Master Services Agreement
SWORKSCYBER, LLC d/b/a Rovally
Cybersecurity & Compliance Services
Service Provider Contact Information
1111 6th Ave Ste 550, PMB 367700, San Diego, California 92101-5211
Last Updated: November 2025
1. INTRODUCTION AND SCOPE
Summary: This section establishes who the parties are and how this agreement works with individual project scopes.
This Master Services Agreement ("Agreement" or "MSA") establishes the general terms and conditions under which SWORKSCYBER, LLC d/b/a Rovally ("Provider" or "Rovally") will provide cybersecurity and IT services to clients ("Client"). This MSA is incorporated by reference into each Statement of Work ("SOW") executed between Rovally and Client.
In the event of any conflict between this MSA and a SOW, the terms of this MSA shall prevail unless the SOW explicitly states otherwise.
2. SERVICES
Summary: This section defines what services Rovally provides, how they're delivered, and who does the work. Key points: services are defined in SOWs; we may use qualified subcontractors; all services are remote unless otherwise agreed.
2.1 Purpose
Provider will deliver to Client cybersecurity and IT solutions—including professional services, managed security services, third-party software and platform management, and any related products or devices (collectively, "Cyber Security Services" or "Services"). The detailed nature, scope, pricing, and deliverables of these Services are set forth in the applicable Statement of Work.
2.2 Statements of Work
"Statement(s) of Work" or "SOWs" means a statement of work, ordering document, accepted proposal, or other agreed upon engagement document issued under this Agreement. Each SOW will incorporate this MSA by reference and will be governed by the terms and conditions of this Agreement. Statements of Work may set out certain "Deliverables", which include all written information (such as reports, specifications, designs, plans, or other technical or business information) that Provider prepares for Client in the performance of the Services.
2.3 Qualified Consultants
Provider will assign qualified consultants to work with Client. These consultants will make all commercially reasonable efforts to provide Client with Services in a professional and satisfactory manner.
2.4 Subcontractors and Third-Party Service Providers
Summary: Rovally may use vetted subcontractors without requiring your approval. We remain responsible for their work and ensure they meet security standards.
Use of Subcontractors
Provider reserves the right to engage qualified subcontractors, including but not limited to Alectrona, LLC, to perform certain Services under this Agreement, particularly IT Operations services as specified in the Statement of Work. Provider may change, add, or remove subcontractors at its discretion without requiring Client's prior approval, provided that all subcontractors meet the requirements set forth in this section.
Provider's Responsibility for Subcontractors
Provider remains fully responsible and liable for all Services performed by subcontractors as if Provider had performed such Services directly. Client's sole recourse for any issues arising from subcontractor performance shall be against Provider, not the subcontractor. Provider shall ensure that all subcontractors:
- Are bound by written agreements containing confidentiality obligations at least as restrictive as those in this Agreement
- Maintain appropriate cybersecurity safeguards, controls, and best practices equivalent to or exceeding industry standards
- Hold current SOC 2 Type II certification or equivalent compliance certification demonstrating adequate security controls
- Maintain professional liability insurance with coverage limits appropriate for the Services being performed
- Comply with all applicable data protection laws and regulations
- Adhere to the same service quality standards required of Provider under this Agreement
Insurance Coverage
All Services performed by subcontractors are covered under Provider's professional liability and cyber liability insurance policies. Provider warrants that it maintains insurance coverage adequate to cover all Services delivered under this Agreement, whether performed directly by Provider or through subcontractors.
Data Security and Compliance
Provider shall ensure that all subcontractors with access to Client data implement and maintain security measures, including encryption, access controls, and monitoring, that meet or exceed the standards described in the "Data Security" section of this Agreement. Subcontractors shall be subject to the same audit rights afforded to Client with respect to Provider's security practices.
Disclosure
Provider will identify in the Statement of Work or otherwise disclose to Client which Services are performed by subcontractors. Where IT Operations services are provided, Client acknowledges that such services are performed by Alectrona, LLC as Provider's subcontractor, unless otherwise specified.
2.5 Service Delivery
Remote Services: All services will be performed remotely, unless otherwise agreed upon in writing with the Client.
On-Site Services: Provider will provide on-site services (such as tabletop security exercises or executive and board meetings) on an as-needed basis, upon mutual agreement and at Client's expense.
After Hours Support: Provider maintains support staff for emergencies 365 days a year, but responds only to emergency support requests during weekends and holidays. Provider's holiday schedule will be provided to Client.
2.6 Service Levels
Provider will make every commercially reasonable effort to meet the needs of Client. Specific response and resolution time targets will be set forth in the applicable SOW or Service Level Agreement.
2.7 Excluded Services
Unless explicitly included in a Statement of Work, this Agreement does not cover:
- Support for personally owned equipment
- Home or cellular network issues
- Unsupported equipment and software
- Third-party owned equipment or software not explicitly covered
- Custom application development
- Training beyond basic system use and cyber security or compliance related content
Provider reserves the right to deny support or charge additional fees for services outside the scope of this Agreement or the applicable SOW.
2.8 Third-Party Software and Services
Summary: Rovally manages various third-party tools on your behalf. We configure and administer these tools, but the vendors themselves are responsible for their platforms. We may substitute equivalent tools to meet SOW requirements.
2.8.1 Service Categories
Provider offers two categories of technology services:
(a) Managed Third-Party Services: Software and services that Provider resells, implements, configures, and manages on Client's behalf, as specified in Schedule B (Third-Party Service Catalog). These include security, compliance, and operational platforms where Provider maintains licensing relationships with vendors and provides ongoing management services.
(b) Client-Managed Applications: Software and services that Client procures, licenses, and manages independently. Provider bears NO responsibility or liability for Client-Managed Applications beyond advisory services if explicitly included in the Statement of Work.
2.8.2 Provider's Role with Managed Third-Party Services
For Managed Third-Party Services listed in Schedule B, Provider's responsibilities are limited to:
- Vendor relationship management and license procurement at negotiated rates
- Initial implementation, configuration, and integration
- Ongoing administration, monitoring, and optimization
- Technical support escalation and coordination with vendors
- Strategic recommendations for effective utilization
Provider does NOT:
- Develop, host, maintain, or control the underlying third-party platforms
- Guarantee third-party service uptime, availability, or performance
- Warrant third-party security practices, compliance certifications, or data handling
- Control third-party pricing, terms changes, or product roadmaps
- Provide legal, regulatory, or compliance advice regarding third-party services
2.8.3 Vendor Selection and Substitution Rights
Summary: Rovally may use any qualified vendor that meets the functional requirements of your SOW—not just those listed in Schedule B. This flexibility ensures we can always provide the best solution for your needs.
Provider maintains sole discretion over vendor and tool selection for delivering Services described in each Statement of Work. Schedule B represents a non-exhaustive catalog of vendors that Provider may utilize. Provider expressly reserves the right to:
- Select, add, remove, or substitute any third-party vendor, platform, or tool at any time without Client approval, provided the replacement meets the functional and security requirements specified in the applicable SOW
- Use vendors not listed in Schedule B when Provider determines such vendors better serve Client's needs or offer superior capabilities
- Transition between vendors when necessary due to vendor business decisions, pricing changes, feature deprecation, or security concerns
- Utilize multiple vendors within a single service category to optimize coverage, cost, or functionality
Client acknowledges that the specific tools and vendors used are implementation details, and that Provider's obligation is to deliver the functional outcomes described in the SOW (such as "endpoint protection," "compliance automation," "mobile device management," or "content filtering") regardless of which specific vendor is utilized. Provider will notify Client of material vendor changes that affect Client's day-to-day operations.
