MASTER SERVICES AGREEMENT

Updated August 15, 2022

Version 1.0

This Master Services Agreement (this “Agreement”) is made and entered into effective when signed by both parties (the “Effective Date”), by and between Omnistruct, Inc. (“Omnistruct”), a California Corporation, and (“Customer”) (each a “Party”, collectively “Parties”).

RECITALS

A. Omnistruct makes available a hosted service platform and related equipment designed to assist companies with cybersecurity and electronic security compliance program maintenance.
B. Customer and Omnistruct desire to have Omnistruct provide Customer with the ability to access and use the Omnistruct services, subject to and in accordance with the terms and conditions of this Agreement.

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. DEFINITIONS

1.1 “Authorized User” means employees, consultants, contractors, and agents of Customer who have been authorized in accordance with the terms of this Agreement to access and use the Services on behalf of Customer.

1.2 “Subscription” means any software, hardware equipment, or software as a service, provided by Omnistruct and its affiliates and necessary to deliver Services under the terms of a SOW for use in connection with the Services during the term of this Agreement.

1.3 “Services” means Omnistruct’s and Omnistruct affiliate Services made available to Customer under the terms of the attached SOW and Appendices, including installation of subscription, integration with Customer systems, and operation of Omnistruct-hosted services, maintenance of cybersecurity governing metrics, as well as any modifications, extensions, customizations, or other derivative works of the Services provided by Omnistruct to Customer.

1.4 “Statement of Work” or “SOW” means a document signed by both parties that references this Agreement and describes the Services or Subscriptions to be procured by Customer from Omnistruct and specific pricing terms and conditions applicable to such Services and/or Subscriptions.

2. SERVICES

2.1 Subscription Services. Subject to Customer’s compliance with the terms of this Agreement, Omnistruct and its affiliates shall make the Services available to Customer in accordance with an applicable SOW, solely for use by Authorized Users for Customer’s internal business operations. Omnistruct may update the functionality, user interface, or documentation relating to the Services from time to time in accordance with this Agreement. Customer will not permit access to or use of the Services by anyone other than Authorized Users. The customer is responsible for all activities conducted under its Authorized User logins and for its Authorized Users’ compliance with this Agreement.

2.2 Restrictions. Customer agrees that Omnistruct or its licensors exclusively own all rights, titles, and interests in and to the Services, including all intellectual property rights therein. Any rights relating to the Services that are not expressly granted to Customer under this Agreement are reserved by Omnistruct. Customer shall not (and shall not permit any third party to): (a) copy, modify, translate, create derivative works of the Services, Subscriptions or Software; (b) reverse engineer, disassemble, or decompile the Services; or (c) use the Services in a manner that is contrary to applicable law or that violates a third party’s privacy or intellectual property rights. Unless expressly stated to the contrary in a the SOW, the Services are not “works made for hire,” and Omnistruct will forever own all right, title, and interest in copyrights, trade secrets, patents, all other intellectual property and other rights relating to the Subscriptions, the Services, and any information developed by Omnistruct in the course of its performing the Services.

2.3 Deployment and Access. Customer will make available to Omnistruct – including a third-party managed service provider if Omnistruct so chooses – all premises, systems, computers, servers, computer programs, data, and other documentation required by Omnistruct to implement and complete the Services.

2.4 Customer Venue. Customer is responsible for procuring and maintaining a venue and proper electronic and network connections that connect the Customer network to the Services and that satisfy all minimum standards for the implementation and maintenance of the Subscriptions and Services. Customer will use reasonable efforts to maintain and protect the software Subscriptions, and assumes all risk of loss, damage, theft or information disclosure while in Customer’s administrative stewardship and possession.

3. FEES

3.1 Fees and Payments. In consideration for Omnistruct providing the Subscriptions and Services, Customer will pay Omnistruct all set-up fees and subscription fees specified in the attached SOW (“Fees”). Unless otherwise specified in the SOW, Omnistruct will invoice Customer monthly in advance for the Fees due and payable for that period, and Customer will pay each such invoice within thirty (30) days following receipt of the invoice. All amounts not paid when due under this Agreement will accrue interest daily at a rate of 1.5% per month or the highest rate permissible by law, whichever is lower, until the unpaid balance is paid in full. Customer will reimburse Omnistruct for all fees, costs, and expenses (including attorneys’ fees and court costs) incurred to collect amounts properly invoiced but not timely paid. Amounts billed by Omnistruct become final unless disputed within ten (10) days after Customer’s receipt of the invoice. In the event of an early termination of this Agreement prior to the conclusion of the Term (other than the Customer’s termination for Cause as outlined in Section 7.2 below), Customer will pay all Fees specified in the SOW, and fees will be due upon receipt of final invoice.

