Managed IT and Cybersecurity Services Attachment

This Managed IT and Cybersecurity Attachment (“Attachment”) describes the managed IT and cybersecurity services to be provided by the Provider to the Customer (each a “Party” and collectively the “Parties”) pursuant to the terms of the Statement of Work (“SOW”) executed by the Parties and in accordance with the general terms and conditions set forth in the Master Services Agreement (“MSA”). This Attachment, together with the SOW and the MSA, form the agreement between the Parties. All capitalized terms used herein and not otherwise defined have the meanings assigned in the MSA.

1. MANAGED SERVICES. The Services to be performed for Customer by Provider are set forth in the SOW. This Attachment is incorporated into and made part of the SOW.
2. MONITORING AND SUPPORT SERVICES
   1. Remote Coverage. In connection with the Services that are within the scope of this Attachment, Provider will provide to Customer (1) management of those Services identified in the SOW by individuals trained in the Services selected, and (2) support during “Normal Business Hours” (as defined in the SOW).
   2. Onsite Support. Customer’s request, but subject to Provider’s acceptance of such request, Provider or qualified third-parties contracted by Provider, will also deliver Services onsite at Customer’s Facility(s) during Normal Business Hours, subject to the limitations stated in the SOW. Onsite and remote support and services requested by Customer that are not covered under the SOW will be billed at the Standard Rates.
   3. Maintenance Windows. Routine IT infrastructure and application upgrades will occur during maintenance windows, and some applications, systems, or devices may be unavailable or non-responsive during such times (or as defined in the SOW). Provider shall not be liable for failure to provide Services during maintenance windows nor during any temporary exclusions requested by Provider to implement changes in applications, environments, conversions, or system software.
   4. Dispatch Services. In connection with the Services that are within the scope of this Attachment, Provider from time to time may determine at its sole discretion the need to place Provider staff or qualified third-parties at the Customer location to support or replace Equipment. When possible, resolution of issues will be performed remotely. Dispatch Services are performed during Normal Business Hours, unless approved by Provider, and require the cooperation of Customer for proper access to physical location and required Customer staff.
   5. Network Monitoring Services. Network Monitoring Services, if applicable, are described in the SOW.
3. INCIDENT MANAGEMENT SERVICES
   1. Incident. “Incident” means an unplanned interruption to or reduction of quality of an IT or cybersecurity service. Provider or Customer will document all Incidents by creating a “Service Ticket” and will post updates in Provider’s Incident Tracking System reporting the status of the Incident. Provider will work to address the Incident as soon as the Incident Service Ticket is created.
   2. Service Desk. Urgent issues should always be communicated to Provider by telephone. Customer individuals that contact the Service Desk must be authorized. The Service Desk will not communicate with the Customer via indirect channels for Incident notification and will not reply to support requests from non-authorized individuals. An email notice will be sent to the caller and all contacts subscribing to receive alerts that fit the event’s conditions after the issue has been opened.
      1. Customer may communicate Incidents to the Service Desk using the following methods (where applicable and within the scope of the SOW):
         1. Telephone
         2. Opening a ticket on the Customer Portal
         3. Email
         4. Chat
   3. Prioritization & Classification. Incidents must be properly classified and prioritized by Provider. The following are examples of classification and priority:
      1. Classification – Determined by choosing the correct service offering, category, and subcategory as it pertains to the Incident.
      2. Prioritization – Assigning impact and severity calculates the appropriate priority.
   4. Determining Classification and Prioritization. The Incident is examined, and the appropriate classification, severity, and impact are selected based on the information entered during its creation. Priority is determined by the sum of the impact and severity assignments, which reflect the level of risk to the Customer’s Assets and/or Environment.
      1. 
      2. Impact. “Impact” refers to the business impact of the system impacted. The initial impact is pre-defined from the alerting tool based on the type of alarm received or Customer request. There are three categories of impact:
         1. High: Incident affecting an entire Facility(s)
         2. Medium: Incident affecting multiple users
         3. Low: Incident affecting one or few users
      3. Severity. “Severity” is the extent to which the Incident’s resolution can bear delay. The initial severity is pre-defined from the alerting tool based on the type of alarm received or Customer request. Severity levels are defined as follows:
         1. High: Full-service outage of a critical system, requires urgent response.
         2. Medium: Customer’s ability to function is partially impacted, requires the A_IT. CareDesk™ to respond as soon as possible.