Any vendor used to deliver Services—whether listed in Schedule B or not—is subject to the terms, limitations, and disclaimers set forth in this Section 2.8 and in Schedule B's General Provisions.
2.8.4 Client Acceptance of Third-Party Terms
Client acknowledges that use of Managed Third-Party Services creates a direct legal relationship between Client and each vendor. By purchasing Managed Third-Party Services through Provider, Client agrees to:
(a) Be bound by each vendor's Terms of Service, Acceptable Use Policy, Privacy Policy, and Data Processing Agreement as currently published and as may be updated from time to time;
(b) Comply with all vendor usage restrictions, requirements, and obligations;
(c) Accept that vendors may modify their terms, pricing, or discontinue services with or without notice;
(d) The specific vendor terms and policies accessible at the URLs provided in Schedule B or as otherwise communicated by Provider.
Client certifies that Client or Client's Authorized Representative has reviewed (or will review prior to service activation) the applicable vendor terms for each Managed Third-Party Service. Provider will provide reasonable notice of material vendor terms changes when informed by vendors, but Client remains responsible for monitoring vendor communications and terms updates.
2.8.5 Service-Specific Acknowledgments
Security and Monitoring Services (including but not limited to Turngate, SentinelOne, Dope Security, Jamf Protect):
Client acknowledges that cybersecurity tools reduce but do not eliminate security risks. Provider configures and monitors these tools but is NOT liable for:
- Malware, ransomware, or threats that evade detection by the third-party service
- Security breaches resulting from vulnerabilities in the third-party software itself
- Zero-day exploits or attacks occurring before threat signatures are available
- Security incidents resulting from Client's failure to implement Provider's recommendations
- Vendor service outages preventing real-time threat detection or response
Compliance and GRC Platforms (including but not limited to Secureframe, Drata, Vanta):
Client acknowledges that compliance automation platforms are tools that facilitate compliance efforts but do NOT guarantee compliance or audit passage. Provider configures these platforms and provides technical guidance but does NOT:
- Provide legal or regulatory compliance advice
- Guarantee that use of these platforms will result in achieving or maintaining any certification (SOC 2, ISO 27001, HIPAA, etc.)
- Warrant that automated evidence collection captures all necessary compliance artifacts
- Bear responsibility for audit failures, compliance gaps, or regulatory penalties
Client remains solely responsible for:
- Determining which compliance frameworks apply to Client's business
- Implementing policies, procedures, and controls necessary for compliance
- Engaging qualified legal counsel and compliance professionals
- Reviewing and validating all compliance evidence and documentation
- Maintaining compliance with all applicable regulations
Mobile Device Management (including but not limited to Jamf Pro, NinjaOne):
Client acknowledges that MDM platforms provide device management and security enforcement capabilities. Provider configures and manages these platforms but is NOT liable for:
- Device compliance failures due to user actions or device modifications
- Data loss on managed devices resulting from user error or device failure
- Vendor platform outages affecting device management capabilities
- Limitations in vendor-supported device types or operating system versions
2.8.6 Liability Allocation for Third-Party Services
For issues arising directly from Managed Third-Party Services (vendor outages, software defects, data loss within vendor systems, security breaches of vendor infrastructure, vendor terms changes, vendor service discontinuation, vendor pricing increases), Client's SOLE REMEDY is against the vendor under their terms and conditions.
Provider has ZERO LIABILITY for:
- Any failure, defect, bug, or limitation in third-party software or services
- Vendor security incidents, data breaches, or unauthorized access occurring within vendor-controlled systems
- Vendor service interruptions, degraded performance, or outages
- Data loss occurring within vendor systems or due to vendor actions
- Vendor's failure to meet their published service level agreements
- Changes to vendor pricing, terms, features, or service discontinuation
- Compatibility issues between different third-party services
- Vendor's failure to maintain compliance certifications or security standards
- Regulatory fines or penalties resulting from vendor compliance failures
Provider's liability is LIMITED TO Provider's configuration, implementation, and management services:
- Scope: Provider is liable only for Provider's gross negligence or willful misconduct in performing implementation or management services
- Excluded: Provider is NOT liable for simple negligence, errors in judgment, or decisions made based on incomplete information provided by Client
- Cap: Any liability is subject to the $10,000 aggregate cap in Section 10 of this Agreement
- No Consequential Damages: Provider is not liable for indirect, consequential, special, or punitive damages of any kind
2.8.7 Client-Managed Applications
For any software, services, or systems that Client procures, licenses, or manages independently (Client-Managed Applications), Provider:
- Bears ZERO responsibility or liability for performance, security, availability, or compliance
- May provide advisory services only if explicitly included in the Statement of Work
- Is not responsible for integration failures between Client-Managed Applications and Managed Third-Party Services
- May decline to provide services that depend on Client-Managed Applications if Provider determines they are inadequately secured or maintained
Client must disclose all Client-Managed Applications to Provider and notify Provider of any changes, additions, or removals within fourteen (14) days.
2.8.8 Vendor Relationship Changes
Provider reserves the right to:
- Substitute equivalent third-party services with sixty (60) days written notice
- Discontinue reselling specific vendor services with ninety (90) days written notice
- Adjust pricing to reflect vendor cost changes with thirty (30) days written notice
Upon such changes, Client may:
- Accept the substitute service or price adjustment and continue service
- Terminate the affected service without penalty upon written notice
- Establish a direct relationship with the vendor (if vendor permits)
Provider will reasonably assist with transition to substitute services or direct vendor relationships at no additional charge for up to thirty (30) days following notice.
2.8.9 Vendor Communication and Support
Provider serves as the primary point of contact for technical support related to Managed Third-Party Services. However:
- Vendors may communicate directly with Client regarding account matters, billing (if applicable), terms changes, or security incidents
- Client authorizes Provider to communicate with vendors on Client's behalf for technical support and configuration matters
- Client may communicate directly with vendors for support if needed, but should coordinate with Provider to ensure consistency
- Provider is not responsible for vendor support quality, response times, or resolution effectiveness beyond Provider's escalation efforts
3. PAYMENT TERMS
Summary: Payment is due on the 1st of each month. Late payments accrue 12% annual interest. You must pay for third-party services regardless of satisfaction—your remedy for vendor issues is with the vendor, not Rovally.
3.1 Fees and Payment
Fees, payment terms, and billing schedules are specified in each Statement of Work. Unless otherwise stated in the SOW, payment for services is due on the 1st of each month for monthly recurring services.
3.2 Late Payment
If any invoice is not paid when due, interest will be added to and payable on all overdue amounts at 12 percent per year, or the maximum percentage allowed under applicable laws, whichever is less. Client shall pay all costs of collection, including without limitation, reasonable attorney fees.
