MASTER SERVICES AGREEMENT
THIS MASTER ASSESSMENT SERVICES AGREEMENT (“Agreement” or “MASA”) is entered into upon quote signature (“Effective Date”), by and between OMNISTRUCT, INC., a California Corporation with its offices at 2740 Fulton Ave, Suite 101-02, Sacramento, CA 95821 (“OMNISTRUCT” or “PROVIDER”), and _______________________, a _________________ corporation with its principal place of business located at ___________________________________________ (“COMPANY”) for the purchase of Services (“Product Proposals”) sold or resold by OMNISTRUCT to COMPANY. OMNISTRUCT and COMPANY will each be referred to as a “Party” and will be referred to collectively as “Parties” to this Agreement.
Provider provides security, investigative, forensics and other cybersecurity related assessment, cyber governance management, cyber risk management, third party risk management, and related services to organizations. Company desires to order and obtain and Provider agrees to provide such services as specified in this Agreement and the Attachments, Exhibits, Schedules, Addendums, Subscriptions, and Statements of Work (“SOW”) attached and made part of this Agreement.
In consideration of the mutual promises herein contained and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Company and Provider agree as follows:
1. DEFINITIONS.
In addition to capitalized terms defined elsewhere in this MASA, the following terms will have the meanings set forth below:
(a) Affiliate. An entity that controls, is controlled by, or is under common control with the subject entity. Control for this purpose means direct or indirect ownership or control of more than 50% of the voting interests of the entity. With respect to any specific Person, Affiliate means any other Person that directly, or indirectly through one or more intermediaries, controls or is controlled by, or is under common control with, the specified Person.
(b) Agreement. This Master Services Agreement, including its attachments, exhibits, and SOWs, and including any future SOWs executed between the Parties in accordance herewith.
(c) Assigned Vendor. The Company supply chain vendors identified by Company in a Third Party Risk Management contracted service Proposal.
(d) Business Day. Any day which is neither a Saturday nor a Sunday, nor a legal holiday on which commercial banks are authorized or required to be closed in California.
(e) Confidential Information. Any non-public data, information, and other materials regarding a party’s products, services, or business (and, if the party is bound to protect the confidentiality of a third party’s information, of the third party) where the information is marked or otherwise communicated as being “proprietary” or “confidential” or the like, or where the information should, by its nature, be reasonably understood to be confidential or proprietary. For clarification, Confidential Information includes “Personal Data,” Personally Identifiable Information, Personal Information, or similar terms as defined under applicable data protection laws. The party disclosing Confidential Information is referred to as the “Discloser” and the party receiving Confidential Information is referred to as the “Recipient.”
(f) Customer Data. Electronic data and information that is submitted to our Service by you or your Affiliates.
(g) Deliverables. Will mean the technology solutions, reports, work papers, plans, designs, assessments, programming, software, or other designated work product specified in the applicable SOW.
(h) Documentation. All specifications, user manuals, and other materials relating to the Service that we provide or make available to you or your Affiliates, as modified from time to time.
(i) Fees. Provider’s fees to be paid Provider by Company for Provider’s performance of the Services and/or provision of the Deliverables as specified in the applicable SOW.
(j) Framework. A supporting set of controls created by an accredited organization or governing body that form the basis of a cybersecurity governance, risk, and compliance program.
(k) Governance as a Service (GaaS). A Governance as a Service subscription, or other related services, including the enablement and administration of a GRC Platform or other surveillance software for governance and risk management, and the ongoing maintenance of documented proof of compliance and consultative oversight and guidance for your contracted programs and Frameworks. GaaS includes meetings, policy updates, regulatory and statutory cyber legislation updates, and security program coaching as specified in a SOW.
(l) GRC Desk. The Omnistruct governance, risk, and compliance help desk analyst support team using email or telephone contact details identified in your Proposal.
(m) Implementation Service. Professional Service purchased from us and required for the set-up of your GaaS compliance administration and monitoring.
(n) Order. Each written or online order that specifies the Service to be provided by us and the Fees applicable to those Services. By entering an Order, you and your Affiliates are agreeing to be bound by these terms. An Order may be included in a Proposal.
(o) Proposal. A document set forth in a SOW with detail of the Service that we are proposing to provide to you or your Affiliates through this Agreement.
