AlignLayerNine® Master Services Agreement

Copyright Notice & Restrictions on Use

Copyright © AlignLayerNine, LLC. All Rights Reserved.

This document contains proprietary, confidential, and commercially valuable information owned exclusively by AlignLayerNine, LLC (“Provider”). It is made available solely for the evaluation, negotiation, and delivery of services between Provider and the Client.

No portion of this document may be copied, reproduced, distributed, published, reverse-engineered, adapted, or used to create derivative works—whether in whole or in part—by any third party, competitor, or service provider, without the Provider’s prior written consent.

Any unauthorized use, including use by managed service providers, cybersecurity firms, consultants, or other technology service companies, is strictly prohibited and constitutes infringement of Provider’s intellectual property rights.

Client may retain a copy solely for internal business purposes related to its engagement with the Provider.

AlignLayerNine®, and any associated names, logos, service names, service marks, and branding are trademarks or registered trademarks of AlignLayerNine, LLC. All rights are reserved.

Use of the AlignLayerNine name or branding by any third party, including managed service providers, technology service companies, cybersecurity firms, consultants, or competitors, is strictly prohibited without the Provider’s prior written consent. No license or right to use any trademark of AlignLayerNine is granted by the distribution or review of this document.

Document Versioning & Interpretation Notice

This Master Services Agreement (“MSA”) may be distributed electronically or in printed form. Printed, saved, downloaded, or cached versions may become outdated over time. The most current and authoritative version of this MSA is the version published by the Provider on its designated website or Client Portal. In the event of any discrepancy between versions, the posted online version shall prevail.

Updates to this MSA may only be made in accordance with Section 15.8 (Amendments). Nothing in this notice modifies or replaces the amendment procedures defined therein.

Headings, formatting styles, bolding, italics, tables, or other stylistic elements are included solely for readability and do not alter the meaning, scope, or enforceability of any provision. Only capitalized terms defined in Section 1 (Definitions) or elsewhere within this MSA carry contractual meaning.

Last Updated: December 30th 2025

This Master Services Agreement is available at: https://alignlayernine.com/legal/msa


TABLE OF CONTENTS

(For reference only; section titles and numbers refer to the corresponding provisions below)

1. Introduction & Agreement Structure

1.1 Parties
1.2 Purpose and Scope of Agreement
1.3 Commercial / Business Use Only
1.4 Agreement Components (MSA, SOWs, Services Guide, Local Law Addendums)
1.5 Order of Precedence (SOW → Services Guide → MSA → Local Law Addendums)
1.6 Updates to the Services Guide and MSA
1.7 Public Availability and Incorporation by Reference
1.8 Independent Contractor Relationship
1.9 Authority to Execute
1.10 Effective Date
1.11 Documents & Hierarchy
1.11.1 Public Availability and Incorporation by Reference
1.11.2 Integration with SOWs
1.11.3 No Other Terms Apply
1.11.4 Client Obligation to Review and Seek Clarification

2. Definitions

2.1 Agreement Structure & Parties (Agreement, Client, Provider, Affiliate)
2.2 Documents & Hierarchy (SOW, Services Guide, Local Law Addendum)
2.3 Core Service Model Definitions (Services, Managed Services, Managed Systems, Co-Managed Services, Co-Managed Systems, Consultative Services, Project Services)
2.4 Service Categories (CORE / AlignCORE, SHIELD / AlignSHIELD, ASSURE / AlignASSURE)
2.5 User, Device & Environment (Onboarded User, Onboarded Device, Client Environment, Provider Environment)
2.6 Operational & Support (Incident, Security Incident, Change Request / Service Request, Authorized Contact, Authorized Approver, Scheduled Maintenance, Emergency Maintenance)
2.7 Technical & Security Boundaries (Minimum Requirements, Unsupported Systems, Risk Declination)
2.8 Commercial & Billing (Consumption Services, Telecom & VoIP Services, Included Services, Chargeable Services, Access Licensing, Billing Cycle Anchor Date, Transitionary Services Period)
2.9 Relationship & Third Parties (Third-Party Provider / 3PP, Upstream Vendor / Upstream Provider)
2.10 Additional Terms (Deliverables, Acceptance, Business Day)

3. Scope of Services

3.1 Services Overview
3.2 Managed Services and Managed Systems
3.3 Co-Managed Services and Co-Managed Systems
3.4 Consultative Services
3.5 Project Services
3.6 Service Categories: CORE (AlignCORE), SHIELD (AlignSHIELD), ASSURE (AlignASSURE)
3.7 Telecom & VoIP Services
3.8 Consumption Services (including Cloud / Metered Services)
3.9 Included Services and Chargeable Services
3.10 Services Guide as Operational Description of Scope

4. Term, Renewal, and Termination

4.1 Term of the Agreement
4.2 Term and Renewal of SOWs
4.3 Flex / Month-to-Month Services
4.4 Termination for Convenience (Client)
4.5 Termination for Cause (Either Party)
4.6 Termination for Unsafe or Non-Compliant Conditions (Minimum Requirements, Risk Declination, Unsupported Systems)
4.7 Effect of Termination on Services, Deliverables, and Access Licensing
4.8 Transitionary Services Period (Onboarding, Migrations, Offboarding)
4.9 Survival of Terms

5. Fees, Billing, Licensing & Payment Terms

5.1 Fees and Rate Structures (Included vs Chargeable Services)
5.2 Invoicing and Billing Cycle Anchor Date
5.3 Payment Terms and Methods
5.4 Late Fees, Interest, and Collection Costs
5.5 Taxes and Regulatory Fees (including Telecom-related fees passed through from Upstream Vendors)
5.6 Invoice Disputes and Resolution Timelines
5.7 Access Licensing Administration
5.7.1 Provider-Managed Access Licensing
5.7.2 Client-Managed Access Licensing
5.7.3 Non-Cancellable License Commitments and True-Up Rules
5.7.4 Licensing-Only Client Billing & Support
5.7.5 Licensing for Provider Administrative Identities
5.8 Consumption Services Billing
5.8.1 Metered Usage and Upstream Vendor Meters
5.8.2 Cloud Continuity and Risk Mitigation Fees
5.8.3 Forced Termination of Consumption Services and No-Restoration Obligation
5.9 Telecom & VoIP Services Billing (Consumption + Regulatory Fees)
5.10 Suspension and Reinstatement for Non-Payment

6. Security, Minimum Requirements & Risk Allocation

6.1 Security Objectives and Shared Responsibility
6.2 Minimum Requirements (Security Baselines, Supported Platforms, Patch Windows)
6.3 Unsupported Systems and Legacy Platforms
6.4 Risk Declination (Client-Declined Controls)
6.5 Effect of Non-Compliance on SLOs and Service Scope
6.6 Provider Rights to Implement Emergency Maintenance and Protective Actions
6.7 Co-Managed Environments and Security Authority
6.8 Upstream Vendor Limitations and Dependencies
6.9 No Guarantee of Threat Prevention or Detection

7. Client Responsibilities

7.1 General Cooperation and Access
7.2 Accuracy of Information and Documentation
7.3 Client Environment Responsibilities (Networks, Power, Facilities)
7.4 Use of Authorized Contacts and Authorized Approvers
7.5 Adherence to Change Request / Service Request Processes
7.6 Ticketing, Communication Channels, and Escalation Procedures
7.7 Staffing Notifications, Onboarded Users, and Terminations
7.8 Management of Third-Party Providers (3PPs) and Shadow IT
7.9 Compliance with Laws and Handling of Regulated / Sensitive Data
7.10 Data Classification and Backup Responsibilities (where Backup Services are not included)
7.11 Client Responsibility for Work Outside Managed Systems / Co-Managed Systems
7.12 Cyber Liability Insurance Requirements
7.13 Compliance Framework Services

8. Provider Responsibilities & Service Operations

8.1 Delivery of Services in Accordance with SOWs and the Services Guide
8.2 Use of Provider Environment, Tools, Automation, and AI-Assisted Operations
8.3 Incident Handling and Security Incident Handling
8.4 Scheduled Maintenance and Emergency Maintenance Practices
8.5 Service Changes and Version Updates (Tools, Platforms)
8.6 Use of Subcontractors and Upstream Vendors
8.7 Documentation, Deliverables, and Acceptance
8.8 Provider Business Continuity

9. Service Levels and Performance

9.1 Service Level Objectives (SLOs) – Nature and Non-Binding Status
9.2 Applicability of SLOs (Managed Systems, Co-Managed Systems, Onboarded Users/Devices Only)
9.3 Conditions that Suspend or Modify SLOs
9.4 Exclusions from SLOs (Unsupported Systems, Risk Declinations, Upstream Vendor Failures, Transitionary Services Period)
9.5 Reporting and Continuous Improvement

10. Intellectual Property & Ownership

10.1 Provider Intellectual Property and Provider Environment
10.2 Client Intellectual Property and Client Environment
10.3 Ownership of Deliverables (Standard vs Customized)
10.4 License Rights Granted to Client
10.5 License Rights Granted to Provider (Use of Client Data, Telemetry, and Operational Data)
10.6 Restrictions on Reverse Engineering, Sharing, or Misuse of Tools

11. Confidentiality, Data Protection & Privacy

11.1 Confidential Information
11.2 Confidentiality Obligations of Each Party
11.3 Exceptions to Confidentiality
11.4 Data Protection, Security Controls, and Logging
11.5 AI-Assisted Operations and Use of Operational Data
11.6 Data Retention, Backups, and Destruction
11.7 Security Breach Notification
11.8 Export Controls and Restricted Data
11.9 Data Protection Addendums and Business Associate Agreements

12. Third Parties, Upstream Vendors & 3PPs

12.1 Upstream Vendors and Limitations of Control
12.2 Third-Party Providers (3PPs) Engaged by Client
12.3 Responsibility for 3PP Actions and Conflicting Changes
12.4 No Warranties for Upstream Vendor Services
12.5 Coordination in Co-Managed or Multi-Provider Environments

13. Limitations of Liability & Indemnification

13.1 Disclaimer of Warranties
13.2 Limitation of Liability
13.3 Exclusion of Indirect, Consequential, and Special Damages
13.4 Client Indemnification Obligations
13.5 Provider Indemnification
13.6 Allocation of Risk

14. Dispute Resolution & Governing Law

14.1 Good-Faith Negotiation and Escalation
14.2 Governing Law and Venue
14.3 Arbitration
14.4 Attorneys’ Fees and Costs

15. General Provisions

15.1 Force Majeure
15.2 Assignment
15.3 Subcontracting
15.4 Notices
15.5 No Waiver
15.6 Severability
15.7 Entire Agreement
15.8 Amendments
15.9 Relationship of the Parties (Independent Contractors)
15.10 Counterparts and Electronic Signatures
15.11 Publicity and Use of Client Name/Logo
15.12 Non-Solicitation
15.13 Automatic Renewal Disclosure


1. Introduction & Agreement Structure

1.1 Parties

This Master Services Agreement (the “MSA” or “Agreement”) is entered into by and between AlignLayerNine LLC (“Provider”) and the customer identified in the applicable Statement of Work (“Client”). Provider and Client may be referred to individually as a “Party” and collectively as the “Parties.”


1.2 Purpose and Scope of Agreement

This Agreement establishes the general terms and conditions governing Provider’s delivery of the Services to Client, including Managed Services, Co-Managed Services, Consultative Services, Project Services, Telecom & VoIP Services, and any applicable Consumption Services, as further described in the Services Guide and the applicable SOWs.


1.3 Commercial / Business Use Only

The Services are intended solely for commercial, business, and organizational use. Client shall not use the Services for personal, consumer, or household purposes.


1.4 Agreement Components

This Agreement consists of the following components, each of which is incorporated herein and made part of the Agreement:

(a) this MSA;
(b) all SOWs executed or approved by Client;
(c) the Services Guide;
(d) any applicable Local Law Addendums; and
(e) any Data Protection Addendum or Business Associate Agreement expressly executed by the Parties (each, if applicable, a “DPA/BAA”).

Except as expressly stated otherwise in an SOW, these documents collectively form the entire Agreement between the Parties with regard to the subject matter herein.


1.5 Order of Precedence

In the event of a conflict among components of this Agreement, the following order of precedence shall apply:

(a) the applicable SOW;
(b) this MSA;
(c) the Services Guide (only to the extent referenced in a SOW or this MSA); and
(d) any applicable Local Law Addendum.

This order of precedence applies only to direct conflicts. Documents shall otherwise be interpreted as complementary whenever possible.


1.6 Updates to the Services Guide and the MSA

Provider may update the Services Guide from time to time to reflect operational improvements, industry changes, technology evolution, new service capabilities, or updated Minimum Requirements. Updates to the Services Guide become effective upon posting or written notice, provided such updates do not materially reduce the core Services already purchased under an active SOW.

Any amendments to this MSA are governed solely by Section 15.8 (Amendments).


1.7 Public Availability and Incorporation by Reference

The current version of the Services Guide, and any subsequent revisions, may be made available through Provider’s website or provided to Client in written or electronic form. Client acknowledges that the Services Guide is incorporated by reference into this Agreement to the extent specified in Section 1.5 and Section 2.2.


1.8 Independent Contractor Relationship

Provider is an independent contractor and is not an agent, employee, joint venturer, fiduciary, or partner of Client. Nothing in this Agreement shall be construed to create any employment, agency, joint venture, or partnership relationship between the Parties.


1.9 Authority to Execute

Each Party represents and warrants that the individual executing or approving this Agreement or any SOW on its behalf has the full right, power, and authority to bind the respective Party to the terms of this Agreement.


1.10 Effective Date

This Agreement becomes effective on the date the first SOW is executed or approved by Client (“Effective Date”) and shall remain in effect until terminated in accordance with Section 4.

For purposes of this Agreement, a SOW is deemed “executed or approved” when any of the following occurs: (i) the SOW is signed by an authorized representative of Client; (ii) Client accepts the SOW through Provider’s electronic contracting platform or Client Portal; (iii) Client provides written acceptance via email from an Authorized Approver; or (iv) Client commences use of the Services described in the SOW after receiving the SOW, which shall constitute acceptance of the SOW terms. Verbal acceptance alone does not constitute execution or approval of a SOW.


1.11 Documents & Hierarchy

This MSA forms part of a multi-document legal framework governing the relationship between Provider and Client. The framework consists of:

  1. This Master Services Agreement (MSA) – establishes the legal terms, risk allocation, liabilities, and core contractual obligations.
  2. The Services Guide – defines technical standards, Minimum Requirements, roles and responsibilities, SLOs, exclusions, and operational rules.
  3. Statements of Work (SOWs), Quotes, or Order Forms – define specific Services, quantities, Fees, Licensing, terms, and service-specific details.
  4. Local Law Addendums – modify the MSA for Clients whose SOW identifies a Provider entity or incorporates an Addendum requiring jurisdiction-specific terms.