3.3 Third-Party Software and Service Fees
3.3.1 Payment Structure
For Managed Third-Party Services listed in Schedule B, Provider maintains licensing and billing relationships with vendors. Client pays Provider for these services according to the pricing specified in the applicable Statement of Work. Provider's pricing includes:
- The vendor's license or subscription cost
- Provider's management and administration services
3.3.2 Payment Independence
Client must pay Provider for Managed Third-Party Services regardless of:
- Client's satisfaction with the vendor's service performance
- Vendor service outages or interruptions
- Disputes between Client and the vendor
- Whether Client actively uses the service
This reflects that Provider has payment obligations to vendors that are independent of Client's use or satisfaction. Client's remedy for vendor performance issues is against the vendor, not through withholding payment to Provider.
3.3.3 Vendor Price Changes
If a vendor increases pricing for their services, Provider will provide Client with thirty (30) days written notice. Client may:
- Accept the price increase and continue service
- Terminate the affected service without penalty upon written notice
- Work with Provider to negotiate with the vendor (no guarantee of success)
3.3.4 Client-Managed Application Costs
For Client-Managed Applications, Client is solely responsible for all costs, licensing, renewals, and vendor relationships. Provider may assist with procurement advisory services if explicitly included in the Statement of Work, but Provider has no payment obligations or liability related to Client-Managed Applications.
3.3.5 Implementation and Setup Fees
Initial implementation, configuration, and integration services for new Managed Third-Party Services may be billed separately as specified in the Statement of Work. These are one-time professional services fees in addition to ongoing monthly management fees.
3.4 Non-Payment
In addition to any other right or remedy provided by law, if Client fails to pay for the Services when due, Provider has the option to treat such failure to pay as a material breach of this Agreement, and may cancel this Agreement and/or seek legal remedies.
4. TERM AND TERMINATION
Summary: Agreements auto-renew for 24-month terms unless terminated 90 days prior. Either party has 60 days to cure a breach before termination. Non-payment triggers a shorter 15-day cure period.
4.1 Initial Term and Renewal
The initial term and any renewal terms will be specified in the applicable Statement of Work. Unless otherwise stated in the SOW, agreements will automatically renew for successive 24-month terms unless terminated ninety (90) days prior to the end of the applicable term.
4.2 Remedies and Cure for Breach
If either Party (the "Breaching Party") materially breaches this Agreement, the other Party (the "Non-Breaching Party") may invoke the following procedure:
- Notice of Breach: The Non-Breaching Party shall give written notice describing the breach in reasonable detail
- 60-Day Cure Period: The Breaching Party has sixty (60) calendar days from receipt of the notice to cure the breach in full
- Election to Terminate: If the breach is not fully cured within that period, the Non-Breaching Party may terminate this Agreement by giving a second written notice, effective on the date specified in that notice (which may be immediate)
4.3 Termination for Cause
Without prejudice to any other rights or remedies to which the Parties may be entitled, but subject to Section 4.2, either Party may terminate this Agreement without liability to the other if:
- The other Party commits a material breach that is handled in accordance with the 'Remedies and Cure for Breach' clause above
- The other Party becomes the subject of a voluntary or involuntary bankruptcy, insolvency, receivership, or assignment for the benefit of creditors that is not dismissed within forty-five (45) days
- The other Party ceases, or threatens to cease, to trade
- The other Party takes or suffers any similar or analogous action in any jurisdiction in consequence of debt
4.4 Payment Default
Notwithstanding the foregoing, if Client fails to pay any undisputed amount when due and does not cure within fifteen (15) days after receiving written notice, Provider may terminate immediately upon further written notice.
4.5 Effect of Termination
On termination of this Agreement:
- Provider shall immediately cease provision of the Services but may provide transition services as agreed upon by the Parties
- Each Party shall return and make no further use of any equipment, property, materials and other items (and all copies of them) belonging to the other Party
- The accrued rights of the Parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced
5. NOTIFICATIONS
Summary: Rovally will notify you within 24 hours of any suspected data breach. We can work with third parties on your behalf but won't sign contracts or make financial decisions without your approval.
5.1 Data Breach Notifications
Provider will notify Client within twenty-four (24) hours of discovering any actual or suspected unauthorized access to or disclosure of Client's data. This obligation extends to any data breach occurring at a subcontractor's facilities or systems.
5.2 Authority with Third-Party Services
Provider may, at its discretion, need to contact third parties to resolve cybersecurity-related issues. When working on behalf of Client with third parties that are not Provider Partners, Client authorizes Provider to act on Client's behalf for the purposes of providing services under this Agreement. Provider will not sign any agreement or contract on behalf of Client, nor will Provider make any financial decisions without permission from Client.
6. CLIENT OBLIGATIONS
Summary: You need to designate contacts, provide access to systems, maintain proper licenses, notify us of employee changes (14 days for onboarding, 5 days for departures), and carry at least $1M in cyber insurance.
6.1 Authorized Representative
Client will designate at least one person as an Authorized Representative for the purpose of this Agreement. Client's Authorized Representative(s) will be the point of contact for providing services, technology planning, changes in access to privileged information, and providing access to secure information (including payment information). Provider will take the Authorized Representatives' directions as authorized by Client.
6.2 Safe Work Environment
Client will provide a safe environment for Provider's staff. Provider will not permit its staff to be subjected to dangerous, threatening, or perilous situations, locations, and equipment. Client will take action to remedy any apparent hazards (such as toxic materials, unsafe machinery, or exposed electrical wiring) in the workplace, before requesting Provider's service.
6.3 Professional Behavior
Both Parties agree personnel will be courteous and respectful towards each other.
6.4 Access
Provider will be granted reasonably clear and unfettered access to all devices, systems, networks, and offices relevant to the performance of requested work. This includes access necessary for Provider's subcontractors to perform their designated Services.
6.5 Supported Software & Devices
Provider does not support unlicensed or counterfeit software of any kind. Client agrees to only use licensed software and is responsible for maintaining current software licenses and hardware warranties unless otherwise specified in this Agreement or SOW.
6.6 Employee Records and Personnel Changes
Client will make available to Provider a working directory of all Client's active personnel, their role within the organization, and advance notice (where possible) of employee onboardings and departures. Client agrees to submit a request at least 14 business days in advance of a new employee's start date and at least 5 business days in advance of an employee's end date, if known in advance by Client.
6.7 Vendor Notification
Client will notify Provider of all other vendors with current or recent access to devices, services, or systems within Client's technology environment. This includes, but is not limited to, former employees, current and former independent contractors, previous technology support vendors, repair technicians, and any other third party granted access by Client or the personnel of Client. Notification will include appropriate contact information for the vendors. Failure to notify Provider of these vendors (and their access to Client's environment) will be viewed as a violation of Client's duties, and repeated violations will be considered a material breach of this Agreement.
6.8 Environment Changes
Client will notify Provider at least fourteen (14) days in advance of any planned changes to their technology environment that may affect the services provided under this Agreement.
6.9 Staff Training
Client agrees to ensure that its employees participate in any necessary training provided by Provider to facilitate effective service delivery.
