice of non-renewal in accordance with Section 6.3.
3.5 Disputed Invoices.
Client shall notify Provider in writing of any good-faith dispute with respect to any invoice within ten (10) days of receipt. Client shall pay all undisputed amounts when due. The parties shall work in good faith to resolve any disputed amounts within thirty (30) days of Provider's receipt of Client's dispute notice. Failure to timely dispute an invoice shall constitute acceptance of the amounts therein.
3.6 Taxes.
Fees do not include applicable sales, use, excise, or similar taxes. Client is responsible for all taxes associated with the Services, excluding taxes based on Provider's net income.
4. Client Obligations and Cooperation
4.1 Access and Cooperation.
Client shall provide Provider with timely access to Client's systems, personnel, facilities, and information as reasonably necessary for Provider to deliver the Services. Client acknowledges that Provider's ability to perform is contingent upon Client's cooperation, and that delays or failures attributable to Client shall not constitute a breach by Provider.
4.2 Accuracy of Information.
Client represents and warrants that all information, documentation, and data provided to Provider is accurate, complete, and current. Provider shall be entitled to rely on Client-provided information without independent verification, and Provider shall have no liability for errors, omissions, or failures arising from inaccurate or incomplete information provided by Client.
4.3 Technology Standards.
Client shall maintain its systems, software, and network infrastructure in accordance with the minimum technology standards set forth in the applicable Service Schedule(s). Provider's performance obligations and any applicable service level commitments are conditioned upon Client's ongoing compliance with such standards. Provider shall not be liable for service failures or degraded performance arising from Client's failure to maintain the required standards.
4.4 Authorized Personnel.
Client shall designate one or more authorized points of contact responsible for coordinating with Provider, approving work, and receiving communications under this Agreement. All Client approvals, authorizations, and acceptances required under this Agreement shall be in writing from an authorized Client representative.
4.5 Compliance with Laws.
Client is solely responsible for its own compliance with applicable laws, regulations, and industry standards, including but not limited to the Cybersecurity Maturity Model Certification (CMMC) requirements, the NIST SP 800-171 framework, and any applicable sector-specific regulations. Provider's advisory, documentation, and readiness services do not constitute legal advice, audit services, or certification, and do not guarantee that Client will achieve or maintain any particular compliance status or certification.
4.6 Shadow IT and Unauthorized Changes.
Client shall not install unauthorized software, hardware, or systems on any network or environment managed by Provider without prior written approval from Provider. Client shall not permit its internal IT personnel or third parties to make changes to managed environments without Provider's knowledge and written consent. Provider shall not be liable for Incidents, service failures, or performance degradation arising from unauthorized changes made by Client or third parties.
5. Limitation of Liability and Disclaimers
5.1 Cap on Liability.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PROVIDER'S TOTAL CUMULATIVE LIABILITY TO CLIENT ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER THEORY, SHALL NOT EXCEED THE TOTAL FEES ACTUALLY PAID BY CLIENT TO PROVIDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
5.2 Exclusion of Consequential Damages.
IN NO EVENT SHALL PROVIDER BE LIABLE TO CLIENT OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF BUSINESS, REGULATORY FINES OR PENALTIES, OR COST OF SUBSTITUTE SERVICES, EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5.3 No Guarantee of Security.
Client expressly acknowledges that no security solution, system, or service can guarantee the prevention of all security Incidents, breaches, cyberattacks, or data loss events. Provider does not warrant or represent that the Services will prevent any particular threat, attack, or unauthorized access. Provider's obligations are limited to delivering the Services as described in the applicable Service Schedule(s) using commercially reasonable efforts consistent with industry standards.
5.4 No Guarantee of Certification or Compliance Outcomes.
Provider's GRC and compliance advisory services are readiness and guidance services only. Provider does not guarantee that Client will achieve, maintain, or pass any compliance certification, audit, or assessment, including but not limited to CMMC certification or SOC 2 attestation. Certification and audit outcomes are determined solely by the applicable third-party assessor or audit firm. Provider shall have no liability for Client's failure to achieve or maintain any certification.
5.5 Third-Party Vendor Limitations.
Certain components of the Services are delivered through or dependent upon third-party Vendors. Provider is not responsible for the performance, availability, security, or acts or omissions of any Vendor, including platform outages, data breaches originating within Vendor systems, or changes to Vendor service terms. Provider shall make commercially reasonable efforts to enforce applicable Vendor obligations on Client's behalf but cannot guarantee Vendor performance.