1.11.1 Public Availability and Incorporation by Reference

The Services Guide and this MSA are available at locations designated by Provider (currently, without limitation):

Client acknowledges that:
(a) the Services Guide is incorporated by reference into this Agreement only to the extent specified in Sections 1.5 and 2.2; and
(b) this MSA may be amended only as set forth in Section 15.8 (Amendments).

Updates to the Services Guide are governed by Section 1.6 and the Services Guide’s own versioning notice.

1.11.2 Integration with SOWs

Each SOW incorporates this MSA and the Services Guide by reference. No SOW is effective unless accepted by Provider. Provider may reject SOWs in its discretion.

1.11.3 No Other Terms Apply

Client purchase orders, procurement terms, vendor portals, or other customer-supplied documents are expressly rejected and do not modify this MSA, the Services Guide, or any SOW unless Provider expressly agrees in a signed writing.

1.11.4 Client Obligation to Review and Seek Clarification

Client acknowledges that the Services Guide is the authoritative description of all Services, inclusions, exclusions, roles, responsibilities, and Minimum Requirements. Client is responsible for reviewing the Services Guide and requesting clarification regarding any Service, definition, responsibility, or requirement that is not understood or appears inconsistent with Client’s expectations.

If Client believes any desired Service is missing, unclear, or not expressly stated in the applicable SOW or the Services Guide, Client must request clarification or request an updated SOW. Any Service not expressly stated as included in a SOW or the Services Guide is deemed excluded. Client’s failure to request clarification does not expand the scope of Services, obligations, or SLOs.


2. Definitions

The following capitalized terms have the meanings set forth below.
These definitions apply uniformly across this Master Services Agreement (“MSA”), the Services Guide, all Statements of Work, Quotes, Order Forms, and any Local Law Addendums (collectively, “SOWs”).

If a term is defined in both this Section and a SOW, the SOW definition controls for that SOW.


2.1 Agreement Structure & Parties

2.1.1 “Agreement”

The MSA, all SOWs, the Services Guide, and any Local Law Addendums.

2.1.2 “Client”

The entity identified as customer in the SOW, including its Affiliates receiving Services.

2.1.3 “Provider”

The Provider entity identified in the applicable SOW. Unless otherwise specified in a SOW or Local Law Addendum, Provider means AlignLayerNine LLC. Provider includes the applicable entity’s Affiliates, employees, contractors, and authorized subcontractors.

2.1.4 “Affiliate”

Any entity controlling, controlled by, or under common control with a party (control = more than 50% voting interest or power to direct management).


2.2 Documents & Hierarchy

2.2.1 “Statement of Work” or “SOW”

A document executed or approved by Client describing specific Services, Fees, quantities, term, licensing, and service-specific conditions. The SOW governs over the Services Guide and the MSA for service-specific matters.

2.2.2 “Services Guide”

“Services Guide” means Provider’s operational guide describing service categories, service inclusions and exclusions, Minimum Requirements, Supported and Unsupported Systems, Risk Declination, Service Level Objective (SLO) targets and suspension factors, and related workflows and roles.

The Services Guide is incorporated by reference into this Agreement solely to:
(a) define the scope of Included Services and Chargeable Services;
(b) describe Minimum Requirements, Unsupported Systems, and Risk Declinations and their effect on Services and SLO applicability; and
(c) describe the contents of Service Categories (including CORE, SHIELD, and ASSURE) purchased under an applicable SOW.

Descriptive statements in the Services Guide regarding Provider’s internal methods, tooling, support structure, scheduling practices, example workflows, or sample communications are provided for operational context only and do not themselves create independent contractual obligations or warranties.

2.2.3 “Local Law Addendum”

A jurisdiction-specific addendum modifying terms of this Agreement for Clients headquartered or primarily operating in that jurisdiction.

2.2.4 “Anchor Date”

The calendar month and day (e.g., December 31 or June 30) specified in a SOW on which the initial term and all Renewal Terms conclude. Anchor Dates apply only to Managed Services, Co-Managed Services, CORE Services, SHIELD Services, and ASSURE Services. Access Licensing, Consumption Services, and vendor-committed services follow their own renewal cycles as specified in the applicable SOW or vendor terms.


2.3 Core Service Model Definitions

2.3.1 “Services”

All services, deliverables, and activities Provider performs for Client under any SOW.

2.3.2 “Managed Services”

Recurring Services in which Provider manages, monitors, maintains, and administers designated systems (“Managed Systems”) with operational authority and final decision-making responsibility for security configuration of those systems.

2.3.3 “Managed Systems”

Systems, applications, devices, cloud tenants, networks, or infrastructure expressly designated as Managed Services in an SOW or documented during onboarding.

2.3.4 “Co-Managed Services”

Services where operational responsibility is shared between Provider and Client’s internal IT or Third-Party Providers (“Co-Managed Systems”). Provider retains final authority over security and risk mitigation for Co-Managed Systems.

2.3.5 “Co-Managed Systems”

Systems expressly designated as Co-Managed in a SOW.

2.3.6 “Consultative Services”

Advisory, vCISO, vCIO, GRC, assessments, audit prep, and other non-operational Services performed without ongoing administrative responsibility or SLOs.

2.3.7 “Project Services”

Fixed-fee or time-and-materials engagements with defined scope and deliverables performed outside ongoing Managed or Co-Managed Services. Consultative Services may be delivered as Project Services when defined in a Project SOW.

2.3.8 “Licensing-Only Client”

A Client that obtains Access Licensing, subscriptions, cloud services, or similar third-party services through the Provider but does not receive Managed Services, Co-Managed Services, SHIELD Services, ASSURE Services, or any operational support beyond Tier 1 (first line) support and referral/escalation to the applicable Upstream Vendor. For Licensing-Only Clients, the Provider operates solely as a reseller or procurement agent and does not manage, monitor, secure, configure, maintain, or assume responsibility for the Client’s systems, environment, or security posture.


2.4 Service Categories (CORE / SHIELD / ASSURE)

2.4.1 “CORE” or “AlignCORE”

Provider’s managed IT operations tier (support, endpoint management, monitoring, baseline security) as listed in the SOW.

2.4.2 “SHIELD” or “AlignSHIELD”

Provider’s advanced security tier (MDR/XDR, SIEM, threat detection, zero trust controls) as listed in the SOW.

2.4.3 “ASSURE” or “AlignASSURE”

Provider’s governance, risk, compliance, advisory, and vCISO tier with no operational responsibilities unless expressly stated in the SOW.


2.5 User, Device & Environment Definitions

2.5.1 “Onboarded User”

An individual whose identity, accounts, and assigned devices have been provisioned, configured, enrolled into Provider’s tooling, and accepted into coverage.

2.5.2 “Onboarded Device”

A workstation, server, or supported endpoint enrolled into Provider’s tools and accepted into coverage.

2.5.3 “Client Environment”

All systems, networks, devices, data, cloud tenants, SaaS apps, and infrastructure owned, leased, or controlled by Client.

2.5.4 “Provider Environment”

Systems, tools, automation, software, and infrastructure owned or controlled by Provider and used to deliver Services.


2.6 Operational & Support Definitions

2.6.1 “Incident”

An unplanned interruption or reduction in the quality of a Service, excluding Security Incidents.

2.6.2 “Security Incident”

A suspected or confirmed event involving unauthorized access or misuse of systems or data within Provider’s scope of responsibility, as reasonably determined by Provider using telemetry under its control.

2.6.3 “Change Request” or “Service Request”

A Client-initiated request for configuration changes, access updates, onboarding/offboarding, or other non-incident work.

2.6.4 “Authorized Contact”

A Client-designated individual permitted to submit requests, validate identity, receive security notices, or act operationally on Client’s behalf.

2.6.5 “Authorized Approver”

A Client-designated individual with authority to approve security-sensitive, privileged, or risk-impacting changes.

2.6.6 “Scheduled Maintenance”

Planned downtime or system maintenance performed with notice or within approved maintenance windows.

2.6.7 “Emergency Maintenance”

Urgent, unplanned maintenance required to preserve system integrity or mitigate active threats.


2.7 Technical & Security Boundary Definitions

2.7.1 “Minimum Requirements”

Technical, security, and operational prerequisites Client must meet for Provider to deliver applicable Services and SLOs, as defined in the Services Guide and/or SOW.

2.7.2 “Unsupported Systems”

Systems that are End of Life, unpatched, unlicensed, older than allowed, or otherwise unable to meet modern security or operational standards, as determined by Provider.

2.7.3 “Risk Declination”

Any written or electronically documented action, deferral, override, or non-response after Provider identifies a risk and requests approval, indicating Client declines a recommended action.


2.8 Commercial & Billing Definitions

2.8.1 “Consumption Services”

(Also referenced as “Cloud Consumption Services” or “Metered Services.”)
Usage-based or metered services billed according to compute, storage, minutes, messages, bandwidth, licensing consumption, or other metrics recorded by an Upstream Vendor.

2.8.2 “Telecom & VoIP Services”

Telephony, VoIP, SIP, SMS/MMS, fax/eFax, unified communications, and similar services administered or delivered through Upstream Vendors. Typically billed as Consumption Services.

2.8.3 “Included Services”

Services explicitly listed as included in a SOW or in the Service Category contents.

2.8.4 “Chargeable Services”

Any service not expressly listed as an Included Service, including out-of-scope work, after-hours work, emergency work, remediation, or work necessitated by Client/3PP actions.

2.8.5 “Access Licensing”

Per-user, per-device, or per-tenant licensing required to access vendor platforms, subject to vendor commitment terms.

2.8.6 “Billing Cycle Anchor Date”

The date on which recurring billing cycles are aligned, as stated in the SOW or first invoice.

2.8.7 “Transitionary Services Period”

The period during onboarding, major migrations, or offboarding when SLOs are suspended and environments may be unstable.


2.9 Relationship & Third-Party Definitions

2.9.1 “Third-Party Provider” or “3PP”

Any outside consultant, MSP, VAR, contractor, or IT firm other than Provider and its authorized subcontractors.

2.9.2 “Upstream Vendor” or “Upstream Provider”

Any carrier, SaaS vendor, cloud provider, telecom provider, software publisher, or platform on which Provider relies to deliver Services. Upstream Vendors are not Third-Party Providers.

2.9.3 “Incident Commander” or “IC”

The individual designated by the Client to direct, coordinate, and make decisions related to a Security Incident or other material operational disruption. The Incident Commander has overall authority for incident response activities, including determining priorities, approving protective actions, and coordinating all involved third parties such as the Provider, internal IT personnel, legal counsel, compliance officers, and external Incident Response firms. The Provider does not act as Incident Commander unless expressly authorized in writing under a separate SOW.


2.10 Additional Terms

2.10.1 “Deliverables”

Documents, configurations, reports, or other work product produced under a Project SOW or Consultative engagement.

2.10.2 “Acceptance”

A deliverable or milestone is deemed completed when delivered unless Client objects in writing with specific details within five (5) Business Days.

2.10.3 “Business Day”

A day other than Saturday, Sunday, or a Provider-recognized holiday.

2.10.4 “Notice”

Means written or electronic communication, including email or publication within the Client Portal or on the Provider’s designated website.


3. Scope of Services

3.1 Services Overview

Provider will deliver the Services to Client as defined in the applicable SOWs and supported by the operational detail contained in the Services Guide. Only those Services expressly described in a SOW are included. Any service, function, responsibility, system, user, or device not expressly listed in a SOW is excluded unless later added by written amendment or additional SOW.

The Services may include, as applicable, Managed Services, Co-Managed Services, Consultative Services, Project Services, Telecom & VoIP Services, and Consumption Services.

The absence of a limitation, exclusion, or condition in a SOW does not expand Provider’s obligations beyond those expressly stated in this Agreement and the Services Guide.


3.2 Managed Services and Managed Systems

For Managed Services, Provider will administer, monitor, manage, maintain, and support the Managed Systems designated in the SOW. Provider has operational authority and final decision-making responsibility over the security configuration, monitoring, patching, and required protective controls associated with Managed Systems, subject to the Minimum Requirements and other conditions of this Agreement.

Managed Services apply only to Managed Systems. Systems not designated as Managed Systems are outside Provider’s Managed Services scope regardless of whether they are connected to, adjacent to, or associated with the Client Environment.


3.3 Co-Managed Services and Co-Managed Systems

For Co-Managed Services, Provider and Client share operational responsibility over the Co-Managed Systems expressly identified in the applicable SOW. Unless otherwise stated, Provider retains final authority over required security baselines, threat mitigation, and configuration standards necessary to maintain security and functionality for the portions of the Co-Managed Systems under Provider’s scope.

Client remains responsible for all systems, components, and activities not expressly designated as Co-Managed. If Client, its personnel, or any Third-Party Provider makes changes, overrides controls, or implements configurations in a Co-Managed System that conflict with Provider’s requirements or security baselines:

(a) Client assumes all resulting risk;
(b) Provider may suspend applicable SLOs; and
(c) Provider may require remediation or changes as a condition of continued service.


3.4 Consultative Services

Consultative Services consist of advisory, vCIO, vCISO, risk and governance engagements, assessments, documentation support, strategic planning, architectural design, readiness reviews, and similar services requested by Client. Consultative Services do not include monitoring, administration, SLO commitments, or ongoing operational responsibility unless expressly directed and agreed in writing through a SOW.

Consultative recommendations do not automatically modify Managed Services or Co-Managed Services obligations unless incorporated into an updated SOW.


3.5 Project Services

Project Services are delivered according to a Project SOW describing specific deliverables, milestones, timelines, dependencies, assumptions, and acceptance criteria. Project Services are separate from recurring Managed or Co-Managed Services even if related to systems covered by such services.

Changes in scope, delays caused by Client or Third-Party Providers, or additional work outside the scope defined in the Project SOW will be treated as Chargeable Services.


3.6 Service Categories: CORE, SHIELD, and ASSURE

The Service Categories subscribed to by Client appear in the applicable SOW and determine the service entitlements, inclusions, and exclusions applicable to the Managed Services or Co-Managed Services purchased.

(a) CORE (AlignCORE) defines Provider’s foundational operational IT services.
(b) SHIELD (AlignSHIELD) defines Provider’s advanced cybersecurity and detection services.
(c) ASSURE (AlignASSURE) defines Provider’s governance, compliance, and advisory services.

Service Categories do not create entitlements without corresponding quantities or inclusions in a SOW. Purchasing one Service Category does not grant access to capabilities of another unless expressly provided.


3.7 Telecom & VoIP Services

Telecom & VoIP Services consist of telephony, VoIP, SIP, SMS/MMS, fax/eFax, unified communications, and similar services delivered or administered through Upstream Vendors. Provider’s responsibilities are limited to the configuration and administrative activities described in the applicable SOW. Telecom & VoIP Services are typically billed as Consumption Services and are subject to additional fees, taxes, regulatory costs, and carrier surcharges passed through from Upstream Vendors.