6.10 Risk Assessment and Mitigation
Client agrees to participate in annual risk assessment exercises conducted by the Provider. These assessments will identify potential vulnerabilities in Client's technology infrastructure and operations. Client commits to working collaboratively with Provider to implement agreed-upon risk mitigation strategies.
6.11 Personal Information Warranty
Client expressly warrants and agrees that any and all Personal Information furnished or accessible to Provider has been collected, compiled and/or obtained in compliance with any and all applicable laws, statutes, rules, or regulations ("Personal Information Regulation"). Personal Information Regulation includes applicable laws concerning the privacy and/or security of Personal Information, and all regulations promulgated thereunder, including but not limited to HIPAA, HITECH, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transaction Act, the Federal Trade Commission Act, the Privacy Act of 1974, the CAN-SPAM Act, the Telephone Consumer Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Children's Online Privacy Protection Act, state Social Security number protection laws, state data breach notification laws, state consumer protection laws, and Canada's Personal Information Protection and Electronic Documents Act. Client further warrants and agrees that it has (or will have) obtained requisite consent to use any individual's Personal Information before furnishing such Personal Information to Provider for its use as part of the Services.
6.12 Scope of Agency
Client acknowledges and agrees that, in utilizing any Personal Information furnished or accessible to Provider by Client, Provider is acting solely as Client's agent. Client further acknowledges and agrees that Provider does not provide legal or compliance advice of any kind, including but not limited to advice regarding the collection, use or storage of Personal Information. Client warrants and agrees that it is solely responsible for its compliance with any applicable Personal Information Regulation.
6.13 Cybersecurity Insurance
Client agrees to maintain appropriate cybersecurity insurance coverage proportional to their business risk, with minimum coverage limits of $1 million per incident.
7. CONFIDENTIALITY
Summary: Rovally will keep your information confidential. Confidentiality obligations continue for 3 years after the agreement ends. We'll return or destroy your information when our relationship concludes.
7.1 General Confidentiality Obligations
Provider will not share Client's proprietary and confidential information. Client's proprietary data will be treated as strictly confidential by Provider (and all staff of Provider, including subcontractors). No one at Provider or its subcontractors will use Client's information in an unauthorized manner or for personal gain.
When Client's agreement with Provider expires or terminates (and is not renewed), Provider will return to Client all notes, records, documentation, and other items containing proprietary information. Those items that cannot be returned, or which the Client will not accept, will be destroyed.
Provider and its agents, including subcontractors, will not use or disclose Client information, except as necessary to or consistent with providing the contracted services and will protect against unauthorized use.
7.2 Definition of Confidential Information
"Confidential Information" of a Party hereto shall be deemed to include all information, materials, and data disclosed or supplied by such Party to the other party that is designated to be of a confidential nature. If disclosed in written or other tangible form or electronically, Confidential Information shall be marked as "Confidential." If disclosed orally or visually, Confidential Information shall be identified as such at the time of disclosure and designated as "Confidential" in a written memorandum summarizing the Confidential Information sufficiently for identification, to be delivered within thirty (30) days of such disclosure.
7.3 Exclusions from Confidential Information
The following information shall not be considered Confidential Information:
- Information that is or becomes generally known within the relevant industry through no wrongful act or omission or breach of obligations under this Agreement
- Information which the receiving Party can establish and document by contemporaneous written proof was in its possession or known to it prior to receipt, without any obligation of confidentiality
- Information that is rightfully disclosed by a third party with no obligation of confidentiality
- Information which is independently developed without use of or reference to Confidential Information, with the burden of proving such independent development
7.4 Use and Disclosure Restrictions
Confidential Information may not be used except in the performance of obligations under this Agreement. Provider shall maintain the confidentiality of all of Client's Confidential Information and shall not disclose such Confidential Information to any person or entity, except as provided in this Agreement.
7.5 Required Disclosure
To the extent Provider is required to disclose Confidential Information pursuant to any court or regulatory order, Provider shall promptly notify Client in writing of the existence, terms, and circumstances surrounding such disclosure so that Client may seek a protective order or other appropriate remedy from the proper authority. Provider agrees to cooperate with Client in seeking such order or remedy. Provider further agrees that if required to disclose Confidential Information, Provider shall furnish only that portion that is legally required and shall exercise all reasonable efforts to obtain reliable, written assurances that confidential treatment shall be accorded to Confidential Information.
7.6 Return of Confidential Information
Provider shall promptly return to Client all correspondence, memoranda, papers, files, records, and other tangible materials embodying Client's Confidential Information or from which such information may be derived, including all copies, extracts, or other reproductions thereof, when Provider no longer needs such Confidential Information to accomplish the performance of Provider's obligations under this Agreement or when Client requests its return, whichever occurs first, or certify to Client that all such materials have been destroyed if Client requests such destruction.
7.7 Subcontractor Confidentiality
Provider shall ensure that all subcontractors are bound by confidentiality obligations at least as restrictive as those set forth in this section. Provider remains fully liable for any breach of confidentiality by its subcontractors.
7.8 Post-Term Confidentiality Obligations
Notwithstanding the termination or expiration of this Agreement, Provider agrees to maintain the confidentiality of all Client Confidential Information and shall not disclose, use, or permit the use of such information for a period of three (3) years following the termination or expiration of this Agreement. This obligation shall survive termination and remain in full force and effect, except where disclosure is required by law, provided that Provider complies with the notification obligations outlined above. This obligation extends to all subcontractors engaged by Provider.
8. INTELLECTUAL PROPERTY AND DATA
Summary: Your data and materials remain yours. Client data stored on our equipment is encrypted, and the systems we use to access your environment are encrypted and secured. We're not liable for data loss in third-party systems; that risk comes with using cloud services.
8.1 Client Materials
Any materials or data provided by Client remain the property of Client. Client grants Provider a limited license to use such materials solely for the purpose of providing the Services under this Agreement. This license extends to Provider's subcontractors solely as necessary for performance of their designated Services.
8.2 Data Security - Storage & Transmission
All Provider computers with access to Client systems will be encrypted and secured. All Client data collected by Provider and stored on Provider equipment will be encrypted at rest. All access by Provider personnel to records of Client's proprietary information is secured, monitored, and audited.
In performing the services pursuant to this Agreement, Provider and its personnel may be required to store confidential information about and for Client.
Provider is not responsible for loss of data that is not stored on Provider's servers; this includes, but is not limited to, data lost as a result of a failure of a third-party service provider.
Client is wholly responsible for delivering data to Provider in a secure manner. Provider is not responsible for the insecure transmission or storage of data by Client or Client personnel. Provider will assist any Client employee who requests help encrypting or otherwise securing data for transmission to Provider.
When any device is encrypted by Provider at Client's request, the secure storage of the encryption keys (including any recovery keys) is solely the responsibility of Client.
Client is solely responsible and liable for the content of Client's data. Provider is not responsible or liable for any data provided by Client to Provider or a third party for any purpose, and will not screen or monitor any content of Client's data stored on Provider's servers.