         3. Low: No impact on the Customer’s ability to function; is more informational in nature and a response is not critical.
      4. Priorities for Tools-Identified Service Ticket. For auto-generated Incident Service Tickets, Provider’s monitoring tools apply the classification and priority criteria, as outlined in this section 3.4, based on the general situation. The actual condition may require Provider to review and subsequently reclassify based on correlating information uncovered through the Incident response process
      5. Service Escalation. Incidents are escalated in accordance with an established set of guidelines which can be provided to Customer upon request.
4. REVIEWS
   1. Provider and Customer may review and assess Customer’s Environment on an ongoing basis, and, if Provider and Customer agree that adjustments to the Scope of Work and/or the Service Level Objectives are needed, the Parties will execute an appropriate Change Order.
5. CUSTOMER OBLIGATIONS
   1. Customer Equipment. All Customer Devices must be maintained under manufacturer’s warranty or maintenance contracts and must be in working order. Software or firmware updates must be made to Customer Devices as specified by the manufacturer, and base operating systems and code must be maintained as necessary for Customer Devices to remain eligible for manufacturers’ warranties and support. Provider shall not be responsible for repairing any Customer Devices that are not maintained under manufacturer’s warranty or maintenance contracts or that are otherwise out of order, and further,
      1. Provider is not liable to Customer for any of the following caused by such Devices:
         1. Any delay or failure of performance in connection with the provision of Services,
         2. Breach of any Provider’s warranty, or
         3. Any security breach or data loss.
      2. Further, Provider may designate certain Devices as obsolete or defective (“Obsolete Device”) and thereafter, Provider shall have the right to take one or more of the following steps:
         1. Require a replacement of or upgrade to the Obsolete Device, or
         2. Decline to support or provide Services relating to the Obsolete Device, or
         3. Propose a Change Order to add Services necessary to support the Obsolete Device.
   2. Customer Software. Customer Software Licenses.
      1. Rights to Software. Unless otherwise specifically stated in the SOW, Customer represents and warrants that Customer has title to or a license or other right to use or modify the Customer Software and has all necessary rights to permit Provider to use, access or modify any Customer Software that Customer has requested Provider to use, access or modify as part of the Services. Customer agrees to maintain records of all Customer Software licenses and to provide an inventory from time to time at Provider’s request.
      2. Third-Party Licenses. Customer is solely responsible for all third-party licensing, software, and support contracts unless the Parties otherwise agree in writing. This includes but is not limited to all required Microsoft licensing for servers and workstations that are covered under one or more Provider Services. Provider is not liable for any act or omissions of third-party providers.
      3. Installation Keys. Customer shall obtain and supply all necessary software media with installation keys (if any) upon request.
   3. Unsupported Software.
      1. Provider shall not be responsible or liable to Customer for any consequences from the use of (a) existing Customer Software (in place prior to the date of this Agreement), (b) Customer Software selected during the Term of this Agreement independently (not based on a recommendation of Provider) and (c) Customer Software that is no longer under manufacturer product support or no longer supported by the software publisher, or which in Provider’s judgment is at the end of its life, outdated, obsolete, and/or vulnerable to errors, bugs, attacks, or other problems and failures (collectively, “Unsupported Customer Software”).
      2. CUSTOMER AGREES TO HOLD PROVIDER HARMLESS FROM ANY LOSS, INJURY OR DAMAGE TO ANY HARDWARE, SOFTWARE, AND/OR COMPUTER DATA CAUSED BY ANY USE OF UNSUPPORTED SOFTWARE.
      3. Provider will assist the Customer with respect to Unsupported Customer Software to the extent Provider has the technical expertise and capacity within the Scope of Work to provide assistance as reasonably practicable, in Provider’s judgment; but in general, Customer is expected to purchase and rely on support available from the software publisher. Notwithstanding the foregoing, Provider will not in any case assist with respect to Customer Software described in clause 3.1(c)above.
      4. Notwithstanding Section.3.1(a), Provider may (a) require an upgrade to Unsupported Customer Software or (b) may decline to support or provide Services relating to such Software or (c) may propose an amendment to the applicable SOW to add Services necessary to support such Software.