Provider is not responsible for service availability, outages, routing performance, or upstream disruptions originating with telecom carriers or infrastructure providers.


3.8 Consumption Services

Consumption Services (including Cloud Consumption Services and metered workloads) consist of services billed based on usage, storage, compute, call volume, data transfer, messaging, licensing usage, or other consumption metrics recorded by Upstream Vendors.

Consumption Services accrue charges until associated resources are fully deleted or terminated in accordance with vendor requirements. Client is responsible for all Consumption Services costs unless expressly limited in a SOW.

Provider may remove, power down, or delete Consumption Services resources if necessary to mitigate risk, avoid runaway consumption, or enforce Minimum Requirements or Risk Declination terms.

3.8.1 Licensing-Only Client Scope

For Licensing-Only Clients, the Provider’s role is limited to the procurement, provisioning, renewal, and administration of licensing, subscriptions, or cloud services identified in the applicable SOW or ordering document. No Managed Services, monitoring, security services, operational support, or maintenance activities are included unless separately contracted. The Provider has no responsibility for the Client’s environment, configuration, compliance posture, data protection, risk mitigation, or Minimum Requirements for any systems not expressly covered under a Managed Services SOW.


3.9 Included Services and Chargeable Services

Included Services are those expressly listed in the SOW or the applicable Service Category description. All other services are Chargeable Services, including but not limited to:

(a) out-of-scope work;
(b) emergency work or after-hours support unless included;
(c) remediation caused by Client, its personnel, or a Third-Party Provider;
(d) work on Unsupported Systems;
(e) work required due to environment misconfiguration or noncompliance with Minimum Requirements.

Chargeable Services will be invoiced in accordance with the applicable SOW and the Fees section of this Agreement.


3.10 Services Guide as Operational Description of Scope

The Services Guide provides operational detail regarding the Services, including service inclusions and exclusions, SLO targets and suspension factors, Minimum Requirements, onboarding and offboarding processes, security baselines, escalation paths, workflows, and Client operational obligations.

To the extent this Agreement or an applicable SOW expressly refers to a concept, requirement, limitation, or Service Category defined in the Services Guide, the referenced portions of the Services Guide are incorporated by reference and form part of the Parties’ contractual obligations.

For clarity, Provider’s failure to follow a particular internal workflow, routing path, or example set out in the Services Guide, standing alone, does not constitute a breach of this Agreement, provided Provider performs the Services in a professional and workmanlike manner and otherwise satisfies its express obligations under this MSA and the applicable SOWs.


4. Term, Renewal, and Termination

4.1 Term of the Agreement

This Agreement begins on the Effective Date and continues in effect until terminated in accordance with this Section 4. This Agreement governs all SOWs executed or approved during its term. Termination of this Agreement does not terminate any active SOW unless expressly stated or unless such SOW is terminated pursuant to this Section 4.


4.2 Term and Renewal of SOWs

Each SOW specifies its initial term. Unless expressly stated otherwise in a SOW, all recurring Services automatically renew for successive renewal periods equal to the renewal period stated in the SOW, or if none is stated, one (1) year (each a “Renewal Term”), unless either Party provides written notice of non-renewal at least sixty (60) days prior to the end of the then-current term.

Where a SOW specifies a term length and an Anchor Date (e.g., “36 Month Term, Anchor Date December 31”), the term ends on that Anchor Date, calculated as follows: take the Anchor Date in the year the SOW is signed, then add the term length in whole years. Renewal Terms follow the same pattern. Partial periods are prorated.

Examples:

  • “36 Month Term, Anchor Date December 31” signed March 2025 → ends December 31, 2028
  • “36 Month Term, Anchor Date June 30” signed August 2025 → ends June 30, 2028
  • “12 Month Term, Anchor Date December 31” signed March 2025 → ends December 31, 2026
  • “60 Month Term, Anchor Date June 30” signed January 2025 → ends June 30, 2030

Upon commencement of any Renewal Term, all financial, licensing, and service commitments automatically renew for that Renewal Term. Termination or non-renewal mid-Renewal Term does not relieve Client of its obligation to pay all remaining Fees, Access Licensing commitments, and Consumption Services charges due for the entirety of the Renewal Term, unless expressly stated otherwise in the SOW.

Vendor-committed licensing, consumption-based services, or any items bound to an upstream vendor term continue in accordance with the applicable vendor obligations and are not cancelled by termination or non-renewal of a SOW unless the vendor allows cancellation.

Annual adjustments to recurring Fees during a term are governed by Section 5.1.1 (Fee Adjustments by Term Type). Adjustments at the start of each Renewal Term are governed by Section 5.1.2 (Standard Renewal Adjustment).

Client acknowledges and agrees that renewal terms, renewal dates, and renewal pricing adjustments may be disclosed through recurring invoices, invoice line-item descriptions, or account statements, and that such disclosures constitute written notice for purposes of this Agreement.


4.3 Flex / Month-to-Month Services

If a Service is expressly designated in a SOW as “Flex,” “Month-to-Month,” or otherwise non-term-bound, such Service automatically renews monthly until terminated by either Party upon at least thirty (30) days’ prior written notice, unless the SOW specifies a different notice requirement.

The Flex or month-to-month designation applies only to the term of the Service and does not modify, waive, or supersede any Access Licensing, Consumption Services, or vendor commitment terms associated with that Service.


4.4 Termination for Convenience (Client)

Client may terminate a SOW for convenience by providing at least ninety (90) days’ prior written notice, unless the applicable SOW specifies a longer period. Termination for convenience does not relieve Client of its payment obligations for:

(a) all Fees due through the end of the then-current term or Renewal Term, as applicable;
(b) all non-cancellable or committed Access Licensing charges;
(c) all Consumption Services charges that continue to accrue until such services are fully terminated at the vendor level; and
(d) any other committed Fees, minimums, or obligations identified in the SOW.

If a SOW is within a Renewal Term at the time Client provides notice of termination for convenience, Client remains responsible for all Fees, Access Licensing commitments, and Consumption Services charges for the entire Renewal Term, unless expressly stated otherwise in the SOW.

Following notice of termination for convenience, Provider will continue to deliver Services through the end of the then-current term or Renewal Term. Client remains responsible for all Fees during this period.


4.5 Termination for Cause (Either Party)

A Party may terminate this Agreement or any SOW for cause if the other Party materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice specifying the breach in reasonable detail. If the breach is not reasonably capable of cure within thirty (30) days, the breaching Party must commence cure within that period and diligently pursue such cure thereafter.

Material breach by Client includes, without limitation:

(a) failure to pay Fees when due;
(b) failure to satisfy Minimum Requirements;
(c) continued operation of Unsupported Systems without remediation;
(d) repeated or cumulative Risk Declinations that, in Provider’s reasonable determination, render the Services impractical, unsafe, or commercially unreasonable to deliver, provided that Provider has first notified Client in writing that additional Risk Declinations may constitute material breach and Client has issued a subsequent Risk Declination after receiving such notice;
(e) interference by Client personnel or a Third-Party Provider that prevents Provider from delivering the Services or maintaining security; or
(f) unauthorized access, misuse, or tampering with the Provider Environment or any Managed Systems.

Notwithstanding the cure period above, Provider may immediately suspend or terminate Client’s access to all Services, Managed Systems, and Provider Environment without prior notice upon occurrence of any event described in (b) through (f), or if Client’s conduct or circumstances create a material security risk, material operational impediment, or threat to Client, Provider, or any Upstream Vendor. For non-payment under (a), Provider may suspend access upon seven (7) days’ written notice if payment remains outstanding. Such suspension may remain in effect until the condition is remedied to Provider’s reasonable satisfaction.


4.6 Termination for Unsafe or Non-Compliant Conditions

Provider may terminate this Agreement or any SOW upon written notice if Client:

(a) fails to satisfy or maintain Minimum Requirements;
(b) continues use of Unsupported Systems in a manner that materially increases operational or security risk;
(c) issues or maintains a Risk Declination that renders Services impractical, unsafe, or commercially unreasonable for Provider to continue delivering;
(d) allows or directs a Third-Party Provider or internal personnel to make changes or implement configurations that conflict with Provider’s requirements, baselines, or authority under Managed Services or Co-Managed Services; or
(e) engages in conduct or maintains conditions that materially increase Provider’s risk exposure or materially impair Provider’s ability to deliver the Services.

Upon occurrence of any event described in (a) through (e), Provider may immediately suspend or terminate Client’s access to all Services, Managed Systems, and Provider Environment without prior notice.

Provider may provide Client an opportunity to remediate the condition or accept written risk at Provider’s discretion. Provider is under no obligation to continue providing Services if doing so would expose Client, Provider, or any Upstream Vendor to material or unreasonable risk.


4.7 Effect of Termination on Services, Deliverables, and Access Licensing

Upon termination or expiration of a SOW or this Agreement:

(a) Provider will cease providing all Services except those expressly required during a Transitionary Services Period;
(b) all outstanding Fees, committed Access Licensing charges, Consumption Services charges, and other amounts accrued or committed become immediately due and payable;
(c) all Client rights to use Provider Environment, systems, tools, automation, documentation, and intellectual property immediately cease, except as expressly licensed to Client;
(d) Provider may remove or disable any tooling, agents, integrations, accounts, or configurations deployed as part of the Services;
(e) Provider is not responsible for operational continuity, service levels, or availability following termination; and
(f) Provider has no obligation to retain, preserve, or deliver data, logs, outputs, or configurations beyond its standard retention periods, unless required by law or expressly agreed in writing.

Vendor-committed services, licensing, or Consumption Services continue to accrue until terminated in accordance with applicable vendor terms.


4.8 Transitionary Services Period (Onboarding, Migrations, Offboarding)

A Transitionary Services Period may occur during onboarding, major migrations, re-platforming, or offboarding. During any Transitionary Services Period:

(a) SLOs are suspended;
(b) environmental instability, reduced visibility, or temporary service limitations may occur;
(c) Provider delivers services on a commercially reasonable efforts basis; and
(d) additional Fees may apply for accelerated work, after-hours requirements, remediation, or scope beyond Included Services.

Offboarding support is limited to: removal of Provider’s tools; handover of applicable credentials; reasonable coordination with Client or its designated Third-Party Provider; and delivery of any Deliverables expressly owed under a Project SOW. Provider does not guarantee system stability, security, or continuity after offboarding is complete.

Provider is not responsible for pre-existing conditions, misconfigurations, vulnerabilities, technical debt, unsupported hardware, legacy platforms, undocumented systems, or accumulated instability that existed prior to onboarding. Any remediation of pre-existing conditions may be classified as Chargeable Services.

4.8.1 Exit Assistance

Upon Client’s written request submitted at least sixty (60) days prior to the termination effective date, Provider shall provide reasonable exit assistance to facilitate Client’s transition to a successor provider or internal IT operations, subject to the following:

(a) Data Export. Provider shall export Client Data from Managed Systems in industry-standard formats (such as CSV, JSON, or native application export formats) to the extent such export is technically feasible and within Provider’s control. Data export from Upstream Vendor platforms may be subject to vendor capabilities and limitations.

(b) Documentation. Provider shall provide Client with copies of Provider-maintained documentation directly related to Client’s Managed Systems, including network diagrams, system configurations, and operational procedures, excluding Provider’s proprietary methodologies, templates, and intellectual property.

(c) Knowledge Transfer. Provider shall make available up to eight (8) hours of knowledge transfer meetings with Client’s designated successor provider or internal IT personnel, to be scheduled during Business Hours within the Transitionary Services Period.

(d) Credential Handover. Provider shall transfer or reset administrative credentials for Client-owned systems and accounts to Client’s designated personnel, following appropriate identity verification procedures.

(e) Transition Limitations. Provider will make commercially reasonable efforts to assist with data exports, backup retrieval, and transition of environmental configurations. However, certain transitions may require additional project scoping, Client-purchased media or storage, or may not be feasible depending on Upstream Vendor limitations or the nature of the service. Where immediate transition is not possible, Client may continue individual services on an à la carte basis at then-current rates to allow additional time for migration.

Provider does not guarantee that all data, configurations, or services are exportable or transferable.

Exit assistance activities beyond the scope described above, or exit assistance requested with less than sixty (60) days’ notice, shall be treated as Chargeable Services at Provider’s then-current rates. Provider’s exit assistance obligations are conditioned on Client being current on all payment obligations. Provider is not responsible for delays in transition caused by Client’s failure to designate a successor provider, Upstream Vendor limitations, or Client’s failure to cooperate with exit procedures.


4.9 Survival of Terms

The following provisions survive termination or expiration of this Agreement or any SOW:
Section 2 (Definitions); Section 4.7 (Effect of Termination); this Section 4.9; Section 5 (Fees, Billing, Licensing & Payment Terms); Section 6 (Security, Minimum Requirements & Risk Allocation); Section 7 (Client Responsibilities); Section 8 (Provider Responsibilities & Service Operations); Section 9 (Service Levels & Performance); Section 10 (Intellectual Property & Ownership); Section 11 (Confidentiality, Data Protection & Privacy); Section 12 (Third Parties & Upstream Vendors); Section 13 (Limitations of Liability & Indemnification); Section 14 (Dispute Resolution & Governing Law); and Section 15 (General Provisions).


5. Fees, Billing, Licensing & Payment Terms

5.1 Fees, Rate Structures, and Renewal Rates (Included vs. Chargeable Services)

Fees for Included Services are specified in the applicable SOW. All services not expressly identified in a SOW as Included Services are deemed Chargeable Services. Chargeable Services are billed at Provider’s then-current time-and-materials rates or at the rates specified in the SOW or Services Guide. Provider may adjust time-and-materials rates no more than once per calendar year upon thirty (30) days’ prior written notice.

Chargeable Services include, without limitation:

(a) any work outside the quantities or scopes stated in a SOW;
(b) after-hours work unless expressly included;
(c) emergency, expedited, or remediation work;
(d) work caused by Client or any Third-Party Provider;
(e) work on Unsupported Systems;
(f) work required due to Client’s failure to meet Minimum Requirements;
(g) work required due to misconfiguration, environmental instability, or security incidents outside Provider’s control;
(h) requests made through unauthorized channels or by unauthorized personnel; and
(i) Project Services unless explicitly included in the recurring service fee.

Provider will not perform Chargeable Services without Client approval unless for security, continuity, or risk mitigation purposes deemed necessary by Provider to prevent imminent harm or material risk.

Provider may suspend Services, access to Managed Systems, or access to the Provider Environment if Client fails to pay any Fees when due and such failure continues for seven (7) days after written notice from Provider. Such suspension may remain in effect until all outstanding amounts, including any applicable late fees and interest, are paid in full.

5.1.1 Fee Adjustments by Term Type

Fee adjustments for recurring Services depend on the term type specified in the applicable SOW:

(a) FLEX (No Committed Term). Provider may adjust recurring fees at any time upon thirty (30) days’ prior written notice. FLEX arrangements provide no rate protection or fee stability guarantees.