8.2.1 Third-Party Service Data Security
When Client's data is stored in or processed by Managed Third-Party Services, Client acknowledges that:
(a) The vendor's security controls, encryption standards, access management, and data protection practices govern data security within their systems;
(b) Provider does not control the vendor's security infrastructure, practices, or certifications;
(c) Provider will configure security settings available within each third-party service according to industry best practices and Client's requirements;
(d) Provider is NOT liable for security breaches, unauthorized access, or data loss occurring within vendor-controlled systems or resulting from vendor security failures;
(e) Client should review each vendor's security documentation, certifications (SOC 2, ISO 27001, etc.), and data processing agreements independently;
(f) Provider will assist with vendor security incident response but cannot guarantee vendor responsiveness or outcomes.
Provider's Security Responsibilities:
Provider remains fully responsible for securing:
- Provider's own systems used to manage or access Client's environment
- Credentials and access keys for Client's third-party services in Provider's custody
- Configuration backups and documentation stored on Provider systems
- Communications and data transmission between Provider and Client
Provider will notify Client within twenty-four (24) hours of discovering any security incident involving Provider's systems that may affect Client data, and will cooperate with Client in any required breach notifications to regulators or affected parties.
8.3 Subcontractor Data Security
Provider shall ensure that all subcontractors implement and maintain data security measures that meet or exceed the standards described in this section, including encryption, access controls, monitoring, and audit capabilities. Provider shall verify subcontractor compliance with these standards and remains fully responsible for any data security incidents involving subcontractors.
8.4 Data Loss
Provider will make every reasonable effort to protect Client against data loss. Provider will give advice, recommend solutions, and encourage comprehensive data protection practices.
The nature of Provider's work prevents any guarantee against data loss caused by a third party failing to adequately protect Client's data, or by hardware failure. Provider commits to protect Client's data whenever it is stored on one of Provider's computers or hard drives, but will not be held liable for data loss resulting from any third-party service, including services provided by Provider's subcontractors, beyond the liability limits set forth in this Agreement. Data loss is an inherent risk of relying on third-party technology services, and agreement on this point is fundamental to Client's business relationship with Provider.
9. WARRANTIES AND DISCLAIMERS
Summary: We provide professional services but can't guarantee third-party software performance, security tool effectiveness, or compliance outcomes. Your remedy for vendor issues is with the vendor, not Rovally.
PROVIDER MAKES NO WARRANTIES OF ANY KIND, EXPRESSED OR IMPLIED ON ITS OWN REGARDING THE FUNCTIONALITY OF HARDWARE OR SOFTWARE, BUT INSTEAD RELIES ON THE WARRANTIES PROVIDED BY THE MANUFACTURER OF EACH SUCH PRODUCT.
THIRD-PARTY SOFTWARE AND SERVICES DISCLAIMERS:
PROVIDER RESELLS AND MANAGES THIRD-PARTY SOFTWARE AND SERVICES BUT DOES NOT DEVELOP, MANUFACTURE, OR CONTROL THESE PRODUCTS. PROVIDER MAKES NO WARRANTIES WHATSOEVER REGARDING THIRD-PARTY SERVICES LISTED IN SCHEDULE B OR UTILIZED PURSUANT TO SECTION 2.8.3, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SECURITY, AVAILABILITY, UPTIME, DATA INTEGRITY, COMPLIANCE WITH REGULATIONS, OR NON-INFRINGEMENT.
CLIENT ACKNOWLEDGES THAT THIRD-PARTY SERVICES ARE PROVIDED BY THEIR RESPECTIVE VENDORS "AS IS" AND SUBJECT TO THE VENDOR'S TERMS, WARRANTIES (IF ANY), AND DISCLAIMERS. PROVIDER'S SOLE WARRANTY REGARDING THIRD-PARTY SERVICES IS THAT PROVIDER WILL USE COMMERCIALLY REASONABLE EFFORTS TO IMPLEMENT, CONFIGURE, AND MANAGE SUCH SERVICES PROFESSIONALLY.
FOR COMPLIANCE AND GRC PLATFORMS (INCLUDING BUT NOT LIMITED TO SECUREFRAME, DRATA, VANTA), PROVIDER SPECIFICALLY DISCLAIMS ANY WARRANTY THAT USE OF THESE PLATFORMS WILL RESULT IN ACHIEVING OR MAINTAINING ANY COMPLIANCE CERTIFICATION, PASSING ANY AUDIT, OR SATISFYING ANY REGULATORY REQUIREMENT.
FOR SECURITY SERVICES (INCLUDING BUT NOT LIMITED TO TURNGATE, SENTINELONE, DOPE SECURITY, JAMF PROTECT, JAMF RADAR), PROVIDER SPECIFICALLY DISCLAIMS ANY WARRANTY THAT THESE SERVICES WILL DETECT OR PREVENT ALL SECURITY THREATS, MALWARE, UNAUTHORIZED ACCESS, OR DATA BREACHES. CLIENT ACKNOWLEDGES THAT NO SECURITY SOLUTION PROVIDES ABSOLUTE PROTECTION AND THAT CYBERSECURITY REQUIRES LAYERED DEFENSES AND ONGOING VIGILANCE.
FOR MOBILE DEVICE MANAGEMENT SERVICES (INCLUDING BUT NOT LIMITED TO JAMF PRO, NINJAONE), PROVIDER SPECIFICALLY DISCLAIMS ANY WARRANTY THAT THESE SERVICES WILL PREVENT ALL DEVICE SECURITY INCIDENTS, DATA LOSS, OR COMPLIANCE FAILURES ON MANAGED DEVICES.
FOR HELP DESK AND SUPPORT SERVICES (INCLUDING BUT NOT LIMITED TO FIXIFY), PROVIDER SPECIFICALLY DISCLAIMS ANY WARRANTY REGARDING RESOLUTION TIMES, FIRST-CALL RESOLUTION RATES, OR USER SATISFACTION, AS THESE DEPEND ON FACTORS OUTSIDE PROVIDER'S CONTROL.
CLIENT'S EXCLUSIVE REMEDIES FOR DEFECTS, FAILURES, OR ISSUES WITH THIRD-PARTY SERVICES ARE AGAINST THE RESPECTIVE VENDORS UNDER THEIR TERMS AND CONDITIONS.
EXCEPT AS STATED IN THIS AGREEMENT, PROVIDER DOES NOT MAKE, AND HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, INTEROPERABILITY, AND TITLE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. PROVIDER DOES NOT WARRANT THAT THE WORK AND SERVICE PROVIDED HEREUNDER WILL BE UNINTERRUPTED AND ERROR FREE. PROVIDER DOES NOT MAKE AND HEREBY DISCLAIMS ALL EXPRESS AND IMPLIED WARRANTIES AGAINST LOSS OF DATA, COMPROMISE OF NETWORK SECURITY, AND EXPOSURE OR RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION, REGARDLESS OF CAUSE. ALL WARRANTIES PROVIDED HEREIN ARE PERSONAL TO, AND INTENDED SOLELY FOR THE BENEFIT OF CLIENT, AND DO NOT EXTEND TO ANY THIRD PARTY. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, CLIENT ACKNOWLEDGES THAT PROVIDER SHALL BEAR NO RESPONSIBILITY FOR THE PERFORMANCE, REPAIR OR WARRANTY OF ANY OF CLIENT'S SOFTWARE, HARDWARE PRODUCTS OR SERVICES PROVIDED TO CLIENT OR BY A THIRD PARTY, UNLESS OTHERWISE SET FORTH HEREIN. THESE WARRANTY DISCLAIMERS APPLY TO SERVICES PROVIDED DIRECTLY BY PROVIDER AND SERVICES PROVIDED BY PROVIDER'S SUBCONTRACTORS.