(p) Reports. Analyses and recommendations we may provide from time to time that are designed to document proof of your governance and risk actions for compliance with the Framework standards specified in the Service.
(q) Service. The products (e.g., software, Software as a Service, subscriptions) and Services (e.g., investigative, consultative, implementation, design, scripting, writing, programming, installation) that we provide to your Company, whether Professional Service, those that are ordered by you under an Order or those that you receive under a free trial, including any associated offline components.
(r) Third Party Risk Management as a Service (TPRMaaS). A Third Party Risk Management as a Service subscription, or other related Services, including the enablement and administration of a GRC Platform or other surveillance software with supply chain modules. TPRMaaS includes ongoing maintenance and oversight of cyber risk information security questionnaires for Assigned Vendors in Company’s supply chain, measured against the specific programs or Frameworks of Company as specified in a SOW.
(s) User. In the case of a person accepting the Agreement on their own behalf, that person. In the case of a person accepting the Agreement on behalf of a legal entity, an individual (1) that the legal entity has authorized to use the Service, (2) for whom it has purchased a service, and (3) who has been supplied a Username and password, either by the entity or by us at the entity’s request. Users may include, for example, your employees, consultants, contractors, and agents.
(t) You or Your. In the case of a person accepting the Agreement on their own behalf, the person. In the case of a person accepting Deliverables on behalf of a legal entity, that legal entity and any Affiliates of that entity that itself has entered an Order.
2. COMPANY RESPONSIBILITY
(a) The MASA governs your access to and use of our Service and all content, services, tools, technologies, and products that may be available through our portals, website, or off-line. This includes electronic signature Service, online uploads, displays, deliveries, acknowledgments, and storage Service for documents and electronic contracts (collectively, “E-Service”). We will also perform the professional Service described in any duly executed Proposal.
(b) You are engaging us to provide Service as described in the relevant Proposals (each, a “Proposal”). Neither of us will have any obligations with respect to a draft Proposal unless and until it has been fully executed (Electronic Signature or Written Signature and first month’s payment). If a Proposal conflicts with the MASA, the Proposal will govern, but solely for the Service it describes. The only exception is if the Proposal explicitly states that it is intended to modify the conflicting MASA terms. In many cases, Service to an Affiliate may be required. These will be added to any Proposal via a change order.
(c) Subject to your (1) purchasing the right to access and use the Service from us, and (2) your use of the Service in compliance with the MASA and the applicable Proposal, we grant you a limited, non-sublicensable, non-exclusive, non-transferable license to access and use the Service by up to the number of Users described in the Proposal. This grant is (1) for your internal use only, (2) for the use(s) described in the Proposal, and (3) is subject to the MASA and any Documentation that we provide to you relating to the Service. Holistically, we refer to this as a “Subscription,” and your Subscription is not for resale or further distribution unless we otherwise agree in writing. Except as otherwise provided in a Proposal, or as may be expressly permitted by applicable law, you will not, nor will you permit or authorize anyone else to: (1) modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Service; (2) copy, reproduce, distribute, republish, download, disclose, encumber, time-share, license, sell, display, or transmit any part of the Service in any form or by any means; (3) frame or use framing techniques to enclose any trademark, logo, or other portion of the Service; (4) use or access the Service to build a similar or competitive product or service; (5) intentionally hold us, or our employees and directors, up to public scorn, ridicule or defamation; (6) take any action that materially interrupts or interferes with, or that might reasonably have been expected to materially interrupt or interfere with, the Service, our business operations or our other customers; (7) run any form of auto-responder or “spam” on the Service or use the Service to otherwise send “spam” to any third-party; (8) use the Service in any unlawful way, for any unlawful purpose or to violate any law, code of conduct or other guideline that may be applicable to the Service; (9) circumvent or disable any security features or measures in the Service; or (10) publicly post any material that we provide and that is both copyrighted and specifically related to Cybersecurity Policies. Any rights not expressly granted in the MASA are reserved by us.