(b) 12-Month Term. Recurring fees are fixed during the initial term. At the start of each Renewal Term, recurring fees shall increase by the Standard Renewal Adjustment.

(c) 36-Month and 60-Month Terms. Recurring fees shall increase by five percent (5%) on the first Anchor Date following eleven (11) months and one (1) day after the Effective Date, and on each Anchor Date thereafter during the initial term. For SOWs without an Anchor Date, adjustments occur on each annual anniversary of the Effective Date. At the start of each Renewal Term, recurring fees shall increase by the Standard Renewal Adjustment.

5.1.2 Standard Renewal Adjustment

Except as otherwise stated in an applicable SOW, recurring fees for Managed Services, Co-Managed Services, CORE Services, SHIELD Services, ASSURE Services, and other ongoing services are subject to adjustment upon renewal. Unless otherwise stated in the SOW, at the start of each Renewal Term such recurring fees will automatically increase by a percentage equal to the greater of (i) five percent (5%) or (ii) the percentage change in the Consumer Price Index for All Urban Consumers (CPI-U), U.S. city average, All items, as published by the U.S. Bureau of Labor Statistics for the most recently available twelve (12) month period ending at least sixty (60) days prior to the start of the applicable Renewal Term, plus three percentage points (3%), provided that in no event will the total increase under this sentence exceed ten percent (10%) for any Renewal Term (the “Standard Renewal Adjustment”). The Standard Renewal Adjustment applies automatically at renewal whether or not Provider separately delivers a renewal summary or pricing schedule, and Client’s failure to receive or review any such communication does not affect the effectiveness of the Standard Renewal Adjustment.

5.1.3 Supplemental Adjustments

In addition to the Standard Renewal Adjustment, Provider may implement additional market-based price adjustments for Renewal Terms (including adjustments based on labor costs, inflation, tooling expenses, security compliance requirements, or vendor-driven changes) that exceed the Standard Renewal Adjustment (each, a “Supplemental Adjustment”) by providing written Notice to Client. Provider will provide written Notice of any Supplemental Adjustment at least sixty (60) days prior to the renewal date. If Provider delivers Notice of a Supplemental Adjustment less than sixty (60) days but at least thirty (30) days before the renewal date, Client may elect not to renew the applicable Services by providing written Notice prior to the renewal date, notwithstanding the ninety (90) day non-renewal requirement in Section 4.2; provided, however, that if Client’s Notice specifies that its decision not to renew is based on the Supplemental Adjustment, Provider may, in its sole discretion and by written Notice to Client prior to the renewal date, withdraw the Supplemental Adjustment and proceed with renewal at only the Standard Renewal Adjustment, in which case Client’s election not to renew under this sentence will be of no force and effect. If Provider delivers Notice of a Supplemental Adjustment less than thirty (30) days before the renewal date, the Supplemental Adjustment will not apply for that Renewal Term and only the Standard Renewal Adjustment and any vendor pass-through adjustments described below will apply. For clarity, Client’s special non-renewal right in this paragraph arises only in connection with a Supplemental Adjustment and does not apply solely because of the Standard Renewal Adjustment.

5.1.4 Vendor Pass-Through Adjustments

Adjustments to third-party licensing, cloud services, telecom, or other vendor pass-through costs may occur at any time and will be billed to Client as incurred, regardless of term type or fee adjustment schedule.

5.1.5 Effect of Failure to Deliver Notice

Failure by Provider to deliver a separate renewal summary or pricing notice does not affect the validity of the renewal, the applicability of the Standard Renewal Adjustment or any annual adjustment under Section 5.1.1, or Client’s obligation to pay Fees for the applicable term or Renewal Term.


5.2 Invoicing and Billing Cycle Anchor Date

Provider invoices all Fees in advance on a recurring basis aligned to the Billing Cycle Anchor Date stated in the SOW or first invoice. Access Licensing, recurring Services, and other monthly or annual commitments are billed in full cycles according to the Billing Cycle Anchor Date.

Consumption Services, telecom usage, project work, and Chargeable Services are invoiced in arrears or on the schedule specified in the SOW.

If Client adds users, devices, workloads, environments, licenses, or other quantities affecting Fees, charges will be prorated to the Billing Cycle Anchor Date and billed thereafter at full-cycle rates.

Each invoice may include information regarding current service terms, renewal periods, renewal pricing, service classifications (including ‘Flex’ or ‘Non-Renewing’ designations), and term end dates. Client agrees that such information is provided for transparency and shall be deemed part of the ongoing commercial notice under this Agreement.


5.3 Payment Terms and Methods

Unless otherwise stated in a SOW, all invoices are due upon receipt and payable within ten (10) days. Client agrees to maintain an active payment method and authorizes Provider to automatically charge such method for all Fees, including recurring Fees, Access Licensing, Consumption Services, Chargeable Services, taxes, and regulatory fees.

Failure to maintain a valid payment method constitutes non-payment under this Agreement.

Payments must be made in U.S. dollars via ACH, credit card, or other method approved by Provider. Provider may charge additional fees for payments made by credit card or other non-ACH methods, consistent with applicable law.

Client shall not withhold, offset, delay, or reduce payment of any Fees, Access Licensing charges, Consumption Services charges, or other amounts owed under this Agreement, whether due to disputes, claims, pending credits, or alleged service issues, except as expressly permitted in Section 5.6.


5.4 Late Fees, Interest, and Collection Costs

Any undisputed amount not paid when due accrues interest at 1.5% per month (18% annually) or the maximum rate permitted by law, whichever is less. Provider may also charge late fees as permitted by law.

Client is responsible for all reasonable costs of collection, including legal fees, agency fees, expenses, and court costs incurred due to Client’s non-payment or late payment.

Provider may apply payments to the oldest outstanding invoices or Fees at Provider’s discretion.


5.5 Taxes and Regulatory Fees

All Fees are exclusive of taxes. Client is responsible for all federal, state, local, and other taxes, fees, assessments, regulatory charges, carrier surcharges, telecom fees, universal service fees, and any similar charges arising from or related to the Services, Access Licensing, or Consumption Services, whether imposed on Provider or Client.

Provider may invoice such amounts directly or pass them through from Upstream Vendors. Client agrees to pay all such taxes and regulatory fees regardless of whether they appear on the initial SOW.


5.6 Invoice Disputes and Resolution Timelines

Client must notify Provider of any good-faith invoice dispute within thirty (30) days of receipt of the invoice, specifying in reasonable detail the disputed amount, the specific line items or charges in dispute, and the factual basis for the dispute. Undisputed amounts remain payable in accordance with Section 5.3.

Provider and Client will work in good faith to resolve invoice disputes within thirty (30) days of Provider’s receipt of the dispute notice. Failure to dispute an invoice within the thirty-day period constitutes acceptance of the invoice and waiver of any right to dispute such invoice, except for manifest billing errors or fraud.

Client may withhold the specifically disputed amount (and only such amount) pending resolution, provided Client: (i) pays all undisputed amounts when due; (ii) provides written notice of the dispute within the thirty-day period; and (iii) continues to cooperate in good faith to resolve the dispute. Withholding of undisputed amounts, or withholding disputed amounts without proper notice, constitutes non-payment under this Agreement.

Provider may continue billing and collection efforts for undisputed amounts during the dispute resolution period. If a dispute is not resolved within sixty (60) days, either Party may escalate the matter in accordance with Section 14.1.

5.6.1 Billing Scope and Operational Charge Interpretation

Billing personnel are responsible for processing payments, issuing invoices, applying taxes and credits, addressing payment-related questions, and explaining invoice formatting, term dates, and service-period calculations. Billing personnel are not responsible for interpreting the operational reasons behind charges, licensing needs, user counts, billable activities, compliance requirements, or scope changes.

Questions regarding the basis or justification for any charge must be directed to the Client’s Technical Account Manager or other designated operational contact. Invoice disputes submitted to Billing that require operational interpretation will be routed to the appropriate operational team for review.


5.7 Access Licensing Administration

5.7.1 Provider-Managed Access Licensing

Where Provider manages Access Licensing on behalf of Client, Provider will procure, assign, administer, and renew licenses from Upstream Vendors. Client is responsible for all Access Licensing fees, vendor-committed terms, renewal costs, true-up obligations, and any other licensing charges regardless of actual usage.

Licenses added or assigned mid-cycle are prorated to the Billing Cycle Anchor Date. Removal of user accounts or devices does not reduce Access Licensing counts unless the applicable vendor permits reductions.

Provider is not responsible for vendor discontinuation, licensing model changes, pricing updates, SKU changes, or other adjustments by an Upstream Vendor.

5.7.2 Client-Managed Access Licensing

Where Client manages its own Access Licensing, Client is solely responsible for:

(a) maintaining valid and compliant licenses at all times;
(b) ensuring licensing quantities meet Provider’s Minimum Requirements;
(c) providing Provider with administrative access as required; and
(d) resolving any licensing deficiencies, expirations, misalignment, or non-compliance.

If Client-managed Access Licensing becomes non-compliant, expired, limited, or insufficient to support the Services, Provider may suspend affected Services, require remediation, or require Client to transition licensing to Provider-managed licensing.

5.7.3 Non-Cancellable License Commitments and True-Up Rules

Access Licensing purchased through Provider may have fixed terms, minimum commitments, or vendor-imposed non-cancellability. Client is responsible for all fees for the full vendor term even if Services terminate early, unless the vendor expressly permits cancellation.

If true-up adjustments are required by the vendor due to increased usage, account count, device count, workload consumption, tenant growth, or any other metric, Client is responsible for all incremental charges.

5.7.4 Licensing-Only Client Billing & Support

For Licensing-Only Clients, the Provider’s responsibilities are limited to licensing procurement, account administration, and Tier 1 support as required by the applicable Upstream Vendor. All licensing procured through the Provider is subject to the vendor’s terms and conditions, including non-cancellable and non-refundable commitments. The Provider does not guarantee vendor pricing, availability, service levels, or performance of any third-party service. The Client acknowledges that the Provider does not operate, manage, secure, or support the Client’s systems in any manner unless separately contracted through a Managed Services or Co-Managed Services SOW.

5.7.5 Licensing for Provider Administrative Identities

Client is responsible for purchasing and maintaining all required licensing for Provider administrative identities, including but not limited to management accounts, automation accounts, security operations identities, directory administration identities, and privileged access accounts. Such identities are required for the delivery of Managed Services, Co-Managed Services, SHIELD Services, ASSURE Services, and other operational functions. Provider administrative accounts must remain licensed, active, and excluded from any automated deprovisioning or license reclamation processes. Failure to maintain required licensing may result in suspension of Services or the Provider’s inability to meet Service Level Objectives or security obligations.


5.8 Consumption Services Billing

5.8.1 Metered Usage and Upstream Vendor Meters

Consumption Services, including Cloud Consumption Services and other metered workloads, are billed based on usage metrics recorded by the applicable Upstream Vendor. Provider is not responsible for inaccuracies in vendor meter calculations or reporting.

Consumption Services continue to accrue charges until the associated resource is fully deleted, terminated, or deprovisioned at the vendor level.

5.8.2 Cloud Continuity and Risk Mitigation Fees

Provider may charge Cloud Continuity Fees or administrative/risk mitigation fees related to Consumption Services when Provider must:

(a) perform remediation;
(b) prevent runaway workloads;
(c) address misconfiguration, exposure, or security risks;
(d) maintain additional operational oversight due to Client actions or 3PP actions; or
(e) intervene to prevent increased billing risk or resource exhaustion.

These fees are in addition to the vendor-metered Consumption Services charges.

5.8.3 Forced Termination of Consumption Services and No-Restoration Obligation

If a Consumption Services resource poses an immediate security threat, runaway cost condition, or operational instability, Provider may power down, remove, isolate, or delete the resource at its discretion. Provider has no obligation to restore any such resource and is not liable for data loss or operational impact arising from termination actions taken in good faith to mitigate risk.

Client remains responsible for all Consumption Services charges incurred prior to full termination at the vendor level.


5.9 Telecom & VoIP Services Billing (Consumption + Regulatory Fees)

Telecom & VoIP Services are billed as Consumption Services and may include usage-based charges, per-minute fees, per-SMS/MMS fees, DID charges, emergency service fees, regulatory surcharges, and carrier-imposed taxes or assessments. Provider may pass through such fees without markup.

Telecom & VoIP Services remain billable until fully terminated with the underlying carrier or Upstream Vendor. Provider is not responsible for carrier outages, routing issues, rate changes, or regulatory adjustments.


5.10 Suspension and Reinstatement for Non-Payment

Provider may suspend all or part of the Services immediately upon non-payment, chargeback, declined payment method, or failure to maintain an active payment method. Suspension may include disabling access, removing or disabling agents, or restricting functionality until payment is received.

During suspension:

(a) SLOs are suspended;
(b) Provider has no obligation to perform any Services;
(c) additional Fees may apply for reinstatement; and
(d) Client remains responsible for all Fees, Access Licensing, and Consumption Services charges that continue to accrue.

Provider may require prepayment, deposit, or auto-payment enrollment as a condition of reinstating Services.


6. Security, Minimum Requirements & Risk Allocation

6.1 Security Objectives and Shared Responsibility

Provider delivers Services in accordance with commercially reasonable practices and the security controls applicable to the purchased Service Category and designated Managed Systems or Co-Managed Systems. Security is a shared responsibility between Provider and Client. Provider is responsible for the controls explicitly included in the SOW, while Client remains responsible for its own policies, user behavior, internal processes, Third-Party Providers, unapproved software, Client Environment configurations outside Provider’s scope, and adherence to Minimum Requirements.

Client acknowledges that security controls function effectively only when the Client Environment is maintained according to Minimum Requirements and configured in a manner consistent with Provider’s guidance and industry-standard practices.

Provider’s security responsibilities apply only to the systems, accounts, users, devices, cloud tenants, applications, and environments expressly designated as within Provider’s operational scope under an applicable SOW. Provider has no responsibility or liability for security, monitoring, configuration, or risk mitigation of any systems or data outside its designated scope of control.


6.2 Minimum Requirements (Security Baselines, Supported Platforms, Patch Windows)

Client must satisfy and maintain the Minimum Requirements throughout the term of each SOW, including but not limited to:

(a) supported and actively patched operating systems and platforms;
(b) Provider-approved endpoint protection, monitoring agents, and EDR solutions installed and operational;
(c) multi-factor authentication (MFA) enabled on all supported services and administrative access;
(d) Provider-approved firewall, network segmentation, and security configurations;
(e) a recurring maintenance and patch window adopted by Client; and
(f) adherence to all baseline controls, supported vendor versions, and configuration standards documented in the Services Guide or applicable SOW.