3.2 Taxes. The Fees do not include any local, state, federal or foreign taxes, levies or duties of any nature, including value-added, sales, use or withholding taxes (collectively, “Taxes”). Customer is responsible for paying all Taxes, excluding only taxes based on Omnistruct’s net income. If Omnistruct has the legal obligation to pay or collect Taxes for which Customer is responsible under this Section, the appropriate amount shall be invoiced to and paid by Customer unless Customer provides Omnistruct with a valid tax exemption certificate authorized by the appropriate taxing authority.

4. CONFIDENTIALITY

4.1 Definition. “Confidential Information” means: (i) information that is labeled as proprietary or confidential or, if disclosed orally, is identified as proprietary or confidential at the time of its disclosure and is summarized in writing and sent to the recipient within thirty (30) days of such disclosure; and (ii) any information that, due to its nature or the circumstances of disclosure, would reasonably be deemed confidential. The terms and conditions of this Agreement will be deemed the Confidential Information of both Parties.

4.2 Use and Nondisclosure. Both during and after the Term of this Agreement, neither Party will use the other Party’s Confidential Information for any purpose other than for the performance and enforcement of this Agreement, nor disclose such Confidential Information to any party other than those of its employees and contractors who need to know such Confidential Information for performance and enforcement of this Agreement and who are bound by a written agreement that contains use and nondisclosure restrictions at least as protective as those set forth in this Agreement. Each Party will use the same efforts to protect the confidentiality of the other Party’s Confidential Information that it ordinarily uses to protect the confidentiality of its own confidential information of like importance, but in no event less than reasonable efforts. The foregoing obligations and restrictions will not apply to any information that: (i) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving Party; (ii) is rightfully known by the receiving Party prior to the disclosure of such information from the disclosing Party; (iii) is independently developed by the receiving Party without use of the disclosing Party’s Confidential Information; or (iv) the receiving Party rightfully obtains from a third party who had the right to disclose such information without breach of any confidentiality obligation to the disclosing Party. Additionally, data collected by Omnistruct regarding the performance of the Services and/or aggregated data regarding usage of the Services by multiple customers, which do not identify Customer or any Authorized Users shall not be deemed Confidential Information hereunder, and Omnistruct shall have the right to reproduce, distribute and otherwise use such aggregated anonymous data in connection with its business.

4.3 Permitted Disclosure. The foregoing provisions of this Section 4 will not restrict either Party from disclosing the other Party’s Confidential Information or the terms and conditions of this Agreement: (i) pursuant to the order or requirement of a court, administrative agency, or other governmental body; provided that the Party required to make such a disclosure gives reasonable notice to the other Party to enable it to contest such order or requirement; or (ii) on a confidential basis to its legal or professional financial advisors or to present or future providers of venture capital and/or potential private investors in or acquirers of such Party.

4.4 Notification. Each Party agrees to notify the other Party without undue delay and within the time frame required under applicable law if it knows or reasonably suspects that a data breach in the disclosing Party’s networks or systems has occurred, where such breach or suspected breach would likely affect the Services. Such notice will include all available details required under law for each Party to comply with its own notification obligations to regulatory authorities or individuals affected by the data breach. Unless otherwise specified in the SOW, Omnistruct is not obligated to notify Customer for a data breach or suspected data breach in the Customer’s own networks or systems.

5. WARRANTY

5.1 Subscriptions. Omnistruct warrants to Customer that the Subscriptions will for the Term of this Agreement, be free from material defects and operate in substantial conformance with Omnistruct’s published specifications. If any Subscription fails to conform to Omnistruct’s warranty, Omnistruct will promptly repair or replace such nonconforming Subscription at its expense. The foregoing warranty shall not apply, and Omnistruct will have no obligation, with respect to Subscription that is: (i) reverse engineered, abused, misused, or neglected by Customer or a third party; (ii) not used or maintained in a normal and proper manner, in accordance with the commercially reasonable practices; (iii) tampered with, modified, altered, or repaired without the prior written approval of Omnistruct; or (iv) subjected to inadequate utility service, failure of electrical or other energy supplies, incorrect physical environment, or other inadequate facilities or utilities, Exceptions (i) through (iv) of the above warranty shall be determined solely by Omnistruct.