   4. Provider Assets.
      1. Use and Ownership. Customer agrees that Provider Assets provided to Customer will be used by the Customer in accordance with the terms of the MSA and the SOW. Customer agrees that any Equipment, Device, or Software utilized in the execution of any Service that is not purchased by the Customer in its own name belongs to Provider.
      2. Personal Property. All Provider Equipment is personal property for all purposes. Customer will not allow any Provider Equipment to become a fixture at Customer’s Facilities.
      3. Return of Assets. Upon termination of the SOW, Customer will cease use of any Provider Assets within the scope of the SOW and will return the same to Provider within fifteen (15) days. If Customer fails to return any Provider Asset within that time frame, or if Customer fails to return any Provider Asset in the condition in which it was originally delivered (reasonable use and Provider’s acts and omissions excepted), Provider will be entitled to charge Customer for the reasonable replacement cost of the Asset, as determined at Provider’s sole discretion.
      4. Ownership of Provider Equipment. Provider is and will remain the sole owner of any Provider Equipment, which is provided on a rental, subscription, or temporary basis only. Customer shall not remove any sign, label, or other marking identifying Provider as the owner of the Provider Equipment. Customer does not and will not have any lien or other similar right over or in relation to the Provider Equipment, by operation of law or otherwise.
      5. No Warranties. Provider makes no independent representations or warranties with respect to Provider Equipment. Any third-party warranties are Customer’s exclusive remedies with respect to Provider Equipment. In the event of malfunction, defect or failure with respect to Provider Equipment, Provider will make itself available, at Customer’s request and at Provider’s then current hourly rates, to assist Customer in making claims under the manufacturer’s or developer’s warranties of such Equipment.
      6. Insurance and Protection. Customer agrees to maintain all Provider Equipment in a safe and secure location to avoid loss or damage to such Equipment. Customer shall take reasonable care of the Provider Equipment and shall not damage, tamper with, move, or remove, attempt to repair, or attempt to install any software on any Provider Equipment, except as instructed by Provider. Customer is financially responsible, up to the full replacement value of all Equipment, for all damage to or loss of the Provider Equipment used at Customer’s Facilities, other than loss or damage caused by Provider. In addition, during the term of the SOW, Customer shall obtain and maintain insurance with a reputable insurer for the full replacement value of the Provider Equipment. Such policy or policies of insurance must cover the Equipment against loss or damage (including, without limitation, accidental loss or damage) and must name Provider as an insured beneficiary with respect to the Equipment. Upon demand, Customer shall produce evidence that such insurance is in full force and effect. If Customer fails to maintain insurance coverage as required by this Section4.6, Provider will have the right to remove the uninsured or underinsured Provider Equipment.
      7. Environment. Customer is responsible for providing the necessary power, network connection and appropriate environments to support the Provider Equipment.
      8. Removal of Equipment. On termination of the SOW, Customer shall allow Provider reasonable access to Customer’s Facilities to remove the Equipment, and Customer shall compensate Provider at Provider’s Standard Rates for the labor required for removal. Alternatively, upon Provider’s request and at Customer’s cost for shipping, Customer shall return the Provider Equipment via the carrier of Provider’s choice, insured as instructed by Provider.
      9. Provider-Supplied Software. This Agreement does not transfer any right, title, or interest in the Provider- supplied Software to Customer except as may be required for Provider to provide the Services to Customer. Customer’s use of the Provider-supplied Software is subject to all applicable terms of any end-user license agreement pertaining to the Software, a copy of which will be made available to Customer upon request. Customer shall not, and shall not permit any third party, to do any of the following with respect to Provider-supplied Software, distribute or allow others to distribute copies of the Software or any part thereof to any third party,
         1. Tamper with, remove, reproduce, modify, customize, or copy the Software or any part thereof,
         2. Provide, rent, sell, lease or otherwise transfer the Software or any copy or part thereof or use it for the benefit of a third party, or
         3. Reverse assemble, reverse compile or reverse engineer the Software or any part thereof, or otherwise attempt to discover any Software source code or underlying proprietary information.
   5. Independent Backup. Except in cases in which the Services described in a SOW include maintenance of backup systems, Customer must have a backup solution in place, with backup copies stored off-site. It is the Customer’s responsibility to verify that backups are made regularly, as well as the integrity of the backups. Provider shall not be held liable in the event of data loss, backup software failure, backup data breach, backup selection, backup hardware failure, backup media failure, or backup system failure.