Managed Services Clients must maintain Microsoft Entra ID licensing at the level required for their subscribed service tier, including Entra ID P1 for AlignCORE Clients and Entra ID P2 for AlignSHIELD Clients. Equivalent Microsoft bundles that include the applicable Entra ID tier are acceptable. Google Workspace or Google Cloud Identity may be used only in conjunction with an active Entra ID tenant meeting these requirements. Failure to maintain required identity licensing may result in suspension or modification of Services, and Service Level Objectives may not apply.

Minimum Requirements may be updated by Provider as technology standards, threat conditions, or industry expectations evolve, provided such updates do not materially reduce the core Services purchased under an active SOW. Updated Minimum Requirements become effective upon written notice or publication in the Services Guide.

Client must maintain appropriate licensing for Provider administrative identities as part of Minimum Requirements. Such licensing may be obtained directly by the Client or procured through the Provider as part of Access Licensing administration. Provider administrative identities must remain licensed, active, and excluded from any automated deprovisioning or license reclamation processes. Provider may suspend or modify Services, and Service Level Objectives may not apply, if administrative identities required for management, automation, or security operations are unlicensed, removed, or restricted.

Client must ensure that all endpoints, servers, network devices, and related equipment used in the Managed Environment meet commercial-grade specifications including, but not limited to: a business-class operating system (e.g., Windows Pro/Enterprise), commercial warranty coverage, TPM availability, hardware supportability, and compatibility with required security tooling. Consumer-grade devices, home-edition operating systems, or equipment purchased through retail channels may not meet Minimum Requirements and may result in suspension of Service Level Objectives or refusal of support until the device is replaced or remediated.

Hardware and system requirements evolve over time based on operating system supportability, security baselines, vendor deprecations, and the requirements of the Provider’s managed services platform. Client is responsible for verifying that any newly acquired hardware meets the Provider’s then-current Minimum Requirements at the time of purchase. Devices that met Minimum Requirements in prior years may no longer be supported as hardware standards, operating systems, and security requirements advance.

Where applicable, Clients are required to procure hardware directly through the Provider or procure equipment that meets the Provider’s published Minimum Requirements. The Provider may decline to support, manage, or secure devices that do not meet these standards.

Client must adopt and maintain the Provider’s standardized naming conventions for users, devices, groups, cloud resources, and other managed identities. Naming conventions are required to support automation, identity governance, privileged access workflows, security tooling integrations, and Service Level Objective applicability. Failure to follow the Provider’s naming standards may result in suspension of applicable SLOs or the Provider’s inability to deliver certain Services until corrected.

Clients must maintain accurate and compliant domain registration information, including off-domain contact email addresses and valid registrant data as required by ICANN. Client domains must remain under Client ownership; the Provider will not take ownership of any Client domain. For Managed Services, Client domains must utilize the Provider-managed DNS platform, and all DNS changes must be requested through the Provider. Third-party access to DNS is not permitted. Any third-party service that sends email on behalf of a Client domain must be reviewed and approved by the Provider to ensure proper SPF, DKIM, and DMARC configuration.

If Client fails to meet Minimum Requirements, SLOs may be suspended and Provider may require remediation before continuing or restoring Services.

6.2.1 Minimum Requirements Not Applicable to Licensing-Only Clients

Minimum Requirements apply only to Managed Systems supported under a Managed Services or Co-Managed Services SOW. Licensing-Only Clients are not subject to Minimum Requirements, and the Provider has no responsibility for the Client’s systems, security controls, or risk exposure unless separately contracted.


6.3 Unsupported Systems and Legacy Platforms

Unsupported Systems are excluded from Managed Services and Co-Managed Services except as expressly agreed in writing. Provider shall have no obligation to maintain, secure, patch, troubleshoot, or support Unsupported Systems and may designate systems as Unsupported Systems if:

(a) they are end-of-life or end-of-support;
(b) security updates are unavailable;
(c) they exceed supported age or hardware limits;
(d) they cannot run Provider-required agents or controls;
(e) they materially increase security or operational risk; or
(f) they are incompatible with Provider Environment or Upstream Vendor requirements.

If Client continues to operate Unsupported Systems without remediation, Provider may suspend SLOs for affected systems or Services, require a Risk Declination, or terminate the relevant SOW pursuant to Section 4.6.


6.4 Risk Declination (Client-Declined Controls)

If Client declines, delays, overrides, or fails to implement a recommended security control, configuration, remediation, or upgrade (a “Risk Declination”), whether explicitly or implicitly (including through non-response), then:

(a) Client assumes all risk arising from the declined recommendation;
(b) Provider is not liable for any resulting damages, downtime, loss, or security incidents;
(c) SLOs for affected systems or Services are suspended;
(d) Provider may limit or suspend specific Service functions or access;
(e) Provider may require remediation as a condition of continued Services; and
(f) Provider may terminate the relevant SOW or Service in accordance with Section 4.6.

Provider will document Risk Declinations through written or electronic means, including but not limited to ticketing systems, email, digital approvals, or other recorded communication.


6.5 Effect of Non-Compliance on SLOs and Service Scope

If Client fails to meet Minimum Requirements, operates Unsupported Systems, maintains a Risk Declination, or otherwise prevents Provider from implementing required controls, then Provider may:

(a) suspend applicable SLOs;
(b) limit the scope of Services to commercially reasonable efforts;
(c) treat related work as Chargeable Services;
(d) decline to perform non-essential services on affected systems;
(e) require Client remediation prior to restoring full service functionality; or
(f) treat the condition as a material breach or unsafe condition under Section 4.5 or 4.6.

The suspension of SLOs or Services due to Client non-compliance does not reduce Client’s payment obligations under the Agreement or any SOW.


6.6 Provider Rights to Implement Emergency Maintenance and Protective Actions

Provider may implement Emergency Maintenance, protective actions, or temporary configuration changes, with or without prior notice, if necessary to:

(a) mitigate imminent threats or active security incidents;
(b) prevent material harm to the Client Environment, Provider Environment, Managed Systems, or Co-Managed Systems;
(c) prevent or contain runaway Consumption Services billing;
(d) address material vulnerabilities or exposures; or
(e) comply with security best practices or Upstream Vendor requirements.

Such actions may temporarily impair access, performance, or functionality. Provider is not responsible for data loss, downtime, operational impact, or other consequences of Emergency Maintenance conducted in good faith to reduce risk or prevent harm.


6.7 Co-Managed Environments and Security Authority

In Co-Managed Services, Client acknowledges that:

(a) Provider retains final authority over security baseline configuration for Co-Managed Systems;
(b) Provider may require removal, rollback, or reconfiguration of Client or Third-Party Provider changes that impact security, stability, or compliance;
(c) Client and Third-Party Providers must follow Provider guidance for privileged access, change control, and required tooling; and
(d) any deviation from Provider-required security controls may result in suspension of SLOs, performance limitations, or additional Fees.

If Client or a Third-Party Provider overrides required controls, Provider may:

(i) restrict access;
(ii) isolate affected systems;
(iii) limit responsibilities to commercially reasonable efforts; or
(iv) terminate the affected SOW under Sections 4.5 or 4.6.


6.8 Upstream Vendor Limitations and Dependencies

Client acknowledges that Provider relies on Upstream Vendors for certain Services, including but not limited to cloud workloads, telecom services, licensing, monitoring, security tooling, and Consumption Services. Provider is not responsible for:

(a) outages, service degradations, attacks, or disruptions caused by an Upstream Vendor;
(b) pricing changes, SKU changes, licensing model adjustments, or meter revisions;
(c) data retention, logging availability, or recovery limitations imposed by Upstream Vendors;
(d) failures related to Upstream Vendor APIs, integrations, or dependencies; or
(e) delays or failures caused by circumstances within an Upstream Vendor’s service boundary.

Provider’s obligations are limited to the administrative and configuration responsibilities expressly stated in the applicable SOW.

Provider will use commercially reasonable efforts to pass through to Client any warranties, indemnities, or protections provided by Upstream Vendors to the extent permitted by the applicable vendor agreement. Provider makes no independent representation or warranty regarding Upstream Vendor products or services beyond what is expressly provided by the Upstream Vendor.


6.9 No Guarantee of Threat Prevention or Detection

Client acknowledges that no security service, tool, or control—including those provided by Provider—can guarantee complete prevention, detection, or remediation of all cyber threats, vulnerabilities, or incidents. Provider does not warrant:

(a) that attacks or breaches will be prevented;
(b) that all threats will be detected;
(c) that notifications or alerts will be timely;
(d) that security technologies provided by Upstream Vendors will perform without failure; or
(e) that any particular configuration will eliminate risk.

Provider’s liability for Security Incidents is limited as set forth in Section 13.

Provider is not responsible for detecting or preventing intentional acts, fraud, misuse, or malicious behavior by Client personnel, authorized users, contractors, or Third-Party Providers unless expressly included within the scope of Services in an applicable SOW.


7. Client Responsibilities

7.1 General Cooperation and Access

Client shall cooperate with Provider in all matters relating to the Services and shall provide timely access to facilities, personnel, systems, cloud tenants, documentation, and information as reasonably required for Provider to perform the Services. Client shall ensure Provider has all necessary administrative credentials, permissions, and privileges to access and manage the Managed Systems or the portions of Co-Managed Systems assigned to Provider under an applicable SOW.

Client shall make available qualified personnel who are knowledgeable about the Client Environment and who can provide information, approvals, decisions, and assistance reasonably required for Provider to deliver the Services.


7.2 Accuracy of Information and Documentation

Client shall provide accurate, complete, and timely information reasonably required for Provider to perform the Services. Provider is entitled to rely on the accuracy and completeness of information provided by Client or its personnel without independent verification.

If Client-provided information is inaccurate, incomplete, or outdated, Provider may:

(a) suspend SLOs;
(b) require additional remediation as Chargeable Services; or
(c) reclassify work as out-of-scope if the inaccuracy materially increases Provider’s effort or risk.

Provider is not responsible for inaccuracies, omissions, or outdated information contained in network diagrams, asset inventories, lists, documentation, or representations provided by Client or Third-Party Providers. Provider may rely on such information without independent verification unless otherwise expressly contracted in a SOW.


7.3 Client Environment Responsibilities (Networks, Power, Facilities)

Client is solely responsible for maintaining the physical and environmental conditions of the Client Environment, including:

(a) adequate power, HVAC, physical security, and environmental controls for all equipment;
(b) functional network connectivity, cabling, WAN circuits, ISP services, and carrier relationships;
(c) physical access controls, alarms, and facility access procedures; and
(d) installation, relocation, or replacement of physical equipment, racks, or power infrastructure unless expressly included in the SOW.
(e) Client shall maintain adequate spare hardware, replacement components, backup equipment, and compatible parts necessary to ensure business continuity and minimize downtime. Provider is not responsible for delays, outages, degraded performance, or inability to complete Services resulting from unavailable spare hardware or equipment.
(f) Client shall maintain up-to-date emergency contacts and escalation personnel available for critical incidents, after-hours approvals, and urgent security matters. Provider is not responsible for delays, extended impact, or increased risk resulting from unavailability or non-responsiveness of Client’s designated emergency contacts.
(g) Provider is not responsible for hazardous, unsafe, or non-compliant physical environments, including but not limited to electrical hazards, poor cabling conditions, water damage, environmental contaminants, or unsafe facility conditions. Provider may suspend onsite work until such hazards are remediated.

Provider is not responsible for outages, downtime, configuration failures, or degradation caused by Client’s facilities, power, carrier circuits, environmental factors, or building management systems.


7.4 Use of Authorized Contacts and Authorized Approvers

Client shall maintain an up-to-date list of Authorized Contacts and Authorized Approvers and shall ensure that only such individuals request Services, approve changes, authorize access, or communicate instructions on Client’s behalf.

Provider may refuse to accept instructions or requests from individuals who are not designated as Authorized Contacts or Authorized Approvers. Provider is entitled to rely on any instruction issued by an Authorized Contact or Authorized Approver as binding Client direction.


7.5 Adherence to Change Request / Service Request Processes

Client shall submit Change Requests, Service Requests, onboarding/offboarding requests, and other operational directives through the channels and processes identified in the Services Guide or SOW. Provider is not required to act on requests submitted through unauthorized channels or by unauthorized personnel.

Work performed outside the established processes may be treated as Chargeable Services. Provider may suspend SLOs for any system or request where Change Request procedures were not followed.


7.6 Ticketing, Communication Channels, and Escalation Procedures

Client shall use the designated ticketing system, communication channels, and escalation paths specified in the Services Guide or SOW. Provider is not required to provide Services based on requests sent to individual staff email addresses, text messages, personal contacts, or informal channels.

SLOs apply only to properly submitted tickets. Client is responsible for ensuring its personnel:

(a) follow required ticketing, escalation, and approval procedures;
(b) identify business impact or urgency accurately; and
(c) provide sufficient detail and access for Provider to address the issue.


7.7 Staffing Notifications, Onboarded Users, and Terminations

Client shall notify Provider promptly of new hires, terminations, role changes, access changes, and other identity lifecycle events through the required processes in the Services Guide.

Client is responsible for:

(a) timely submission of onboarding and offboarding requests;
(b) ensuring that Onboarded Users and Onboarded Devices reflect actual personnel and equipment in use;
(c) ensuring that no user retains access beyond their authorized employment or engagement period; and
(d) any delays in account creation, modification, or deactivation resulting from late notifications.

Provider is not responsible for unauthorized access, security risk, or operational impact arising from untimely or incomplete staffing notifications.


7.8 Management of Third-Party Providers (3PPs) and Shadow IT

Client is responsible for managing all Third-Party Providers engaged by Client. Provider is not responsible for acts, omissions, misconfigurations, or interference caused by Third-Party Providers or Shadow IT (any system, software, integration, or provider not expressly approved by Provider).

Client shall:

(a) ensure 3PPs follow Provider’s required security and operational standards;
(b) prevent 3PPs from modifying Managed Systems or Co-Managed Systems without Provider approval;
(c) coordinate all 3PP access through Provider where applicable; and
(d) promptly notify Provider of any 3PP activity affecting Managed Systems, Co-Managed Systems, or supported cloud tenants.

Provider may treat the actions of 3PPs or Shadow IT as Client actions for purposes of this Agreement. Any remediation required due to 3PP activity may be treated as Chargeable Services. Provider may suspend SLOs or terminate Services under Sections 4.5 or 4.6 if 3PP actions create risk or instability.


7.9 Compliance with Laws and Handling of Regulated / Sensitive Data

Client is solely responsible for:

(a) identifying all regulated, sensitive, or classified data in the Client Environment;
(b) ensuring Client’s use of the Services complies with all laws applicable to such data, including HIPAA, GLBA, SOX, FERPA, CJIS, PCI-DSS, NIST, ITAR, and other frameworks;
(c) informing Provider of any legal, regulatory, or contractual restrictions applicable to Client data;
(d) ensuring Provider is granted lawful authority to access such data; and
(e) implementing data governance controls not expressly included in the Services.