5.2 Services. Omnistruct warrants to Customer that the Services will provide the functionality specified in the SOW. If the Services fail to conform to the foregoing warranty, as Customer’s sole remedy for such failure, Omnistruct promptly will modify the Services to correct the non-conformity. Except as expressly provided in this Agreement, Customer’s sole remedy for a breach of the limited warranty provided in this Section or any accompanying SOW will be for Omnistruct to use commercially reasonable efforts to bring the Services into substantial conformity with applicable specifications or, if Omnistruct is unable to do so, then for Customer to obtain a refund equal to the value of the nonconforming portion of the Services upon removal of all software required for Subscription(s). Customer will have no remedy for a breach of this section if: (i) Omnistruct is unable to reproduce the problem; (ii) Omnistruct is not provided with a description of the parameters, procedures, or conditions that describe and generate the problem in sufficient detail to permit isolating the code that causes the problem; (iii) Omnistruct is not provided access to all data files, software, and system access required to reproduce and analyze the problem; or (iv) Customer refuses or fails to follow any corrective actions recommended by Omnistruct. Unless expressly stated in the attached SOW, Omnistruct offers no warranties, intended or implied, for: cybersecurity oversight, governance, compliance, insurance or legal regulatory compliance risks, exposures, or fiduciary impacts related to a cybersecurity breach.

5.3 Disclaimers. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 5, OMNISTRUCT DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES OF ANY KIND WHATSOEVER, EXPRESS OR IMPLIED, IN CONNECTION WITH THIS AGREEMENT AND THE SERVICES, SOFTWARE, AND SUBSCRIPTIONS INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. OMNISTRUCT DISCLAIMS ANY WARRANTY THAT THE SERVICES WILL BE ERROR FREE OR UNINTERRUPTED OR THAT ALL ERRORS WILL BE CORRECTED. IN NO EVENT WILL OMNISTRUCT’S TOTAL LIABILITY TO CUSTOMER OR TO ANY THIRD PARTY IN CONNECTION WITH THIS AGREEMENT OR ACCESS TO OR USE OF THE SERVICES, FROM ALL CAUSES OF ACTION AND UNDER ALL THEORIES OF LIABILITY, EXCEED THE TOTAL AMOUNTS PAID BY CUSTOMER TO OMNISTRUCT UNDER THIS AGREEMENT IN THE TWELVE MONTHS PRECEDING THE CLAIM.

6. INDEMNIFICATION AND LIABILITY

6.1 Indemnification by Omnistruct. Omnistruct will defend any action or suit brought against Customer by a third party to the extent that it is based upon a claim that the Services, as provided by Omnistruct to Customer pursuant to this Agreement: (i) infringe any U.S. patent or U.S. copyright; or (ii) Omnistruct’s direct actions or inactions are found to originate a data-security incident experienced by the Customer. Omnistruct will defend and indemnify and hold Customer harmless from and against any direct damages, costs and expenses (including reasonable attorneys’ fees) awarded against Customer or payable in settlement with respect to such claim, provided that Customer: (i) promptly notifies Omnistruct in writing of the claim; (ii) grants Omnistruct sole control of the defense and settlement of the claim; and (iii) provides Omnistruct, at Omnistruct’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the claim. THE FOREGOING STATES OMNISTRUCT’S SOLE LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDY FOR ANY CLAIMS OF INFRINGEMENT OR MISAPPROPRIATION OF ANY THIRDPARTY INTELLECTUAL PROPERTY RIGHTS OR DATASECURITY INCIDENTS.

6.2 Indemnification by Customer. The Customer will defend and indemnify Omnistruct and its officers, directors, employees, agents, licensors, and suppliers and hold them harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, and expenses (including but not limited to reasonable attorneys’ fees) from any claim, judgment, or adjudication against Omnistruct related to or arising from or in connection with: (i) a claim that Omnistruct’s use of any materials provided by Customer, as permitted under this Agreement, infringes the rights of any third party; (ii) any license, sale, or distribution of any Customer product or service; or (iii) the Customer’s breach of any warranty or representation established in this Agreement.