10. LIMITATION OF LIABILITY
Summary: Rovally's total liability is capped at $10,000. We're not liable for indirect damages, lost profits, or issues with third-party vendors. This cap is necessary to provide affordable services to startups.
NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO LOSS OF DATA, BUSINESS INTERRUPTION, OR LOSS OF PROFITS, ARISING OUT OF THE USE OF OR THE INABILITY TO USE THE COVERED COMPUTER SYSTEMS.
IN RECOGNITION OF THE RELATIVE RISKS AND BENEFITS OF THE SERVICES TO BOTH PROVIDER AND THE CLIENT, TO THE FULLEST EXTENT PERMITTED BY LAW, THE TOTAL MAXIMUM LIABILITY OF PROVIDER TO THE CLIENT FOR ANY AND ALL CLAIMS, LOSSES, COSTS, DAMAGES OF ANY NATURE WHATSOEVER OR CLAIMS EXPENSES FROM ANY CAUSE OR CAUSES (INCLUDING ATTORNEYS' FEES AND COSTS AND EXPERT WITNESS FEES AND COSTS), UNDER OR IN CONNECTION WITH THIS AGREEMENT SHALL BE LIMITED TO $10,000; AND IN NO EVENT SHALL PROVIDER, ITS LICENSORS, OR SUPPLIERS PAY FOR INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES, EVEN IF THEY HAVE BEEN ADVISED OF OR SHOULD HAVE FORESEEN THE POSSIBILITY OF SUCH DAMAGES. THE INTENTION IS FOR THIS LIMITATION ON LIABILITY TO APPLY TO ALL CAUSES OF ACTION, HOWEVER ALLEGED OR ARISING, UNLESS OTHERWISE PROHIBITED BY LAW. THIS LIMITATION OF LIABILITY APPLIES TO ALL SERVICES PROVIDED UNDER THIS AGREEMENT, WHETHER PERFORMED DIRECTLY BY PROVIDER OR THROUGH SUBCONTRACTORS, AND PROVIDER SHALL REMAIN SOLELY LIABLE TO CLIENT FOR ANY CLAIMS ARISING FROM SUBCONTRACTOR PERFORMANCE.
ADDITIONAL LIMITATIONS FOR THIRD-PARTY SERVICES:
NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, PROVIDER SHALL HAVE ZERO LIABILITY FOR ANY CLAIMS, DAMAGES, LOSSES, OR EXPENSES ARISING FROM OR RELATED TO:
(A) THIRD-PARTY SERVICE FAILURES: Any failure, defect, error, bug, outage, degraded performance, or limitation of any Managed Third-Party Service listed in Schedule B or utilized pursuant to Section 2.8.3, regardless of cause;
(B) VENDOR SECURITY INCIDENTS: Any security breach, unauthorized access, data loss, ransomware, malware, or other security incident occurring within vendor-controlled systems or resulting from vulnerabilities in third-party software;
(C) VENDOR BUSINESS DECISIONS: Any change to third-party service pricing, terms, features, functionality, discontinuation of service, or vendor's cessation of business operations;
(D) COMPLIANCE FAILURES: Any failure to achieve or maintain compliance certifications, audit failures, regulatory penalties, or fines, even where Provider configured or managed compliance platforms;
(E) UNDETECTED THREATS: Any security threats, malware, or attacks that evade detection by security tools managed by Provider;
(F) VENDOR TERMS DISPUTES: Any disputes between Client and vendors regarding interpretation or enforcement of vendor terms of service;
(G) CLIENT-MANAGED APPLICATIONS: Any issues, failures, security incidents, or losses involving Client-Managed Applications that Client procures or manages independently.
FOR THE AVOIDANCE OF DOUBT, PROVIDER'S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT REMAINS LIMITED TO $10,000 AS SET FORTH ABOVE, AND THIS LIMIT APPLIES TO ALL CLAIMS INCLUDING THOSE RELATED TO PROVIDER'S IMPLEMENTATION, CONFIGURATION, OR MANAGEMENT OF THIRD-PARTY SERVICES. CLIENT'S SOLE REMEDY FOR ISSUES WITH THIRD-PARTY SERVICES THEMSELVES IS AGAINST THE APPLICABLE VENDOR.
THE LIMITATIONS OF LIABILITY IN THIS SECTION APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, AND WILL APPLY EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
11. FORCE MAJEURE
Summary: Neither party is liable for delays caused by events outside reasonable control (natural disasters, pandemics, wars, acts of God, etc.). If such an event persists, either party may terminate.
If performance of this Agreement or any obligation under this Agreement is prevented, restricted, or interfered with by causes beyond either Party's reasonable control ("Force Majeure"), and if the Party unable to carry out its obligations gives the other Party prompt written notice of such event, then the obligations of the Party invoking this provision shall be suspended to the extent necessary by such event. The term Force Majeure shall include, without limitation, acts of God, epidemic, pandemic, fire, explosion, vandalism, storm or other similar occurrence, orders or acts of military or civil authority, or by national emergencies, insurrections, riots, or wars, or strikes, lock-outs, work stoppages, or supplier failures. The excused Party shall use reasonable efforts under the circumstances to avoid or remove such causes of non-performance and shall proceed to perform with reasonable dispatch whenever such causes are removed or ceased. An act or omission shall be deemed within the reasonable control of a Party if committed, omitted, or caused by such Party, or its employees, officers, agents, or affiliates. If a Force Majeure event continues, either Party may terminate this Agreement by written notice: Provider may exercise this termination right after thirty (30) consecutive days of suspended performance, whereas Client may do so after forty-five (45) consecutive days.
12. DISPUTE RESOLUTION
Summary: Disputes over $1,000 go to arbitration in Orange County, CA under California law. This is instead of going to court—it's typically faster and less expensive for both parties.
12.1 Arbitration
All disputes exceeding USD $1,000 that are not exclusively within the jurisdiction of California small-claims court shall be settled by arbitration by the American Arbitration Association.
Arbitration shall be in accordance with the Commercial Arbitration Rules of the American Arbitration Association, using a single arbitrator format regardless of the amount in dispute, and judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. If all Parties to the dispute agree, a mediator involved in the Parties' mediation may be asked to serve as the arbitrator. The prevailing Party in any such dispute shall be entitled to an award inclusive of reimbursement of any fees paid to the arbitrator, and any case filing fees or case management fees paid to the arbitration association. This arbitration procedure is in lieu of any right that might otherwise exist to a trial by jury.
12.2 Governing Law
The terms of this Agreement shall be governed by and construed in accordance with the laws of the State of California without resort to conflict of law rules. The United States Arbitration Act shall govern the interpretation, enforcement, and proceedings pursuant to the arbitration clause in this agreement. The place of arbitration shall be Orange County, California.
13. ADDITIONAL PROVISIONS
Summary: Standard legal provisions including: don't poach each other's employees, this agreement survives mergers, this document is the complete agreement, and any changes must be in writing.