   6. Minor Onsite Tasks. Provider may occasionally ask Customer to perform simple onsite tasks (e.g., powering down and rebooting a computer), and Customer agrees to cooperate with all reasonable requests.
   7. Server Upgrades or Repair. Provider will authorize all necessary server upgrades or repairs. If Customer repairs or upgrades servers without Provider’s authorization, Provider may take one or more of the following steps:
      1. Exclude those servers from coverage hereunder, or
      2. Prepare a Change Order for the provision of Services necessary to bring the servers back into the Scope of Work.
   8. Changes to Customer’s Network. Customer will notify Provider of all proposed network changes, and Provider will prepare a Service Ticket allowing the Provider a reasonable opportunity to comment, follow-up on and approve proposed changes prior to implementation. If the proposed change requires Provider to do research, to provide design services and/or to test the network changes, Provider will propose a Change Order and will bill for its Services at its then current hourly rates. Provider is not obligated to support any network changes implemented contrary to the requirements of this Section.
   9. Customer’s Environment. Customer’s additional obligations with respect to the Customer Environment are stipulated in the MSA and/or Statement of Work.
6. EXCLUSIONS
   1. In addition to the exclusions stated in Section 5 of this Attachment and in the MSA, Provider is not responsible for failures to provide Services that are caused by the existence of any of the following conditions during any period of time in which such conditions exist:
      1. Alterations and Modifications: Service and repair made necessary by the alteration or modification of any Devices, Equipment or Software other than as authorized by Provider, including alterations, software installations or modifications made by Customer’s employees or anyone other than Provider.
      2. Problems Resulting from Any Third-Party Provider Malfunction: Any defect, interruption, reduction of service quality, uptime, security or malfunction in any Customer Devices, cabling, Equipment, Customer Software, firmware, provided by a third-party, inclusive of SaaS and cloud platform providers.
      3. Customer Resource Problems: Any failure to follow instructions, or problems or delays caused by Customer personnel or vendors that are not under Provider’s management or control.
      4. Force Majeure: Problems resulting from a Force Majeure Events.
      5. Customer Acts or Omissions: Problems preventing Provider from performing its obligations as a result of Customer’s actions, inactions, or information provided that were contrary to Provider’s recommendations or Customer’s failure to fulfill its responsibilities hereunder or under the MSA.
      6. Internet Connectivity Loss or Loss of Power: The loss of Internet connectivity provided by a third-party or loss power at Customer’s Facilities for any reason.
      7. Service Ticket Management: The time interval between the initial occurrence of an Incident or other issue affecting functionality and the time Customer reports the Incident to Provider through the Provider Incident Tracking System.
7. SERVICES OUTSIDE OF SCOPE
   1. Unless otherwise explicitly included within the Scope of Work as stated in the SOW, the following services are outside of the Scope of Work:
      1. Software Maintenance, including but not limited to monitoring the schedule for updates, correcting defects, or other similar maintenance tasks.
      2. Training of Customer Personnel.
      3. Software and Web Development, including but not limited to modifying software code, writing custom code, programming, website construction or modifications, etc.
      4. Device Repair and Maintenance, including but not limited to printers, UPS devices, scanners, or any other Device (as defined in the MSA).
      5. Third-Party Disputes, including but not limited to managing or being involved in claims, issues, or disputes with any third-party, unless the claim, issue or dispute involves the Services.
      6. Replacement Software or Equipment, including but not limited to implementing new or replacement Software or Equipment.
      7. Deployment of New Technologies or Services. Including but not limited to adding equipment or services required due to Customer growth, new technologies available to Customer, or any growth of Customer Environment.
      8. Facility Relocation / Satellite Facility. Facility relocation/satellite facility design or setup.
      9. Audits and Third-Party Questionnaires, including but not limited to assistance with cybersecurity liability insurance applications, third-party risk management questionnaires requested by clients, vendors, or regulators, or participation in external audits.
      10. Cybersecurity Incident Triage, Management, and Response. Including but not limited to emergency incident response or digital forensics services for any suspected or detected cybersecurity incidents which cannot be systematically remediated using technologies deployed in the Customer environment and managed by Provider.