6.3 Exclusions. Notwithstanding the terms of Section 6.1, Omnistruct will have no liability for any infringement or misappropriation claim of any kind to the extent that it results from: (i) the combination, operation or use of the Services with Customer equipment, devices, software or data not supplied by Omnistruct, if a claim would not have occurred but for such combination, operation, or use; or (ii) Customer’s use of the Services other than in accordance with this Agreement.

6.4 Limitation. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES, LOSS OF USE, PROFITS, GOODWILL, REVENUE OR DATA, OR THE COST OF PROCURING SUBSTITUTE GOOD OR SERVICES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE PROVISION OF SERVICES, SOFTWARE, OR SUBSCRIPTIONS HEREUNDER.

7. TERM AND TERMINATION

7.1 Term. Unless modified in the applicable SOW, this Agreement will commence on the Effective Date and will continue twelve (12) months, unless terminated earlier as provided in this Agreement. This Agreement will automatically renew for subsequent twelve (12)-month terms unless either Party notifies the other in writing of its intent not to renew at least thirty (30) days prior to the end of the then-current term. The initial term and any renewal terms are collectively the “Term”.

7.2 Termination for Cause. Either Party may terminate this Agreement upon written notice if the other Party breaches any material term of this Agreement and fails to cure such breach within thirty (30) days following written notice thereof from the non-breaching Party. (“Cause”). In the event Customer terminates this Agreement for Cause, Customer shall only owe Omnistruct the Fees previously invoiced to Customer and shall not owe Omnistruct any Fees for future subscription Services between the date of termination for Cause and the end of the Term of this Agreement.

7.3 Effect of Termination. Upon any expiration or termination of this Agreement: (i) Customer’s and its Authorized Users’ right to access and use the Services will immediately terminate; and (ii) each Party will return and make no further use of any Confidential Information of the other Party. The rights and obligations of the Parties under Sections 3, 4, 6, 7.3 and 8 will survive any expiration or termination of this Agreement.

8. GENERAL

8.1 Assignment. Neither Party may assign or transfer this Agreement, in whole or in part, without the other Party’s written consent except in the event of a Change of Control. Any attempted assignment or transfer without such consent will be void. “Change of Control” means, with respect to a Party: (i) acquisition of the majority of voting stock of such Party or all or substantially all of its assets; or (ii) the merger of such Party with another entity. Subject to the foregoing, this Agreement will inure to the benefit of the successors and permitted assigns of the Parties.

8.2 Miscellaneous. This Agreement shall be governed by and construed in all respects in accordance with the laws of the state of California. All actions will be subject to the exclusive jurisdiction of the federal and state courts of the state of California. Any notice given to a Party under the Agreement shall be in writing and delivered personally or sent by overnight delivery service or commercial courier. A waiver of any right hereunder shall in no way waive any other rights. In the event any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force and effect. No waiver, alteration, modification or amendment of this Agreement shall be effective unless in writing and signed by both Parties. This Agreement, including SOWs, constitutes the entire agreement regarding the subject matter hereof and supersedes all prior agreements, understandings and communications, oral and written, between the Parties regarding the subject matter hereof. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, and all shall together constitute one instrument.

8.3 Customer Representations. Customer represents and warrants that: (i) the person signing this Agreement is duly authorized to act on behalf of Customer; (ii) Customer’s execution of this Agreement will not violate any provision or law of its governing, organizational documents, or result in the breach of any agreement to which it is a party; (iii) Customer is the end-user of the Subscriptions and Services, and (iv) Customer’s use of the Products and Services will not violate any law in any jurisdiction.

9. OMNISTRUCT RESPONSIBILITIES

9.1 Subscription Service. Omnistruct and its affiliates will provide service(s) as defined in “SOW” using a commercially reasonable effort.

9.2 Onboarding Assistance. Omnistruct and its affiliates will provide up to two (2ea) hours remote onboarding support using a commercially reasonable effort.

9.3 Web Portal Access. Omnistruct and its affiliates will provide secured one (1ea) web-based Governance and regulatory compliance web application portal for up to four (4ea) named users for Customer and their IT provider to track compliance, actions, suggested controls, and other governance and regulatory compliance functions throughout the term of the agreement.

9.4 Assignability of Service & Service Transferability. In the event service maintenance delivery by Omnistruct or its affiliates changes, whether through service grandfathering subscription-service retirement, subscription service provider changes, mergers, or acquisitions, Omnistruct will notify Customer of applicable changes to ensure service continuity from Omnistruct and its affiliates to Customer continue.