13.1 Mutual Non-Solicitation of Personnel
Neither Provider nor Client shall assist, solicit, coach, or encourage any personnel or associated persons of the other Party to leave their established place of employment. Client shall not, without written authorization, offer employment or consultancy to any personnel or associated persons of Provider. Client shall not offer employment or consultancy to any former personnel or associated persons of Provider within two years of the date on which such personnel or associated persons terminated their relationship with Provider. This provision extends to personnel of Provider's subcontractors who are directly involved in providing Services to Client.
13.2 Merger, Transfer of Assets, or Dissolution
This Agreement will not be terminated by any voluntary or involuntary dissolution of either Client or Provider resulting from either a merger or consolidation in which the affected Party is not the consolidated or surviving entity named under this Agreement, or a transfer of all or substantially all of the assets of the affected Party.
In the event of any such merger or consolidation or transfer of assets of either Party, the rights, benefits, and obligations hereunder may be assigned to the surviving or resulting entity or the transferee of the Party's assets.
13.3 Entire Agreement
This Agreement, with all incorporated SOWs and Appendices, contains the entire agreement of the Parties, and there are no other promises or conditions in any other agreement whether oral or written concerning the subject matter of this Agreement. This Agreement supersedes any prior written or oral agreements between the Parties.
13.4 Construction
This Agreement shall be interpreted as if Client and Provider jointly prepared it, and any uncertainty and ambiguity in the Agreement shall not be construed or interpreted against either Party individually.
13.5 Severability
If any provision of this Agreement is held to be invalid or unenforceable for any reason, the remaining provisions will continue to be valid and enforceable. If a court finds that any provision of this Agreement is invalid or unenforceable, but that by limiting such provision it would become valid and enforceable, then such provision will be deemed to be written, construed, and enforced as so limited.
13.6 Amendment
This Agreement may be modified or amended only in writing, and only if the writing is signed by the Party obligated under the amendment.
13.7 Notice
Any notice or communication required or permitted under this Agreement shall be sufficiently given if delivered in person or by certified mail, return receipt requested, to the address set forth in the applicable Statement of Work or to such other address as one Party may have furnished to the other in writing.
13.8 Waivers
The failure of either Party to enforce any provision of this Agreement shall not be construed as a waiver or limitation of that Party's right to subsequently enforce and compel strict compliance with every provision of this Agreement.
This Master Services Agreement is effective as of the date specified in the applicable Statement of Work.
SCHEDULE B
THIRD-PARTY SERVICE CATALOG
Summary: This schedule lists example vendors Rovally may use. This is NOT exhaustive—Rovally may use other qualified vendors to deliver services. For each category, we explain what we do and what we're not responsible for.
This schedule identifies representative Managed Third-Party Services that Provider may resell and manage on Client's behalf. Pursuant to Section 2.8.3 of this Agreement, Provider maintains discretion over vendor selection and may utilize vendors not listed herein. Specific services included for Client are specified in the applicable Statement of Work.
1. SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Representative Vendor: Turngate, Inc.
Category: SIEM for SaaS Applications
Vendor Terms: Provided upon request
Provider's Role:
- Initial implementation and integration with Client's SaaS applications
- Configuration of monitoring rules, alerts, and incident detection policies
- Ongoing monitoring of security events and anomalies
- Investigation and triage of security alerts
- Escalation of confirmed incidents to Client
- Regular review and optimization of detection rules
Provider is NOT Responsible For:
- Platform availability, uptime, or performance
- Threats that evade the platform's detection capabilities
- Security incidents in SaaS applications not integrated with the SIEM
- Data retention policies or data loss within vendor systems
- Changes to vendor pricing, features, or terms of service
- Vendor security breaches or unauthorized access to vendor systems
2. ENDPOINT DETECTION AND RESPONSE (EDR)
Representative Vendors: SentinelOne, Inc.; Jamf Software, LLC (Jamf Protect)
Category: Endpoint Detection and Response for workstations and servers
Vendor Terms:
- SentinelOne: https://www.sentinelone.com/legal/master-subscription-agreement/
- Jamf Protect: https://www.jamf.com/trust-center/terms-of-service/
Provider's Role:
- Deployment of EDR agents to Client endpoints
- Configuration of protection policies and response actions
- Monitoring of endpoint security alerts and threats
- Investigation and remediation of detected threats
- Quarterly review of protection efficacy and policy optimization
- Coordination with vendor support for complex incidents
Provider is NOT Responsible For:
- Platform availability, uptime, or agent functionality
- Malware or threats that evade detection engines
- Zero-day exploits before the vendor has released detections (signatures or behavioral rules) for them
- Security of unmanaged or unprotected endpoints
- Endpoints where Client has disabled or removed EDR agents
- Vendor security breaches or vulnerabilities in vendor software
- Changes to vendor pricing, features, or licensing models
Critical Client Acknowledgment: No endpoint security solution provides 100% protection. Client acknowledges that sophisticated threats may evade detection and that endpoint security is one layer of a comprehensive security strategy.
3. THREAT DETECTION AND INTELLIGENCE
Representative Vendor: Jamf Software, LLC (Jamf Radar)
Category: Threat Detection, Phishing Prevention, and Security Intelligence for Apple Devices
Vendor Terms: https://www.jamf.com/trust-center/terms-of-service/
Provider's Role:
- Implementation and configuration of threat detection policies
- Setup of phishing and malicious content protection
- Monitoring of threat intelligence alerts and indicators
- Investigation of detected threats and suspicious activity
- Regular review and tuning of detection sensitivity
Provider is NOT Responsible For:
- Platform availability, uptime, or detection engine performance
- Phishing attacks or threats that evade detection
- User actions that bypass security warnings
- Accuracy or completeness of threat intelligence feeds
- Vendor security breaches or service interruptions
4. GOVERNANCE, RISK, AND COMPLIANCE (GRC) PLATFORMS
Representative Vendors: Secureframe, Inc.; Drata, Inc.; Vanta, Inc.
Category: Compliance Automation Platform
Supported Frameworks: SOC 2, ISO 27001, ISO 42001, HIPAA, PCI DSS, GDPR, CMMC, and others
Vendor Terms:
- Secureframe: https://secureframe.com/terms
- Drata: https://drata.com/legal
- Vanta: https://www.vanta.com/legal/terms
Provider's Role (Applies to all GRC platforms):
- Platform selection based on Client's compliance requirements
- Initial implementation and integration with Client's technology stack
- Configuration of compliance frameworks and control mappings
- Connection of evidence sources (cloud providers, HR systems, etc.)
- Training Client personnel on platform usage
- Ongoing monitoring of compliance posture and control gaps
- Preparation of evidence packages for audits
- Coordination with Client's auditors (information requests only)
Provider is NOT Responsible For:
- Determining which compliance frameworks apply to Client's business
- Guaranteeing achievement or maintenance of any compliance certification
- Guaranteeing audit passage or favorable audit outcomes
- Legal interpretation of regulatory requirements
- Approving policies and procedures (Provider may create, Client must review/approve)
- Ensuring completeness or accuracy of automated evidence collection
- Platform availability, uptime, or data integrity
- Vendor security breaches or compliance failures
- Changes to vendor pricing, features, or supported frameworks
CRITICAL COMPLIANCE DISCLAIMER: Provider configures GRC platforms and provides technical implementation services only. Provider DOES NOT provide legal, regulatory, or compliance advice. Client must engage qualified legal counsel and compliance professionals, determine applicable compliance requirements independently, review and approve all policies, procedures, and controls, validate all compliance evidence before submitting to auditors, and maintain ultimate responsibility for achieving and maintaining compliance.