Provider does not act as the system of record for regulated data, does not determine Client regulatory obligations, and is not responsible for compliance failures arising from Client’s data classification, data handling practices, or failure to disclose regulatory requirements.


7.10 Data Classification and Backup Responsibilities (where Backup Services are not included)

Unless Client has expressly purchased backup services in a SOW, Client is solely responsible for:

(a) classifying its data;
(b) maintaining backups of systems, applications, and data;
(c) validating backup integrity and recoverability; and
(d) retaining data in accordance with Client’s internal policies and regulatory requirements.

Provider has no obligation to retain, recover, or restore data unless expressly included as a Service in a SOW. Any data recovery effort not included in the SOW may be treated as a Chargeable Service and performed on a commercially reasonable efforts basis.

Provider has no responsibility for Client business continuity, disaster recovery, failover capability, or continuity of operations unless expressly stated in an applicable SOW. Provider does not guarantee service availability, system recovery, data restoration, or operational continuity during or after any disaster, outage, or facility event unless Backup or DR Services are specifically purchased.


7.11 Client Responsibility for Work Outside Managed Systems / Co-Managed Systems

For all systems, devices, applications, networks, cloud tenants, integrations, or services not expressly designated as Managed Systems or Co-Managed Systems in a SOW:

(a) Client retains full responsibility for their configuration, security, patching, monitoring, and upkeep;
(b) Provider has no obligation to administer, manage, or support such systems except as Chargeable Services;
(c) Provider may require isolation, segmentation, remediation, or Risk Declination before interacting with such systems; and
(d) SLOs do not apply to work involving systems outside Provider’s designated scope.

Any support or remediation work performed on systems outside Managed Systems or Co-Managed Systems is deemed a Chargeable Service and may require additional approvals or a separate SOW.


7.12 Cyber Liability Insurance Requirements

Client shall maintain an active cyber liability insurance policy meeting Provider’s minimum requirements, including coverage for ransomware, data breach response, business interruption, and cyber extortion. Proof of coverage shall be provided to Provider upon request. Provider may review policy requirements solely to identify technical security controls relevant to the Services. Such review does not constitute legal, insurance, or compliance advice, and Provider does not evaluate policy adequacy or certify Client compliance with any insurance-related obligations. Client remains solely responsible for understanding, interpreting, and complying with its insurance policy.

Client’s Insurance is Client’s Protection. Client acknowledges and agrees that:

(a) Provider’s insurance policies (including professional liability and general liability coverage) do not cover Client’s losses, breach response costs, business interruption, regulatory penalties, or third-party claims against Client;

(b) Client’s cyber liability insurance is Client’s exclusive source of coverage for Security Incidents, data breaches, ransomware events, and related losses affecting Client, regardless of whether such incidents arise from Provider’s acts or omissions;

(c) Client should not rely on Provider’s insurance as a substitute for Client’s own coverage; and

(d) Client’s decision regarding coverage limits and policy terms is Client’s sole responsibility, and Provider makes no representation regarding the adequacy of any coverage amount.

The limitations of liability set forth in Section 13 apply regardless of whether either Party maintains insurance, and the availability of insurance proceeds does not expand either Party’s liability beyond the caps stated in this Agreement.


7.13 Compliance Framework Services

Provider’s standard services do not include compliance certification, audit preparation, or attestation services for any regulatory or industry framework, including but not limited to CMMC, HIPAA, SOC 2, PCI DSS, ISO 27001, or similar programs. Any compliance-specific services, deliverables, or responsibilities must be expressly scoped in an applicable SOW.

Client is solely responsible for achieving and maintaining any certifications, attestations, or compliance status required by Client’s business, contracts, or regulatory obligations. Provider does not act as the certified, audited, or attesting entity on Client’s behalf.

Provider’s agreement to provide services does not constitute acceptance of any regulatory obligations, contract flow-down provisions, or third-party requirements unless expressly agreed in writing.

Client shall not submit regulated data (including but not limited to CUI, PHI, PCI cardholder data, or export-controlled information) to Provider unless expressly authorized in an applicable SOW or Data Processing Agreement.


8. Provider Responsibilities & Service Operations

8.1 Delivery of Services in Accordance with SOWs and the Services Guide

Provider will deliver the Services in a professional and workmanlike manner and in accordance with the applicable SOW and the operational detail set forth in the Services Guide. Provider is responsible only for those systems, users, devices, cloud tenants, applications, and functions expressly designated as within scope under a SOW.

Provider shall have no responsibility for work, remediation, or support relating to:

(a) systems not designated as Managed Systems or Co-Managed Systems;
(b) Unsupported Systems;
(c) environments, integrations, or workloads for which Client has not provided required access or information;
(d) Client actions or inactions, or those of its personnel or Third-Party Providers; or
(e) conditions arising from Client’s failure to satisfy Minimum Requirements.

Provider’s performance is conditioned on Client meeting its obligations under this Agreement. Provider’s obligations do not extend to providing Services outside Included Services unless expressly accepted as Chargeable Services or under a separate SOW.


8.2 Use of Provider Environment, Tools, Automation, and AI-Assisted Operations

Provider may use any combination of tools, security agents, management platforms, automation, scripting, orchestration systems, AI-assisted operations, and the Provider Environment as necessary to deliver the Services. Provider may modify, update, enhance, or replace its tools or the Provider Environment at any time, provided such changes do not materially reduce the core Services purchased by Client.

Unless expressly stated in a SOW, Client is not granted any rights, licenses, or access to the Provider Environment, and shall not:

(a) access Provider tools directly;
(b) copy, reverse engineer, or reproduce Provider scripts, automation, processes, or documentation;
(c) use Provider tools outside the scope of the Services; or
(d) interfere with, disable, or remove any Provider-deployed agent or tooling.

Provider may deploy or remove agents, tooling, and integrations at any time as reasonably required to deliver or discontinue the Services.

AI-assisted operations may include ticket triage, behavioral analysis, anomaly detection, log interpretation, workflow assistance, and operational automation. Provider does not use Client Data for model training except in accordance with its privacy obligations and applicable law.


8.3 Incident Handling and Security Incident Handling

Provider will respond to Incidents and Security Incidents in accordance with the applicable SOW and the triage, escalation, and classification processes described in the Services Guide.

For Incidents:

(a) Provider will provide troubleshooting, remediation, and communication through its designated ticketing system;
(b) SLOs apply only to Incidents affecting Managed Systems or Co-Managed Systems and only when Client is in compliance with Minimum Requirements; and
(c) Provider performs Incident remediation on a commercially reasonable efforts basis.

For Security Incidents:

(a) Provider will investigate, analyze, or escalate Security Incidents affecting in-scope systems using tools within the Provider Environment and telemetry under Provider’s control;
(b) Provider may isolate, limit, or disable affected systems or accounts as necessary to contain active threats;
(c) Client shall cooperate fully and promptly with Provider’s guidance, including providing logs, approvals, privileged access, or system availability; and
(d) Provider’s responsibilities are limited to the systems and functions expressly within Provider’s scope of control under the SOW.

Provider will notify Client of any Incident affecting Client’s systems or data as soon as practical but no later than twelve (12) hours after discovery.

Provider is not liable for Security Incidents arising from Client actions, Third-Party Providers, Unsupported Systems, shadow IT, misconfiguration, failure to follow Provider guidance, or violations of Minimum Requirements.

At all times during a Security Incident, Client is responsible for designating an Incident Commander (IC) in accordance with Section 2.9.3. Provider supports the IC with technical analysis, containment, remediation efforts, and operational recommendations but does not serve as Incident Commander or assume overall incident response responsibility unless expressly authorized under a separate SOW.


8.4 Scheduled Maintenance and Emergency Maintenance Practices

Provider may perform Scheduled Maintenance during designated maintenance windows or with reasonable prior notice to Client. Scheduled Maintenance may result in temporary degradation, unavailability, or reduced functionality of certain systems or tooling.

Provider may also perform Emergency Maintenance at any time, with or without prior notice, when necessary to:

(a) mitigate imminent security threats;
(b) prevent or contain active exploitation;
(c) address system instability or failure;
(d) comply with Upstream Vendor requirements; or
(e) prevent runaway consumption, resource exhaustion, or billing anomalies in Consumption Services.

Provider is not responsible for downtime, performance impact, or data loss caused by Scheduled Maintenance or Emergency Maintenance conducted in good faith to preserve system integrity or protect Client or Provider.


8.5 Service Changes and Version Updates (Tools, Platforms)

Provider may modify, update, or enhance the Services, tools, platforms, security controls, or operational methods used to deliver the Services at any time. This includes version updates, tool replacements, configuration changes, and improvements in monitoring or automation.

Provider will not materially reduce the core capabilities of the Services purchased under an active SOW; however:

(a) specific tools or features may be replaced by functionally equivalent alternatives;
(b) Upstream Vendors may modify or discontinue features, APIs, SKUs, or functionality; and
(c) Provider’s Services may adapt accordingly to align with industry standards and security requirements.

Client acknowledges that ongoing evolution of Provider’s tools and operational methods is necessary to maintain security and service quality.


8.6 Use of Subcontractors and Upstream Vendors

Provider may use subcontractors and Upstream Vendors to deliver the Services. Provider remains responsible for the performance of its subcontractors but is not responsible for:

(a) outages, failures, delays, or degradations attributable to Upstream Vendors;
(b) pricing changes, licensing adjustments, or SKU modifications by Upstream Vendors;
(c) upstream limitations on availability, data retention, or recovery; or
(d) disruptions or constraints caused by Upstream Vendor infrastructure, APIs, or platforms.

Client shall not engage or grant administrative access to Third-Party Providers that interfere with Provider’s ability to deliver the Services. Provider may suspend or limit Services if a Third-Party Provider, subcontractor engaged by Client, or other external party materially impairs Provider’s operations or creates risk.

Provider will use commercially reasonable efforts to pass through to Client any warranties, indemnities, or protections provided by Upstream Vendors to the extent permitted by the applicable vendor agreement. Provider makes no independent representation or warranty regarding Upstream Vendor products or services beyond what is expressly provided by the Upstream Vendor.


8.7 Documentation, Deliverables, and Acceptance

Provider will produce Deliverables identified in an applicable SOW. Unless otherwise stated, Deliverables are accepted when provided to Client, subject to the five (5) Business Day Acceptance period described in Section 2.10.2.

Provider-generated documentation, configurations, automation, procedures, and other artifacts created in the course of delivering the Services (collectively, “Operational Artifacts”) remain the property of Provider unless explicitly transferred under a SOW. Provider grants Client a limited, non-exclusive license to use Operational Artifacts solely for internal business purposes related to the Services.

Provider is not required to provide internal procedures, proprietary configurations, automation scripts, or details regarding the Provider Environment unless expressly included in a SOW.


8.8 Provider Business Continuity

Provider shall maintain reasonable business continuity and disaster recovery capabilities for the Provider Environment, including:

(a) redundant systems and data backup procedures for critical Provider infrastructure used to deliver the Services;

(b) documented incident response and recovery procedures for Provider-side outages or disruptions;

(c) the capability to resume material remote Services within forty-eight (48) hours following a Provider-side incident affecting the Provider Environment, excluding incidents caused by:
(i) widespread regional disasters or force majeure events;
(ii) Upstream Vendor or third-party infrastructure failures;
(iii) cyberattacks, ransomware, nation-state attacks, or similar security events;
(iv) incidents originating from or caused by Client, Client Environment, or Third-Party Providers; or
(v) government action, regulatory seizure, or legal process.

Provider’s business continuity obligations do not extend to the Client Environment, Client-owned systems, or Upstream Vendor platforms. Provider is not responsible for Client’s business continuity, disaster recovery, or data backup unless such services are expressly included in an applicable SOW.

Upon Client’s reasonable written request, Provider shall provide a summary of its business continuity capabilities, subject to Provider’s confidentiality requirements regarding security-sensitive information.


9. Service Levels and Performance

9.1 Service Level Objectives (SLOs) – Nature and Non-Binding Status

Any Service Level Objectives (“SLOs”) described in a SOW or the Services Guide represent Provider’s operational targets and guidelines, not binding service level agreements. SLOs are aspirational indicators of expected performance under normal operating conditions and do not constitute warranties, guarantees, service credits, financial penalties, or remedies of any kind.

SLOs are measured only on a commercially reasonable efforts basis and do not apply when Provider’s performance is affected by factors outside its control, including Client non-compliance with this Agreement.


9.2 Applicability of SLOs (Managed Systems, Co-Managed Systems, Onboarded Users/Devices Only)

SLOs apply only to:

(a) Managed Systems expressly identified in an applicable SOW;
(b) the Provider-assigned portion of Co-Managed Systems;
(c) Onboarded Users and Onboarded Devices; and
(d) requests properly submitted through designated ticketing channels.

SLOs do not apply to:

(i) systems, users, devices, networks, or applications not expressly included in a SOW;
(ii) Client-managed portions of Co-Managed Systems;
(iii) any system or device not fully Onboarded at the time of the request; or
(iv) tasks outside the operational responsibility of Provider as defined in the SOW.

Provider has no SLO obligations for any Service that is not recurring Managed Services or Co-Managed Services.

9.2.1 SLO Inapplicability for Licensing-Only Clients

Licensing-Only Clients are not eligible for Service Level Objectives (SLOs), response targets, or performance commitments of any kind. SLOs apply only to Managed Systems and only under an active Managed Services or Co-Managed Services SOW.


9.3 Conditions that Suspend or Modify SLOs

SLOs are suspended, tolled, or modified under any of the following conditions:

(a) Client’s failure to satisfy Minimum Requirements;
(b) presence of Unsupported Systems affecting service stability or security;
(c) active Risk Declination related to the affected system or function;
(d) incomplete or inaccurate information provided by Client;
(e) failure of Client personnel or Third-Party Providers to follow required processes (ticketing, change control, approvals, escalation paths);
(f) Client-caused delays, access limitations, or failure to provide required credentials or system availability;
(g) heavy load, major incident response, or other conditions requiring emergency prioritization;
(h) upstream failures or issues originating with an Upstream Vendor;
(i) Client environment instability, corrupted configurations, or misconfigured assets; or
(j) disruptions or limitations caused by the Transitionary Services Period.

During suspension or modification of SLOs, Provider will provide Services on a commercially reasonable efforts basis.

9.3.1 Unsupported or Consumer-Grade Hardware

Service Level Objectives do not apply to devices that do not meet the Provider’s Minimum Requirements, including consumer-grade PCs, home-edition operating systems, or non-commercial warranty equipment. SLOs resume only once the device is remediated or replaced.