5.6 Penetration Testing Disclaimer.
Client acknowledges that penetration testing and vulnerability assessment activities carry inherent risks, including the possibility of system instability, service disruption, or data exposure. Provider's penetration testing services are delivered by authorized third-party testing partners. Provider is not liable for any damages, disruptions, or losses arising from authorized testing activities conducted within the scope defined in the applicable Statement of Work and Rules of Engagement exhibit.
5.7 Essential Basis of the Bargain.
Client acknowledges that the limitations of liability set forth in this Section 5 are a material and essential part of this Agreement, that Provider would not have entered into this Agreement absent such limitations, and that such limitations shall apply notwithstanding any failure of essential purpose of any limited remedy.
6. Term and Termination
6.1 Agreement Term.
This Agreement shall remain in effect from the date of first execution of any Statement of Work referencing it and shall continue until all Statements of Work have expired or been terminated, unless earlier terminated in accordance with this Section 6.
6.2 SOW Initial Term.
Each Statement of Work shall specify an initial term, which shall be twelve (12) months unless otherwise stated. Services shall not be delivered on a month-to-month basis unless expressly specified in the applicable SOW.
6.3 Auto-Renewal.
Each Statement of Work shall automatically renew for successive twelve (12) month terms upon expiration of the initial term or any renewal term, unless either party provides written notice of non-renewal to the other party no less than sixty (60) days prior to the end of the then-current term. Failure to provide timely written notice shall result in automatic renewal and Client's obligation to pay Fees for the full renewal term.
6.4 Termination for Cause.
Either party may terminate this Agreement or any Statement of Work for cause upon thirty (30) days' written notice if the other party materially breaches this Agreement and fails to cure such breach within the thirty (30) day notice period. Material breach by Client includes, without limitation, failure to pay undisputed Fees when due, failure to cooperate as required under Section 4, or violation of any applicable law in connection with the Services.
6.5 Early Termination by Client.
If Client terminates any Statement of Work prior to the end of the then-current term without cause, or if Provider terminates for Client's material breach, Client shall pay to Provider a termination fee equal to one hundred percent (100%) of the remaining monthly Fees that would have been payable through the end of the then-current term. The parties agree that this amount represents a reasonable estimate of Provider's damages and not a penalty, given Provider's vendor commitments, staffing obligations, and license costs.
6.6 Effect of Termination.
Upon termination or expiration of any SOW: (i) Client's access to any platforms or tools provisioned under that SOW shall be decommissioned within thirty (30) days; (ii) Provider shall make available to Client any Client Data in Provider's possession in a reasonably accessible format within thirty (30) days; (iii) all Fees accrued and unpaid through the date of termination shall become immediately due and payable; and (iv) Provider shall have no obligation to maintain, preserve, or return any Client Data after the thirty (30) day wind-down period.
7. Confidentiality
7.1 Mutual Confidentiality Obligation.
Each party agrees to hold the other party's Confidential Information in strict confidence and not to disclose such information to any third party without the prior written consent of the disclosing party. Each party shall use the other party's Confidential Information solely for the purpose of performing its obligations or exercising its rights under this Agreement.
7.2 Standard of Care.
Each party shall protect the other's Confidential Information using at least the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care.
7.3 Exceptions.
Confidentiality obligations shall not apply to information that: (i) is or becomes publicly available through no act or omission of the receiving party; (ii) was rightfully in the receiving party's possession prior to disclosure; (iii) is independently developed by the receiving party without use of the disclosing party's Confidential Information; or (iv) is required to be disclosed by law, regulation, or court order, provided the receiving party gives the disclosing party prompt written notice and cooperates to seek appropriate protective measures.
7.4 Duration.
Confidentiality obligations shall survive the termination or expiration of this Agreement for a period of three (3) years, except that obligations with respect to trade secrets shall survive indefinitely.
8. Intellectual Property
8.1 Provider IP.
Provider retains all right, title, and interest in and to: (i) all methodologies, frameworks, tools, templates, processes, and know-how developed by Provider prior to or independently of any Client engagement; (ii) all pre-existing Provider intellectual property incorporated into deliverables; and (iii) all improvements, enhancements, or derivatives of Provider's pre-existing intellectual property, regardless of whether developed in connection with Client's engagement.
8.2 Client Deliverables.
Subject to Client's payment of all Fees when due, Provider grants Client a limited, non-exclusive, non-transferable license to use any policies, procedures, and written documentation prepared specifically for Client as deliverables under this Agreement, solely for Client's internal business purposes. Client shall not sell, license, sublicense, or otherwise transfer such deliverables to any third party.