(d) You will not access, store, distribute, or transmit any Viruses or other material that adversely affects our systems. This includes anything that (1) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing, or racially or ethnically offensive; (2) facilitates illegal activity; (3) causes damage or injury to any person or property; or (4) is in violation of the MASA. The term “Virus” refers to any thing or device (including any software, worms, or the like) that may prevent, impair, or otherwise adversely affect (1) the operation of computer software, hardware or networks, any telecommunications service, equipment, or networks, or any other service or device, (2) access to or the operation of any program or data, including its reliability, or (3) the user experience.
(e) You will ensure that your network and systems comply with the specifications we provide from time to time. You will give us any information we may need to provide the Service. You will obtain, maintain, and support all Internet access, computer hardware, and other equipment and Service required for you to access and use the Service. You will set access controls for your authorized Users. You will use commercially reasonable efforts to prevent unauthorized access to or use of the Service. You will give us prompt notice (but no later than 48 hours) of any unauthorized use of your account or any other known breach of security. You authorize us to send you marketing materials or other documentation periodically.
(f) We reserve the right, without liability to you, to disable or suspend your access to the Service if (1) there is any breach or anticipated breach by you of the MASA; (2) you or your Users’ use of the Service disrupts or poses a security risk to the Service or any other customer, may harm our systems (or any provider of any third-party Service) or may subject us or any third-party to liability; (3) you or your authorized Users are using the Service for fraudulent or illegal activities; (4) our continuing to provide any Service to you is prohibited by applicable law; or (5) any invoice is past due more than 5 calendar days beyond the due date.
(g) Company understands and acknowledges that the obligation of Provider to perform in accordance with this Agreement is dependent upon, among other things, the accuracy of the assumptions and representations made by Company, the timeliness of Company management decisions, and the performance of Company personnel in meeting their obligations in accordance with this Agreement and the SOW.
(h) As appropriate and reasonably necessary for Provider’s performance of the Services and provision of the Deliverables, Company will supply, without charge to Provider, on-site Provider personnel with suitable office and storage space and use of other normal office equipment such as computers, telephones and copiers, including supplies.
(i) For Services and Deliverables in which Provider requires access to Company’s computer systems, including operating systems, applications, servers, network, and network equipment, circuits, physical access to data centers and wiring closets, digital access to computer systems, or other information technology components (“IT Environment”), Company will provide Provider with proper access to its IT Environment, including the use of appropriately configured workstations and printers as necessary. Company will be responsible for all costs and expenses for any associated third-party consents, approvals, and authorizations necessary to allow Provider to access, operate, and use Company IT Environment.
(j) In the event Provider deploys computers (physical and virtual) and other appliances, devices, and equipment to Company’s location for the performance of Services and Deliverables, Company will provide Provider with proper access to its location to retrieve Provider’s computers and other appliances, devices, and equipment. If Company does not return the computers, and other appliances, devices, and equipment upon completion of Provider’s Services and Deliverables under this Agreement and applicable Proposal and SOW, Provider will invoice Company fair market value (“FMV”) of unreturned or unretrievable Provider assets.
(k) Both Parties understand that under the terms of this Agreement Provider is responsible for providing ideas, recommendations, and certain Deliverables (as identified in the Proposal and any applicable SOW) to Company, and Company will be responsible for how Company subsequently uses those ideas, recommendations, and Deliverables. Each Party shall be liable only for the damages that might arise from the performance of its own responsibilities created herein.
(l) You and your Company understand that you have primary responsibility for active cyber incident declaration, incident recovery, business continuity, privacy, Third Party Risk, cyber insurance exclusions and subjectivities, accredited certification, Chief Information Security Officer accountability, statutory and regulatory requirements, and protection of privileged and confidential work product by an attorney in your respective jurisdictions in the consideration of potential subpoena for all Deliverables.
(m) You and your Company understand that no royalty free licensed software products will be included in the delivery of services.
(n) You and your Company are responsible for the delays caused by failure of your staff to attend or reschedule scheduled meetings.
(o) You and your Company are responsible for failures caused by systems, personnel or environmental neglect, or by missing or insufficient information provided to Omnistruct that is necessary to complete the Deliverables.
(p) You and your Company understand that Omnistruct and its affiliates will not be responsible for direct, or indirect, network or application performance during scans in electronic testing.
(q) You and your Company understand that all work, remediation actions, projects, and budgets resulting from Omnistruct findings and recommendations are the responsibility of the Company.