9.4 Exclusions from SLOs (Unsupported Systems, Risk Declinations, Upstream Vendor Failures, Transitionary Services Period)

SLOs do not apply to any Services, systems, or circumstances involving:

(a) Unsupported Systems;
(b) systems for which Client has issued a Risk Declination;
(c) Third-Party Provider actions or interference;
(d) shadow IT, unapproved software, or unapproved provider usage;
(e) outages, delays, degradations, or constraints caused by Upstream Vendors;
(f) failures or delays arising from Client-controlled network, facilities, power, or cloud tenants not under Provider operational control;
(g) system degradation, instability, or limited visibility during onboarding, migrations, major reconfiguration, or offboarding as part of a Transitionary Services Period;
(h) work classified as Chargeable Services; and
(i) Services performed outside Included Services.

Provider is not responsible for SLO performance for any Service impacted by Client-controlled factors or conditions outside Provider’s operational authority.


9.5 Reporting and Continuous Improvement

Provider may provide periodic reporting or metrics related to SLO performance, incident trends, ticket volumes, consumption patterns, or service quality, as described in the applicable SOW or Services Guide. Such reporting is informational only and does not create warranties, guarantees, or service commitments beyond those expressly stated in the Agreement.

Provider may review performance indicators and operational data to identify improvements to security posture, operational efficiency, or service delivery. Continuous improvement recommendations do not modify SOW scope or constitute Included Services unless expressly agreed in writing.


10. Intellectual Property & Ownership

10.1 Provider Intellectual Property and Provider Environment

Provider retains all right, title, and interest in and to the Provider Environment, including all tools, software, configurations, scripts, automation, processes, documentation, methodologies, AI-assisted workflows, templates, operational procedures, and other intellectual property used to deliver the Services, whether existing prior to or developed during the term of this Agreement.

Nothing in this Agreement transfers ownership of any Provider intellectual property (“Provider IP”) to Client. Provider IP may be used by Client only as expressly permitted in this Agreement or in an applicable SOW.


10.2 Client Intellectual Property and Client Environment

Client retains all right, title, and interest in and to Client Data, the Client Environment, and all intellectual property created or owned by Client. Provider’s use of Client Data and access to the Client Environment is limited to what is reasonably required to deliver the Services, comply with law, or exercise Provider’s rights under this Agreement.

Provider acquires no ownership interest in Client Data or Client intellectual property.


10.3 Ownership of Deliverables (Standard vs Customized)

Deliverables created under a SOW fall into two categories:

(a) Standard Deliverables.
Templates, reports, playbooks, scripts, operational artifacts, and other materials that are part of Provider’s standard methodology remain Provider IP. Provider grants Client a limited license under Section 10.4 to use Standard Deliverables solely for its internal business purposes.

(b) Customized Deliverables.
Deliverables expressly identified in a SOW as “custom,” “client-owned,” or “work made for hire,” and paid for in full by Client, are owned by Client upon completion and Acceptance. Provider retains a non-exclusive right to reuse generalized know-how, techniques, and non-identifying elements incorporated therein.

Except as expressly stated in a SOW, Deliverables are Standard Deliverables.


10.4 License Rights Granted to Client

Provider grants Client a limited, non-exclusive, non-transferable license to use:

(a) Deliverables provided under a SOW;
(b) Standard Deliverables solely for internal business operations; and
(c) documentation provided by Provider solely for use in connection with the Services.

Client shall not:

(i) sublicense, transfer, or disclose Deliverables or Provider IP to any Third-Party Provider without Provider’s prior written consent;
(ii) remove proprietary notices; or
(iii) use Deliverables or Provider IP to provide services to third parties, including internal IT outsourcing or MSP-like services.

This license automatically terminates upon termination of the Services or this Agreement, except with respect to Customized Deliverables owned by Client.


10.5 License Rights Granted to Provider (Use of Client Data, Telemetry, and Operational Data)

Client grants Provider a limited license to use Client Data, telemetry, logs, behavioral signals, metadata, and operational data generated through the Services (“Operational Data”) solely to:

(a) deliver the Services;
(b) monitor, secure, and improve Provider’s tooling and operational practices;
(c) analyze performance, threat patterns, and incidents;
(d) produce anonymized or aggregated analytics; and
(e) comply with applicable laws, subpoenas, or legal requests.

Provider will not disclose Client Data except in accordance with Section 11.
Operational Data may be aggregated or anonymized to improve Provider’s services, provided such data does not identify Client or its personnel.


10.6 Restrictions on Reverse Engineering, Sharing, or Misuse of Tools

Client shall not, and shall not permit any third party to:

(a) access, modify, reverse engineer, copy, or derive source code from Provider IP;
(b) share Provider tools, credentials, configurations, or automation outside Client’s internal staff;
(c) interfere with, disable, or remove Provider agents, scripts, or monitoring tools; or
(d) use Provider IP to develop or offer competing services.

Violation of this Section constitutes a material breach not subject to cure where the breach involves disclosure, reverse engineering, or misuse of proprietary technology.


11. Confidentiality, Data Protection & Privacy

11.1 Confidential Information (definition cross-reference)

“Confidential Information” has the meaning set forth in Section 2 and includes all non-public information disclosed by either Party that is marked or reasonably understood to be confidential, including Client Data, Provider IP, security methods, credentials, and any proprietary business, operational, or technical information.

Confidential Information does not include information that is publicly available without breach, independently developed without reference to the other Party’s materials, or obtained lawfully from a third party without confidentiality obligations.


11.2 Confidentiality Obligations of Each Party

Each Party agrees to:

(a) use the other Party’s Confidential Information solely to perform its obligations under this Agreement;
(b) restrict disclosure to personnel and subcontractors with a need to know;
(c) maintain administrative, technical, and physical safeguards consistent with industry standards; and
(d) notify the other Party promptly of any unauthorized disclosure or breach.

Provider’s subcontractors and Upstream Vendors are bound by confidentiality obligations consistent with this Section, either through contract or lawful binding terms.


11.3 Exceptions to Confidentiality

Either Party may disclose Confidential Information to the extent required by:

(a) law, regulation, subpoena, court order, or government request; or
(b) audit or compliance obligations under a recognized regulatory framework,

provided that, where legally permissible, the receiving Party gives prompt notice to allow the disclosing Party to seek protective measures.

Confidential Information may also be used or disclosed in connection with the Party’s legal counsel, auditors, or insurance providers under customary confidentiality obligations.


11.4 Data Protection, Security Controls, and Logging

Provider will implement commercially reasonable administrative, physical, and technical safeguards to protect Client Data within Provider’s operational control. Provider may monitor, log, and analyze activity across the Provider Environment and any Managed Systems or Co-Managed Systems necessary to deliver or secure the Services.

Client is responsible for:

(a) data classification, handling, labeling, and retention;
(b) compliance with laws applicable to Client Data (HIPAA, GLBA, CJIS, PCI-DSS, NIST, ITAR, etc.); and
(c) securing systems and data outside Provider’s scope of responsibility.

Provider’s obligations do not extend to systems, networks, applications, or data locations not expressly designated in the applicable SOW.


11.5 AI-Assisted Operations and Use of Operational Data

Provider may use AI-assisted tools to analyze logs, telemetry, behavior, anomalies, incidents, and operational patterns to enhance service quality, detection capabilities, and workflow efficiency.

Provider will not:

(a) train public AI models using identifiable Client Data;
(b) share Client Data with third parties except as permitted by this Agreement; or
(c) disclose Client Data in a manner that identifies Client in aggregated or anonymized datasets.

AI-assisted operations may rely on Operational Data as described in Section 10.5.


11.6 Data Retention, Backups, and Destruction (at end of Service)

Unless otherwise stated in a SOW:

(a) Provider retains Client Data only for the duration of the Services and the applicable retention periods in Provider’s workflows;
(b) Provider is not responsible for Client backups unless Backup Services are purchased;
(c) upon termination, Provider may delete Client Data from the Provider Environment after the Transitionary Services Period unless legally prohibited;
(d) any restoration, export, or transfer of Client Data during offboarding may be treated as a Chargeable Service; and
(e) Provider has no obligation to recover or restore data after termination.

Data retained by Upstream Vendors after termination is governed by the vendor’s retention and deletion policies.


11.7 Security Breach Notification

This Section addresses each Party’s obligation to notify the other in the event of a security breach affecting the notifying Party’s own systems or data. This Section does not modify, limit, or define Provider’s security monitoring, alerting, incident response, or other Services delivered to Client, which are governed by the applicable SOW and Services Guide.

For confirmed Security Incidents involving unauthorized access to Client’s Managed Systems or the Provider Environment, Provider shall notify Client as soon as practical but no later than twelve (12) hours after confirmation.

For breaches involving exposure of Confidential Information or Client Data (such as business contact information or account metadata), the discovering Party shall notify the other Party within seventy-two (72) hours of discovery.

Each Party shall provide reasonable cooperation and information necessary for the other Party to meet its legal or contractual notification obligations. Nothing in this Section requires Provider to disclose internal security methods or information that would compromise Provider’s security posture.


11.8 Export Controls and Restricted Data

Client shall not provide Provider access to any data, systems, or information subject to export control regulations, ITAR, EAR, government-classified restrictions, or similar requirements unless expressly agreed in writing in an applicable SOW. Provider has no obligations to support or maintain systems containing restricted or controlled information unless explicitly contracted.


11.9 Data Protection Addendums and Business Associate Agreements

If the Parties execute a DPA/BAA, that document is incorporated into this Agreement and applies only to the specific data types, jurisdictions, and regulatory frameworks identified therein. In the event of any direct conflict between this MSA and a DPA/BAA with respect to data protection, security, or breach notification obligations, the DPA/BAA will control solely for the regulated data and processing activities within its scope.


12. Third Parties, Upstream Vendors & 3PPs

12.1 Upstream Vendors and Limitations of Control

Provider relies on Upstream Vendors and carrier services, including cloud platforms, SaaS vendors, telecom providers, security tooling, and other third-party infrastructure to deliver the Services. Client acknowledges that Provider does not control and is not responsible for:

(a) outages, degradations, delays, failures, or vulnerabilities attributable to an Upstream Vendor;
(b) pricing changes, SKU modifications, licensing model changes, or meter revisions made by an Upstream Vendor;
(c) data retention, backup limitations, or recovery restrictions imposed by an Upstream Vendor;
(d) API changes, discontinued services, forced upgrades, or version end-of-life; or
(e) any limitations, constraints, or operational boundaries inherent to an Upstream Vendor’s platform.

Provider’s obligations with respect to Upstream Vendor services are strictly limited to the administrative, configuration, and operational tasks expressly assumed by Provider under an applicable SOW.

Provider will use commercially reasonable efforts to pass through to Client any warranties, indemnities, or protections provided by Upstream Vendors to the extent permitted by the applicable vendor agreement. Provider makes no independent representation or warranty regarding Upstream Vendor products or services beyond what is expressly provided by the Upstream Vendor.


12.2 Third-Party Providers (3PPs) Engaged by Client

Client is solely responsible for any Third-Party Provider (3PP) or vendor it engages, including but not limited to consultants, contractors, MSPs, VARs, account managers, or offshore personnel. Provider does not supervise, monitor, or control 3PPs unless expressly stated in a SOW.

Client shall ensure 3PPs:

(a) do not modify Managed Systems or Co-Managed Systems without Provider approval;
(b) adhere to security requirements and Minimum Requirements;
(c) coordinate access through Provider where required; and
(d) follow Provider’s change control, escalation, and approval procedures.

Provider may refuse access to or coordination with 3PPs that create risk, instability, or operational conflict.


12.3 Responsibility for 3PP Actions and Conflicting Changes

Client is responsible for the actions, omissions, misconfigurations, access, and changes made by any 3PP. Any impact caused by 3PPs—including security events, system instability, configuration drift, downtime, or operational conflict—will be treated as if caused by Client.

Provider may:

(a) require remediation as a condition of continuing the Services;
(b) suspend SLOs for affected systems;
(c) classify remediation as Chargeable Services;
(d) isolate, roll back, or undo 3PP changes; or
(e) terminate the affected SOW pursuant to Section 4.6 if 3PP actions create persistent or material risk.


12.4 No Warranties for Upstream Vendor Services

Provider does not warrant and expressly disclaims responsibility for the functionality, availability, performance, security, or support obligations of any Upstream Vendor service. Upstream Vendor warranties, remedies, service levels, and commitments apply solely between Client and the Upstream Vendor unless expressly stated otherwise in a SOW.

Provider does not guarantee that Upstream Vendor services will remain available, unchanged, or compatible throughout the term of the Agreement.


12.5 Coordination in Co-Managed or Multi-Provider Environments

In environments involving multiple providers, internal IT staff, or 3PPs:

(a) Provider’s scope is strictly limited to the responsibilities designated in the applicable SOW;
(b) Provider’s SLOs apply only to the systems and responsibilities under Provider’s operational control;
(c) Provider may require defined boundaries, permissions, and coordination procedures to avoid conflict;
(d) any conflict between providers may result in suspension of SLOs or reclassification of Services as Chargeable; and
(e) Provider retains final authority over security baselines for any Managed Systems or Co-Managed Systems under Provider’s scope.

Provider is not responsible for multi-provider overhead, reconciliation, or mediation between Client’s vendors except as expressly included in a SOW.


13. Limitations of Liability & Indemnification

13.1 Disclaimer of Warranties

Except as expressly stated in this Agreement or a SOW, Provider disclaims all warranties, whether express, implied, statutory, or otherwise, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, system performance, uptime, SLO achievement, threat detection, or threat prevention.

Provider does not warrant that:

(a) the Services will be uninterrupted or error-free;
(b) all threats, incidents, or vulnerabilities will be detected or prevented;
(c) solution components from Upstream Vendors will function without failure; or
(d) Deliverables will satisfy Client’s internal compliance obligations unless expressly contracted.


13.2 Limitation of Liability

To the maximum extent permitted by law, Provider’s total aggregate liability arising out of or relating to this Agreement, any SOW, or the Services, whether in contract, tort, negligence, or otherwise, shall not exceed an amount equal to the total Fees paid by Client to Provider for Services (excluding Access Licensing charges, Consumption Services charges, taxes, regulatory fees, and other vendor pass-through amounts paid or payable to Upstream Vendors) under the applicable SOW during the twelve (12) months immediately preceding the event giving rise to the claim.

If multiple claims arise, the cap applies in the aggregate—not per incident. This limitation applies regardless of:

(a) the number of incidents;
(b) the nature of the claim;
(c) the number of claimants; or
(d) the theory of liability asserted.

Notwithstanding the foregoing, the limitations set forth in this Section 13.2 shall not apply to:

(i) either Party’s gross negligence or willful misconduct;
(ii) fraud or intentional misrepresentation by either Party;
(iii) either Party’s breach of its confidentiality obligations under Section 11;
(iv) either Party’s indemnification obligations under Sections 13.4 and 13.5;
(v) Client’s payment obligations under this Agreement;
(vi) either Party’s infringement or misappropriation of the other Party’s intellectual property rights; or
(vii) damages arising from either Party’s violation of applicable law.