Client acknowledges that GRC platforms are tools that facilitate compliance efforts but do not guarantee compliance outcomes. Many factors outside the platform's scope affect compliance, including organizational culture, employee training, policy enforcement, and management commitment.
5. CONTENT FILTERING AND DATA LOSS PREVENTION
Representative Vendor: Dope Security, Inc.
Category: Content Filtering and Data Loss Prevention for SaaS applications
Vendor Terms: https://dope.security/legal/sla
Provider's Role:
- Implementation and integration with Client's SaaS applications
- Configuration of content filtering policies and DLP rules
- Setup of monitoring for sensitive data exposure
- Alert configuration for policy violations
- Monthly review of DLP incidents and policy effectiveness
- Recommendations for policy refinement based on usage patterns
Provider is NOT Responsible For:
- Platform availability, uptime, or performance
- Data leakage that evades detection capabilities
- Sensitive data exposure in applications not integrated with the platform
- Accuracy of content classification or threat detection
- False positives or false negatives in DLP policy enforcement
- User frustration or productivity impacts from DLP policies
- Vendor security breaches or unauthorized access to monitored data
- Changes to vendor pricing, features, or terms of service
6. MOBILE DEVICE MANAGEMENT (MDM)
Representative Vendors: Jamf Software, LLC (Jamf Pro); NinjaOne, LLC
Category: Mobile Device Management, Endpoint Management, and IT Operations
Vendor Terms:
- Jamf Pro: https://www.jamf.com/trust-center/terms-of-service/
- NinjaOne: https://www.ninjaone.com/terms-of-service/
Provider's Role:
- Initial MDM platform setup and configuration
- Device enrollment and provisioning workflows
- Configuration of security policies, restrictions, and compliance rules
- Application deployment and management
- Operating system update management and patching
- Device inventory and compliance monitoring
- Remote device management actions (lock, wipe, locate)
- Integration with identity providers and security tools
Provider is NOT Responsible For:
- Platform availability, uptime, or performance
- Device compliance failures due to user actions or device modifications
- Data loss on managed devices resulting from user error or device failure
- Hardware failures or physical damage to managed devices
- Limitations in vendor-supported device types or operating system versions
- User satisfaction with enforced security policies
- Vendor security breaches or service interruptions
- Changes to vendor pricing, features, or supported platforms
7. HELP DESK AND IT SUPPORT SERVICES
Representative Vendor: Fixify, Inc.
Category: Help Desk Support, IT Support Services, and End-User Technical Assistance
Vendor Terms: Provided upon request
Provider's Role:
- Coordination and oversight of help desk service delivery
- Configuration of ticketing workflows and escalation procedures
- Integration with Client's communication channels (Slack, email, etc.)
- Quality assurance and service level monitoring
- Escalation path management for complex issues
- Regular service review and optimization recommendations
Provider is NOT Responsible For:
- Vendor platform availability or service interruptions
- Resolution times or first-call resolution rates (vendor-dependent)
- End-user satisfaction with support interactions
- Issues requiring hardware replacement or on-site intervention
- Problems with Client-Managed Applications outside Provider's scope
- User training beyond basic issue resolution
- Changes to vendor pricing, staffing levels, or service offerings
8. CLIENT-MANAGED APPLICATIONS
Definition: Any software, service, system, or technology that Client procures, licenses, pays for, and manages independently without Provider involvement in vendor relationship or ongoing management.
Examples May Include:
- Productivity suites (Microsoft 365, Google Workspace)
- Industry-specific applications
- Custom developed software
- Legacy systems
- Applications procured before engaging Provider
- Any service where Client maintains direct vendor relationship and billing
Provider's Role:
- May provide advisory services if explicitly included in SOW
- May provide integration support to connect with Managed Third-Party Services
- NO ongoing management, monitoring, or administration unless explicitly contracted
Provider is NOT Responsible For:
- Availability, performance, or functionality
- Security of Client-Managed Applications
- Data loss or breaches involving Client-Managed Applications
- Licensing compliance or renewal management
- Vendor relationship or support coordination
- Configuration or optimization
- Integration failures between Client-Managed Applications and Managed Services
- Any issues, incidents, or failures of any kind
Client Obligations:
Client must:
- Disclose all Client-Managed Applications to Provider within 14 days
- Notify Provider of additions, changes, or removals within 14 days
- Maintain adequate security controls on Client-Managed Applications
- Not expect Provider to support or troubleshoot Client-Managed Applications
- Accept that Provider may decline to integrate with inadequately secured Client-Managed Applications
GENERAL PROVISIONS APPLICABLE TO ALL SERVICES
Vendor Selection Discretion
Pursuant to Section 2.8.3 of this Agreement, the vendors listed in this Schedule B are representative examples only. Provider maintains sole discretion to select, add, remove, or substitute vendors to deliver the functional outcomes specified in each Statement of Work. Any vendor utilized—whether listed in this Schedule or not—is subject to the terms, limitations, and disclaimers set forth in Section 2.8 of this Agreement and this Schedule B.
Vendor Terms Updates
Vendors may update their terms of service, privacy policies, or acceptable use policies at any time. Provider will make commercially reasonable efforts to notify Client of material changes when informed by vendors, but Client remains responsible for:
- Monitoring vendor communications and terms updates independently
- Reviewing updated terms and determining if continued use is acceptable
- Notifying Provider of any vendor terms that conflict with Client's requirements
Client may terminate any specific Managed Third-Party Service upon sixty (60) days' written notice if Client does not accept updated vendor terms.
Service Substitution
If a vendor discontinues service, materially degrades service quality, increases pricing excessively, or Provider determines a vendor is no longer suitable, Provider may substitute services. Provider will:
- Provide ninety (90) days' notice of proposed substitution where practicable
- Offer reasonably equivalent replacement service
- Assist with migration to substitute service at no additional charge for up to 30 days
Client may:
- Accept the substitute service
- Decline and terminate the affected service without penalty
- Establish direct relationship with original or substitute vendor
Evidence of Terms Acceptance
By executing a Statement of Work that includes any Managed Third-Party Service, Client certifies that:
- Client or Client's Authorized Representative has reviewed the applicable vendor terms
- Client accepts and agrees to be bound by those vendor terms
- Client authorizes Provider to procure licenses and configure services on Client's behalf
- Client understands Provider's limited role and liability as described in this Schedule
Schedule Updates
This Schedule B may be updated by Provider from time to time to:
- Add new third-party services offered by Provider
- Remove services Provider no longer offers
- Update vendor terms URLs or review dates
- Clarify Provider's role or limitations
Material updates to this Schedule that affect Client's active services will be provided to Client with thirty (30) days' written notice. Client's continued use of services after the notice period constitutes acceptance of Schedule updates.