(r) You and your Company understand that any changes to the scope of work or scheduled work plan will impact the proposed scope, schedule, and resources and will require a change order.
3. OUR SERVICE STACK
We will provide you and your Users with a Subscription to our Assessment Service, GaaS or TPRMaaS as set forth in the Proposal for this Agreement. The coordination, number and timing of meetings, and the quantity of Deliverables, will be outlined in the Proposal for this Agreement. All key elements of proof will be stewarded on the GRC Platform provided by Company or Omnistruct as outlined in the Proposal for this Agreement. These may include any mix of:
(a) Illustrations of cyber governance compliance and cyber maturity through a series of oversight, risk register, compliance desk, capabilities, and proofs-of-documentation.
(b) Email and telephone governance support Service, on an 8x5x5 basis excluding observed banking holidays, through our GRC Help Desk for your security program, cyber governance, cyber risk, and reasonable cyber compliance questions. The GRC Desk will identify via a ticketing system, policy and risk register recommendations or actions to you and track all work in the GRC Platform.
(c) GRC Desk verification of security controls, recommendations, gaps, and attestation. These reports will be stored and tracked on the GRC Platform as evidence and proof of cyber governance and cyber risk management according to your contracted programs and frameworks.
(d) On request, GRC Desk modifications and updates to information security policies, compliance recommendations, and program attestations using the GRC Platform through an information security policy addendum or base document rebuild, as we deem reasonable. As frameworks and regulatory requirements change, we will reasonably track and modify framework versions, update written information security policies, and provide updates on regulations in scheduled GRC review meetings.
(e) Supplemental documented guideline templates with a package of user and business policies. This may include Business Continuity Plan, Disaster Recovery Plan, Framework documentation generated by Omnistruct or available in the public domain, Cyber Incident Response Plans, Ransomware Playbook, Tabletop Exercise Plan, critical control procedures, and customization of policies to prepare for assessments, executive governance and GRC meetings for security program upkeep.
(f) End-client Customer of Company attestation support and compliance defense for contracted Frameworks. This will be for the specified number of “end-client Customer of Company” requests as specified in the Proposal and will be handled and tracked by the GRC Desk ticketing system. Key elements of this proof will be managed in the GRC Platform.
(g) Meetings, tabletop exercises, and presentation of tasks for critical-incidents, patches, awareness, threat intelligence, and change control actions during the GaaS Service period. Our operations staff may prepare and provide information security reports and GRC actions in tracked support requests for the prior period.
(h) Executive meetings for security reviews, compliance metric benchmarking and tracking, high level progress reports of Risk in available risk registers, identification of security roadblocks, review of impactful policy changes, summarization of the Technical GRC compliance review meetings, and cyber risk objectives in available risk register to be performed in the next period. Our GRC Desk may provide a summary of high-level metrics to be used by your internal IT staff, integrator, legal team, or managed service provider for incident escalations, incident types, resolutions, and additional findings from the GRC.
(i) Any separately scoped and contracted Assessment Service (e.g., vulnerability tests, penetration tests, regulatory and statutory impact assessments, readiness assessments, certification mock assessments, Omnistruct third-party sub-contractor or affiliate assessments).
(j) On reasonable request, we may also provide virtual Executive level support to your executive staff regarding budgets, staffing, vendors, and other strategic planning initiatives that would be consistent with the duties of a virtual Chief Information Security Officer, Compliance Officer, or Business Information Security Officer.
(k) Any contracted Governance, risk, and compliance coaching assistance (e.g., GRC Coaching) professional service separately scoped engagement.
(l) Any contracted project management, coordination, program management, change management, or fractional Chief Information Officer for your governance, risk, and compliance separately scoped engagement with Omnistruct.
4. NON-SOLICITATION
The Parties agree that, unless otherwise agreed to by the Parties in writing, during the term of each SOW and for a period of two years thereafter, neither Party shall directly solicit, hire, or otherwise retain as an employee or independent contractor, an employee or independent contractor of the other Party who was involved in the performance of any SOW.
(a) Company acknowledges and agrees that from time to time Provider may use personnel that are not Provider employees (“Sub-Contractors”) and are independent sub-contractors to Provider to perform some of the Services and Deliverables. Provider agrees such independent contractors will work under Provider’s direct supervision and will follow all laws and conditions of this Agreement.