For purposes of this Section, “gross negligence” means conduct that demonstrates a reckless disregard for the rights or safety of others, and “willful misconduct” means intentional wrongful conduct undertaken with knowledge that such conduct is wrongful.


13.3 Exclusion of Indirect, Consequential, and Special Damages

To the maximum extent permitted by law, Provider shall not be liable for any indirect, consequential, special, exemplary, punitive, or incidental damages, including but not limited to:

(a) lost profits, revenue, or business;
(b) loss of use, data, goodwill, reputation, or opportunity;
(c) business interruption;
(d) cost of replacement services;
(e) cost of data restoration or re-creation; or
(f) errors or failures attributable to Upstream Vendors, 3PPs, Client personnel, Client-controlled systems, or the Client Environment.

These exclusions apply even if Provider was advised of the possibility of such damages.

13.3.1 Additional Limitation for Licensing-Only Clients

For Licensing-Only Clients, and notwithstanding the general cap in Section 13.2, Provider’s total aggregate liability arising out of or relating to licensing, subscriptions, or cloud services provided without Managed Services or Co-Managed Services shall not exceed the total amounts paid by Client to Provider solely for the applicable licensing or subscription services during the twelve (12) months immediately preceding the event giving rise to the claim.


13.4 Client Indemnification Obligations

Client shall indemnify, defend, and hold harmless Provider, its Affiliates, subcontractors, and personnel from and against all claims, damages, liabilities, penalties, costs, and expenses (including reasonable attorneys’ fees) arising from or related to:

(a) Client’s breach of this Agreement or any SOW;
(b) Client’s failure to satisfy Minimum Requirements;
(c) Unsupported Systems or Risk Declination;
(d) actions or omissions of Client personnel or Third-Party Providers;
(e) violations of law, regulation, or industry obligations related to Client Data;
(f) use of Deliverables or Provider IP outside the scope permitted in this Agreement; or
(g) Client’s misconfiguration, unauthorized changes, or insecure practices in the Client Environment.

Provider will provide Client reasonable notice of any claim for which it seeks indemnification.

Provider shall not be liable for any data infiltration, unauthorized access, or data breach resulting from Client’s negligence, gross negligence, or willful misconduct, including but not limited to Client’s failure to implement Minimum Requirements, disregard of Provider recommendations, or actions taken pursuant to a Risk Declination.


13.5 Provider Indemnification

Provider shall indemnify and defend Client against third-party claims alleging that the Services, as provided by Provider and used by Client in accordance with this Agreement, infringe a U.S. patent, copyright, or trade secret. Provider’s indemnification obligations do not apply to:

(a) combinations with products or services not supplied by Provider;
(b) modifications made by Client or a Third-Party Provider;
(c) continued use of allegedly infringing material after Provider provides a non-infringing alternative;
(d) use of the Services in violation of this Agreement; or
(e) claims arising from Client Data or Client’s business operations.

If the Services are found to infringe, Provider may:

(i) obtain a license;
(ii) modify the Services;
(iii) replace the infringing component; or
(iv) terminate the affected portion of the Services and refund prepaid Fees for the unused portion of the term.

This Section 13.5 constitutes Client’s exclusive remedy and Provider’s sole liability for IP infringement claims.

13.5.1 Data Protection Indemnification

Provider shall indemnify, defend, and hold harmless Client from and against third-party claims, damages, liabilities, and reasonable costs (including attorneys’ fees) arising directly from Provider’s material breach of its confidentiality and data protection obligations under Section 11, but only to the extent such breach: (i) results from Provider’s gross negligence or willful misconduct; (ii) occurs with respect to Client Data within Provider’s direct operational control; and (iii) is not caused by Client’s failure to meet Minimum Requirements, unauthorized Client or Third-Party Provider access, or Client’s failure to disclose regulated data pursuant to Section 7.9.

Provider’s indemnification obligations under this Section 13.5.1 are subject to the limitations set forth in Section 13.2 and the carve-outs applicable thereto. Client must provide Provider with prompt written notice of any claim, allow Provider to control the defense and settlement, and cooperate with Provider’s defense. This Section 13.5.1 does not apply to Security Incidents, data infiltration, or unauthorized access arising from: (a) Upstream Vendor failures; (b) Third-Party Provider actions; (c) Client Environment systems outside Provider’s Managed Systems or Co-Managed Systems; or (d) Client’s negligence, gross negligence, or willful misconduct.


13.6 Allocation of Risk

The Parties acknowledge that the Fees reflect the allocation of risk under this Agreement, including:

(a) the disclaimer of warranties;
(b) the limitations on liability;
(c) the indemnification provisions; and
(d) the responsibilities allocated between the Parties.

Provider’s pricing and willingness to enter into this Agreement are conditioned on these limitations. The limitations and exclusions stated in this Section 13 apply even if any remedy fails of its essential purpose.

The Parties acknowledge that each Party’s insurance coverage protects only that Party and does not provide coverage for the other Party’s losses. Client shall not assert any claim against Provider’s insurers, and Provider’s insurance policies shall not be considered a source of recovery for Client’s damages.


14. Dispute Resolution & Governing Law

14.1 Good-Faith Negotiation and Escalation

Before initiating formal dispute resolution, the Parties shall attempt to resolve any dispute arising out of or relating to this Agreement through good-faith negotiations. Each Party shall escalate the matter to senior management with authority to settle the dispute. If the dispute is not resolved within thirty (30) days of written notice of the dispute, either Party may pursue resolution in accordance with this Section 14.


14.2 Governing Law and Venue

Unless otherwise specified in an applicable SOW or Local Law Addendum, this Agreement is governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict-of-laws principles. Any legal action permitted under this Agreement shall be brought exclusively in the state or federal courts located in Collier County, Florida, and the Parties consent to the personal jurisdiction and venue of such courts.

Notwithstanding the foregoing, if a Local Law Addendum applies to Client, the governing law and venue provisions of such Addendum shall control.


14.3 Arbitration

Except for claims seeking injunctive or equitable relief, or claims related to misuse or infringement of intellectual property rights, any dispute arising out of or relating to this Agreement that cannot be resolved under Section 14.1 shall be finally resolved by binding arbitration administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules then in effect, using a single arbitrator selected in accordance with those rules. If the AAA is unable or unwilling to administer the arbitration, the Parties shall mutually agree on an alternative arbitration administrator; if the Parties cannot agree within fifteen (15) days, either Party may petition a court of competent jurisdiction to appoint an arbitrator.

The arbitration shall take place in the venue identified in Section 14.2, unless the Parties agree otherwise. The arbitration may be conducted in person, by videoconference, or by submission of documents, as determined by the arbitrator based on the nature and complexity of the dispute.

Each Party shall bear its own attorneys’ fees and costs incurred in connection with the arbitration, subject to Section 14.4. The arbitrator’s fees and administrative costs of the arbitration shall be shared equally by the Parties, unless the arbitrator determines that a different allocation is appropriate based on the conduct of the Parties or the outcome of the arbitration.

The arbitrator shall have authority to award monetary damages consistent with the limitations set forth in Section 13. The arbitrator shall not have authority to award punitive, exemplary, or indirect damages except to the extent such damages are excluded from the limitations in Section 13.2.

The arbitration proceedings, including any discovery, submissions, hearings, and the arbitration award, shall be confidential and shall not be disclosed to any third party except: (i) as necessary to enforce the award; (ii) as required by law; (iii) to each Party’s legal counsel, accountants, and insurers under obligations of confidentiality; or (iv) with the written consent of both Parties.

The arbitrator shall issue a written decision explaining the basis for the award within thirty (30) days of the close of the arbitration proceedings. Judgment on the arbitration award may be entered in any court having jurisdiction.

The Parties agree that this arbitration provision shall survive termination or expiration of this Agreement.


14.4 Attorneys’ Fees and Costs

The prevailing Party in any action, arbitration, or proceeding arising out of or relating to this Agreement shall be entitled to recover its reasonable attorneys’ fees, expert fees, and costs, in addition to any other relief to which it is entitled, except as otherwise limited by Section 13.


15. General Provisions

15.1 Force Majeure

Neither Party is liable for delays or failures to perform due to events beyond its reasonable control, including natural disasters, acts of government, civil unrest, labor disputes, widespread outages or attacks affecting Upstream Vendors or critical infrastructure, supply chain disruptions, or other force majeure events. Obligations affected by a force majeure event are suspended for the duration of the event.

Force majeure does not excuse Client from payment obligations already incurred or from Access Licensing or Consumption Services commitments.


15.2 Assignment

Client may not assign, transfer, or delegate this Agreement or any SOW, whether by operation of law or otherwise, without Provider’s prior written consent. Provider may assign this Agreement, in whole or in part, to an Affiliate or in connection with a merger, acquisition, reorganization, or sale of substantially all assets, provided the assignee assumes Provider’s obligations.

Any attempted assignment in violation of this Section is void.


15.3 Subcontracting

Provider may use subcontractors to deliver the Services. Provider remains responsible for the performance of its subcontractors, subject to the limitations set forth in this Agreement. Client acknowledges that certain elements of the Services depend on Upstream Vendors, whose performance is governed exclusively by their own terms, warranties, and commitments.


15.4 Notices

Provider Notices
All notices required or permitted to be given by Provider under this Agreement may be delivered by electronic means, including email, Client Portal postings, invoices, account statements, or other electronic communications reasonably designed to provide notice to Client, using the contact information specified in the applicable SOW or otherwise designated by Client. Provider may, but is not required to, deliver notices by courier or mail.

Client Notices
All notices required or permitted to be given by Client under this Agreement must be delivered in writing by email to legal@aln.co, unless an alternate address is expressly designated by Provider in writing. Notices sent to any other email address, individual employee, support channel, ticketing system, Client Portal, or Client-controlled system do not constitute notice to Provider. Any notice of termination or non-renewal provided under this Section serves only to initiate the applicable termination or non-renewal process and is subject to the procedures, confirmations, and effective dates specified elsewhere in this Agreement.

Portal Directionality
Client Portal postings constitute effective notice only when posted by Provider to Client. Client postings within its own systems, tenants, or portals do not constitute notice to Provider unless expressly acknowledged by Provider in writing.

Timing
Notices delivered by electronic means are deemed received upon transmission if sent during normal business hours, or on the next business day if sent outside normal business hours.

Exclusions
Operational communications, support requests, service tickets, and change approvals are not legal notices and must be submitted through the channels described in the Services Guide.

No Waiver; Cross-Reference
No failure or delay in the delivery of any notice shall be deemed a waiver of any right, remedy, or obligation under this Agreement unless expressly stated in a written waiver executed by the waiving party. Notice delivery under this Section does not alter the acceptance or modification provisions set forth elsewhere in this Agreement.


15.5 No Waiver

Failure or delay by either Party to exercise any right under this Agreement does not constitute a waiver. A waiver is effective only if in writing and signed by an authorized representative of the waiving Party.


15.6 Severability

If any provision of this Agreement is found unenforceable, the remaining provisions remain in full force. The unenforceable provision shall be modified to the minimum extent necessary to make it enforceable while preserving the Parties’ intent.


15.7 Entire Agreement

This Agreement, together with all SOWs, the Services Guide (to the extent incorporated), and any Local Law Addendums, constitutes the entire agreement between the Parties and supersedes all prior proposals, discussions, or agreements relating to the subject matter. No other terms, whether in purchase orders or other documents submitted by Client, apply unless expressly accepted in writing by Provider.


15.8 Amendments

Provider may update or modify this Agreement from time to time. When material changes are made, Provider will provide notice to Client, which may include email notice, posting the updated Agreement on Provider’s website or Client Portal, or other reasonable means.

Unless Client objects in writing within thirty (30) days of such notice, the updated Agreement will become effective and will govern all existing and future Services following the notice period. Client’s continued use of the Services after the effective date of the updated Agreement constitutes acceptance of the updated terms.

Notwithstanding the foregoing, updates to the Services Guide may be made by Provider as set forth therein and do not constitute amendments to this Agreement. In the event of any conflict between the Services Guide and this Agreement, this Agreement controls.


15.9 Relationship of the Parties (Independent Contractors)

The Parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, franchise, fiduciary relationship, employer-employee relationship, or agency relationship. Neither Party has authority to bind the other except as expressly stated in this Agreement.


15.10 Counterparts and Electronic Signatures

This Agreement may be executed in counterparts, each of which is deemed an original. Electronic signatures, scanned signatures, and signatures executed through electronic contracting platforms have the same legal effect as original signatures.


15.11 Publicity and Use of Client Name/Logo

Provider may reference Client’s name and logo in its customer lists, proposals, and marketing materials unless Client expressly prohibits such use in writing. Any case studies, press releases, or public announcements referencing Client shall require Client’s prior written consent.


15.12 Non-Solicitation

For the duration of this Agreement and for twelve (12) months thereafter, neither Party shall solicit for employment, hire, or contract with any employee or subcontractor of the other Party who was materially involved in the delivery or receipt of the Services, without the other Party’s prior written consent.
This restriction does not apply to individuals who respond to general solicitations not specifically directed at the other Party’s personnel.


15.13 Automatic Renewal Disclosure

IMPORTANT NOTICE REGARDING AUTOMATIC RENEWAL: THIS AGREEMENT AND EACH SOW CONTAIN AUTOMATIC RENEWAL PROVISIONS. UNLESS CLIENT PROVIDES WRITTEN NOTICE OF NON-RENEWAL AT LEAST SIXTY (60) DAYS BEFORE THE END OF THE THEN-CURRENT TERM, SERVICES WILL AUTOMATICALLY RENEW FOR SUCCESSIVE RENEWAL TERMS AS SPECIFIED IN SECTION 4.2. UPON RENEWAL, FEES WILL BE SUBJECT TO THE STANDARD RENEWAL ADJUSTMENT AND ANY APPLICABLE SUPPLEMENTAL ADJUSTMENT AS DESCRIBED IN SECTION 5.1. CLIENT’S FAILURE TO PROVIDE TIMELY NON-RENEWAL NOTICE WILL RESULT IN CONTINUED SERVICE AND PAYMENT OBLIGATIONS FOR THE FULL RENEWAL TERM. PROVIDER WILL MAKE COMMERCIALLY REASONABLE EFFORTS TO NOTIFY CLIENT OF UPCOMING RENEWALS AT LEAST THIRTY (30) DAYS PRIOR TO RENEWAL.

Client acknowledges that it has read and understands this automatic renewal disclosure.


15.14 Electronic Acceptance

Client may accept this Agreement and any SOW by: (a) signing the applicable document; (b) completing the Provider’s online Terms Acceptance form; (c) clicking “I Accept” or similar affirmation in an electronic system; or (d) any other method that demonstrates intent to be bound. Electronic acceptances are legally binding and equivalent to a handwritten signature. Provider may rely on the electronic record of acceptance, including metadata such as timestamp, IP address, and signer identification, as evidence of agreement.