9.5 Response & Resolution Priority Types. Omnistruct Ticket Response and Resolution will be 8a-5p (Pacific Time) Monday-Friday (excluding Omnistruct observed holidays). All incident response work will occur during business hours. Problem Resolution Targets times, operational continuity of Customer business, and Customer data integrity are NOT guaranteed.

9.6 Compliance Desk Tickets. Support requests, or inquiries regarding the subscription service will be made by Customer primary or secondary point of contact and must be sent electronically to [email protected]. Response to all inquiries will have a one-next-business day (1-NBD) turn around and will be actionable using a commercially reasonable effort.

9.7 Confidentiality. All information reviewed and handled by Omnistruct and its affiliates in the delivery of our Services will be Confidential.

10. CUSTOMER RESPONSIBILITIES

10.1 Points of Contact. Customer will provide a Primary and Secondary Technical point of contact to Omnistruct and its affiliates for all ticket authorization, onboarding, account reporting, and recommendations. Customer will provide a Primary and Secondary Billing point of contact to Omnistruct for all invoices, credits, and disputes. Customer Primary and Secondary points of contact will be responsible for all Ticket creation, Ticket Escalations, and Urgent Incident Declarations that may require evidence retention. Customer understands that all Points of Contact will be authorized to order work, open tickets, declare Urgent Incidents, Set Priorities, and declare disasters.

10.2 Out of Scope, Incidental Overages, Urgent, & Holiday Work. Customer will be billed and be responsible for all work ordered outside the scope of Contracted Services. Incidental work, assessments, projects, and integrations by Omnistruct or its affiliates are not covered under this contract will be billed at the rates identified in your SOW or as otherwise agreed mutually by both Parties.

10.3 Suitability of Existing Environment. Customer will be responsible for meeting the Minimum Standards Required for service in order for services to be installed and service guaranteed. Standards include, but are not limited to:

10.3.1 The environment must have a currently licensed, unified threat management or next-generation firewall for all ingress and egress public-internet traffic at their internet with active maintenance and service subscriptions to advanced next-generation features,

10.3.2 The environment must have fully licensed, supported, and genuine software for all assets that transfer or retain sensitive data,

10.3.3 The Customer must allow log extractions from internal contracted assets to external logging site,

10.3.4 Internet bandwidth access performance to our platform and applicable collector(s) must have sufficient bandwidth per site at all times and Customer must provide at least two external public IP addresses for virtual private network connectivity or secure communications of any on premise host assets provide by Omnistruct and its affiliates,

10.3.5 Customer must have stable and functioning internal and external DNS at all sites without bifurcation of network segments and must identify any multihoming, failover, IPv6, or redundant services in use for appropriate network identification.

11. NO SECURITY GUARANTEES

11.1 Security / Rights Management Guidelines. No representations or guarantees are offered by Omnistruct and its affiliates to Customer network, sensitive data, or any variation of privacy data security or retention. Customer understands that Omnistruct does not develop, license, manufacture, or control the infrastructure assets or acquired licenses or code of Customer or its 3rd party providers and therefore can NOT guarantee that Customer information security or data will be 100% safe, protected, or compromise-proof. Customer understands that Omnistruct is a compliance as a service provider focused on “hands off” Customer technology services . Customer also understands that any applications required for Customer business will increase the risk of a security vulnerability, exploit, and compromise and will NOT hold Omnistruct responsible for security incidents. Omnistruct will NOT monitor the physical or human element aspect of Customer or Customer user(s) security. Customer understands that security is about minimizing risk and that no environment is 100% secure. Customer also understands that Omnistruct offers no guarantees to Customer that their physical building, office, environment, infrastructure, systems, or network will be 100% secure as part of this service.

11.2 Limited Service Guarantees. Omnistruct guarantees all accredited work will conform to applicable Omnistruct accreditation requirements for which Omnistruct has achieved accreditation or the work will be redelivered at no cost to Customer. Omnistruct offers no guarantees of any kind in the delivery of all other Services. Omnistruct is unable to guarantee compliance or adherence to any regulatory requirements, accreditation requirements, attestation requirements or adherence to any US or International laws in the delivery of our Services. Omnistruct is not a law firm and that any recommendations by Omnistruct and its affiliates regarding governance or risk consultation provided by Omnistruct should be reviewed by a licensed attorney.