(b) Both Parties agree that non-solicitation violations will cause irreparable harm and that the harmed Party will have the right to legal action and reimbursement of all legal expenses from the violating Party.
5. USER CONTENT
You and your Users are responsible for maintaining the security of your accounts. You are also responsible for all activities, damage, misconduct, or breaches that occur under your account. To obtain access to the Service, you will provide each User with a unique user ID. When registering Users, each User will provide accurate information and will promptly update all registration information to keep it accurate, current, and complete. Only the User associated with a particular User ID will use that ID to access or use the Service. From time to time, you may deactivate and reallocate logons or User IDs for the Service to different individual Users, as reasonable and necessary. You will manage your User IDs (and any associated passwords and access privileges) to or for the use of the Service, in accordance with the MASA and subject to our approval. You will strictly maintain the confidentiality of all User IDs and passwords. You are solely responsible for all transactions, activities, and other consequences resulting from the use or disclosure of your logons, User IDs, and passwords. You will promptly report to us any breach of confidentiality concerning your User IDs, passwords, or the Service, or any other problem with the Service. You will not allow the Service to be accessed or used by anyone other than you and your authorized Users. We may refuse use or access to a Service by anyone other than you and your authorized Users.
(a) All content that you or your Users upload to the E-Service is defined collectively here as “Content.” You will be liable for the accuracy, quality, integrity, and legality of your Content and of the means by which your Users access and use that Content. You grant us a worldwide, irrevocable, fully paid, non-exclusive right and license to reproduce, distribute, and display Content as necessary to provide the Service. You warrant that you own all Content or that you have permission from the rightful owner to use your Content. You also warrant that you have all rights necessary for us to use the Content in connection with the Service. You and your licensors retain title, all ownership rights, and all Intellectual Property (as defined in Section 6), in and to Content and reserve all rights not expressly granted to us here. However, we may process aggregated, anonymized data that cannot identify any person and that is derived from or created through the use of the Service by you or your Users.
(b) You will not knowingly upload Content that (1) is unlawful or promotes unlawful activities; (2) defames, harasses, abuses, threatens or incites violence towards any individual or group; (3) is pornographic, discriminatory or otherwise victimizes or intimidates an individual or group on the basis of religion, gender, sexual orientation, race, ethnicity, age or disability; (4) is spam, machine-generated or randomly-generated, constitutes unauthorized or unsolicited advertising, chain letters, or any other form of unauthorized solicitation, or any form of lottery or gambling; (5) contains or installs any viruses, worms, malware, Trojan horses, or other content that is designed or intended to disrupt, damage, or limit the functioning of any software, hardware, or telecommunications equipment, or to damage or obtain unauthorized access to any data or other information of a third party; (6) infringes on anyone’s proprietary rights; (7) impersonates any person or entity, including any of our employees or representatives; (8) contains payment card data; or (9) violates laws or the privacy of any third party, our employees or our representatives.
(c) We will not screen, review, edit, censor, or otherwise filter or control Content. However, we may (but are not obliged to) review all Content or review any areas of our site where your Users transmit or post communications. We retain the right (but disclaim any obligation) to reject, not post, not use, remove, amend, deny access to or delete Content, without notice, that breaches the MASA. We retain the right to co-operate with any law enforcement authorities, or in response to court and other official requests, directing that we disclose the identity of anyone posting Content.
(d) We use third parties to host, provide Service, and store Content. The protection of Content will be in accordance with each third-party’s safeguards. You will properly configure and use the Service. You will take appropriate steps to maintain security, protection, and backup of your Content. We are not responsible for any unauthorized access to, alteration of, or deletion, destruction, damage, loss, or failure to store Content or other information that you and your Users submit or use in connection with the Service.
6. OWNERSHIP
Omnistruct retains all right, title, and interest in all Intellectual Property and proprietary rights with respect to the Service and any other materials that we provide or make available to you. “Intellectual Property” means all intellectual property or proprietary rights in any jurisdiction. Except for the rights expressly granted to you by the MASA, all Service and other materials that may be provided or made available, all modifications, compilations, and derivative works thereof, and all Intellectual Property and proprietary rights pertaining thereto, are and will remain our property and that of our respective licensors, as applicable. Notwithstanding this, you may submit comments, questions, ideas or other information to us related to the Service (“Feedback”). We may freely use, copy, disclose, license, distribute, and exploit any Feedback in any manner and without any obligation, royalty, or restriction (and to the extent any rights of ownership in any such materials, works, or rights might, for any reason, otherwise vest in you, you assign them to us).