8.3 Client Data.
Client retains all right, title, and interest in and to Client Data. Provider is granted a limited license to access, process, and use Client Data solely as necessary to deliver the Services. Provider shall not use Client Data for any other purpose.
9. Indemnification
9.1 Client Indemnification of Provider.
Client shall defend, indemnify, and hold harmless Provider and its officers, directors, employees, agents, partners, and Vendors from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (i) Client's breach of this Agreement; (ii) Client's violation of any applicable law or regulation; (iii) any claim by a third party arising from Client's use of the Services beyond the scope authorized herein; (iv) any unauthorized changes made by Client or its personnel to managed environments; or (v) Client's failure to implement recommendations made by Provider within a commercially reasonable time.
9.2 Provider Indemnification of Client.
Provider shall defend, indemnify, and hold harmless Client from and against any third-party claims arising from Provider's gross negligence or willful misconduct in the delivery of Services, subject to the limitations set forth in Section 5.
10. Insurance
Provider shall maintain, at its own expense, the following minimum insurance coverage during the term of this Agreement: (i) Commercial General Liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence; and (ii) Errors & Omissions (Technology Professional Liability) insurance with limits of not less than One Million Dollars ($1,000,000) per claim. Provider shall provide Client with certificates of insurance upon written request.
11. Force Majeure
Neither party shall be liable for any delay or failure to perform its obligations under this Agreement to the extent such delay or failure is caused by a Force Majeure Event, provided the affected party: (i) gives prompt written notice to the other party describing the Force Majeure Event and its expected duration; and (ii) uses commercially reasonable efforts to mitigate the impact and resume performance as soon as practicable. If a Force Majeure Event affecting Provider's performance continues for more than thirty (30) days, either party may terminate the affected Statement of Work upon written notice without penalty.
12. General Provisions
12.1 Governing Law.
This Agreement shall be governed by and construed in accordance with the laws of the State of Ohio, without regard to its conflict of laws principles.
12.2 Venue and Jurisdiction.
Any legal action or proceeding arising under or relating to this Agreement shall be brought exclusively in the state or federal courts located in Franklin County, Ohio. Each party hereby irrevocably submits to the personal jurisdiction of such courts and waives any objection to venue.
12.3 Dispute Resolution.
Prior to initiating any legal action, the parties agree to attempt to resolve any dispute through good-faith negotiation between senior representatives of each party for a period of not less than thirty (30) days following written notice of the dispute. This requirement shall not apply to disputes involving non-payment of undisputed Fees or requests for emergency injunctive relief.
12.4 Entire Agreement.
This Agreement, together with all executed Statements of Work and incorporated Service Schedules, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and representations, whether written or oral.
12.5 Amendments.
No amendment to this Agreement shall be effective unless made in writing and signed by authorized representatives of both parties. Provider reserves the right to update Service Schedules upon sixty (60) days' written notice to Client; updated Service Schedules shall apply to renewals and new SOWs but shall not alter obligations under currently active SOWs.
12.6 Severability.
If any provision of this Agreement is found to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.
12.7 Waiver.
No waiver of any provision of this Agreement shall be effective unless in writing. No waiver shall be deemed a continuing waiver or a waiver of any other provision.
12.8 Assignment.
Client may not assign this Agreement or any rights or obligations hereunder without the prior written consent of Provider. Provider may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets without Client's consent, provided Provider gives Client written notice of such assignment.
12.9 Notices.
All notices required or permitted under this Agreement shall be in writing and delivered by: (i) email with confirmation of receipt to the addresses set forth in the applicable SOW; (ii) overnight courier; or (iii) certified mail, return receipt requested. Notices shall be deemed received upon confirmed email delivery, one (1) business day after deposit with overnight courier, or three (3) business days after mailing.
12.10 Independent Contractors.
The parties are independent contractors. Nothing in this Agreement creates any partnership, joint venture, agency, franchise, or employment relationship between the parties. Neither party has authority to bind the other or incur any obligation on the other's behalf.
12.11 Counterparts; Electronic Signatures.
This Agreement and any Statement of Work may be executed in counterparts, each of which shall be deemed an original. Electronic signatures shall be deemed valid and binding to the same extent as original signatures.
Acknowledgment and Acceptance
By executing a Statement of Work that references this Master Services Agreement, Client acknowledges that it has read, understands, and agrees to be bound by the terms and conditions set forth herein.
— END OF MASTER SERVICES AGREEMENT —
© Simple Plan IT. All Rights Reserved.