7. DISCLAIMER OF LIABILITY
(a) Omnistruct disclaims all liability relating to Content, including any error, virus, defamation, libel, obscenity, or inaccuracy contained in Content, however it may arise. This includes liability for unauthorized use of Content or for use that infringes a copyright, trademark right, or other intellectual property right. You are solely responsible for all damages that result from submissions or use of Content and any related transactions or occurrences. We have no responsibility for unauthorized access to any of your User accounts, or for automatic forwarding of messages or viruses, however caused.
(b) The Service may integrate with or provide links to various other independent third-party products, or services (“Linked Sites”). We do not control or endorse Linked Sites. We are neither responsible for their content nor responsible for the accuracy or reliability of any information, data, opinions, advice, or statements contained within them. You will need to make your own independent judgment regarding your interaction with Linked Sites. We encourage you to be aware of when a user leaves the Service and to read the terms and privacy policy of each Linked Site. We may terminate any link or linking program at any time in our sole discretion. We disclaim all warranties, express and implied, as to the accuracy, validity, legality or otherwise of any materials, or information contained on Linked Sites.
(c) The Service may integrate with certain third-party websites and applications (“Third-Party Services”). Third-Party Services will be governed solely by the terms of the Third-Party Service, as agreed to between you and a Third-Party Service provider. We neither endorse nor support, nor are we responsible for, any Third-Party Services. You may enable integration between the Service and Third-Party Services. By doing so, you (1) instruct us to share Customer Data (including any Personal Data) with the Third-Party Service provider to facilitate the integration; and (2) grant us permission to allow the Third-Party Service provider to access Customer Data and information about your use of the Third-Party Service. You are responsible for providing all instructions to a Third-Party Service provider about the use and protection of Customer Data. We and your Third-Party Service providers will not be deemed processors or sub-processors of Personal Data with respect to each other.
8. FEES
(a) In consideration for performing the Service, you will pay us the fees in each applicable Proposal and in accordance with that Proposal, plus all fees for any applicable add-on Service (such as payments and Onboarding and Professional Services), as you may elect to use from time to time (“Fees”). All additional licenses and add-on Services (as defined in the Proposal) added during the Proposal term will be added for the remainder of the Proposal term on an annualized pro-rata basis. “Fees” are exclusive of any taxes, levies, and duties assessable by any jurisdiction, excluding only taxes based on our net income, assets, payroll, property, and employment (collectively, “Taxes”). If anything that we provide to you is subject to a Tax, you will pay that Tax. You will include payment of Taxes in your payment of Fees and expenses to us. All payments will be in U.S. dollars. Any unused portions of volume-based purchases (e.g., API Service) will expire at the end of the Contract End Date as defined in a Proposal. No amounts will roll over into subsequent contract years. Unless required by law, all amounts due and payable by you to us must be paid in full without any deduction, set-off, counterclaim, or withholding of any kind.
(b) You will pay us by check, wire transfer, ACH, or credit card. If you pay us with a credit card, then (1) you authorize us to automatically charge your designated credit card account for Fees and Taxes, in advance or as otherwise agreed in writing, and (2) a non-refundable 2.75% Convenience Fee will be added to each payment. Your authorization will remain in effect until you cancel it by providing us with notice. If the credit card account on file is closed, if the account information is changed, or if, for any reason, a charge is rejected, you will immediately update your credit card account or supply a new payment account, as appropriate. If you are unable to update your credit card account with appropriate information, then we will send an invoice to you detailing the amount due. You will pay the amount due in full within seven days after the date of the invoice. You will notify us of any changes to your account information or termination of your authorization at least 30 days before the next billing date. If payment dates fall on a weekend or holiday, you understand that the payments may be executed on the next business day.
(c) We may, without liability, disable the password, account, or access to all or part of the Service if any Fees and Taxes are not paid within 45 days of when they first become due and payable. We will not be obligated to provide any Service until all Fees and Taxes are paid in full.
9. NO LEGAL ADVICE; ELECTRONIC COMMUNICATION
(a) We are not a law firm, and the Service does not provide any legal advice. Part of the Service may involve the making of contracts or other legal, regulatory, or statutory discussions or relations, and although we attempt to make sure our information is accurate and useful, we recommend that you consult with a lawyer if legal advice is required.
(b) You will receive various electronic communications from us during your use of the Service. For contractual purposes, you (1) consent to receive communications from us in electronic form; and (2) agree that all communications that we provide to you electronically satisfy any legal requirement that a communication would satisfy if it were a written, hard copy. This will not affect your non-waivable rights.
(c) You understand that the public Internet is inherently insecure and that any devices connected directly or indirectly to it are potentially reachable by sophisticated hackers and their tools. You also understand that, given the number of individuals, contractors, and third parties who interact with your internal systems, it is inevitable that, eventually, there will be some type of compromise. The Service is designed to prepare you for when a compromise occurs by establishing a security program with a central portal for artifacts, policies, documents, and actions to help prepare you to defend yourself under the NIST CSF open standards and guidelines. No Service Level Agreements are offered absent an upgrade to our Business or Enterprise Class Service.
(d) You understand that there is no such thing as 100% secure and the Service is designed to help you prepare the evidence and proof needed to reflect your cyber governance efforts to reasonably protect the sensitive data you steward.
(e) We are not an insurance broker, and the Service we provide does not include legal support, cyber insurance coverage, or cyber breach guarantees that your cyber insurance carrier’s coverage, or the application warranty you filled out for your cyber insurance, will be sufficient to avoid declined insurance coverage or eliminate all cyber risk, sanctions, or legal action when a breach occurs.
(f) You understand that, in the event of a breach, you may have an obligation to contact your attorney and your cyber insurance carrier prior to contacting Omnistruct, or any other 3rd-party, for breach response resources, guidance, or legal advice.
(g) You understand that, in the event of breach discovery in the delivery of our assessment services, Omnistruct and its affiliates are unlikely to be contracted on panel for your cyber insurance policy, and that requesting our direct hands-on keyboard assistance during a breach prior to contacting insurance will impact your cyber insurance coverage negatively or result in insurance coverage being denied by your carrier.
10. DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY
(a) YOUR USE OF THE SERVICE AND ANY DOCUMENTATION IS AT YOUR SOLE RISK. THE SERVICE AND DOCUMENTATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WE AND OUR SUPPLIERS AND LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT GUARANTEE THE ACCURACY, COMPLETENESS, OR USEFULNESS OF THE SERVICE OR DOCUMENTATION. ANY MATERIAL THAT YOU OR YOUR USERS ACCESS OR OBTAIN THROUGH THE SERVICE IS DONE AT YOUR OWN DISCRETION AND RISK. YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTERS OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY MATERIAL THROUGH THE SERVICE. WE DO NOT REPRESENT, WARRANT, OR COVENANT THAT THE SERVICE AND DOCUMENTATION WILL BE AVAILABLE WITHOUT INTERRUPTION OR TOTALLY ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. SOME STATES MAY PROHIBIT A DISCLAIMER OF WARRANTIES AND YOU MAY HAVE OTHER RIGHTS THAT VARY FROM STATE TO STATE.
(b) WE AND OUR SUPPLIERS AND LICENSORS WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, REVENUES, PROFITS OR SAVINGS, OR LOSS OF OR DAMAGE TO COMPANY DATA FROM ANY CAUSE, EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES, THAT RESULT FROM USE OF THE SERVICE OR DOCUMENTATION. UNDER NO CIRCUMSTANCES WILL OUR TOTAL AND CUMULATIVE LIABILITY (INCLUDING THAT OF OUR SUPPLIERS AND LICENSORS) FOR DIRECT DAMAGES THAT ARISE OUT OF OR IN CONNECTION WITH THE SERVICE OR OTHERWISE (INCLUDING WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE AMOUNTS, IF ANY, THAT YOU HAVE PAID TO US IN THE 12 MONTHS IMMEDIATELY PRECEDING THE DATE OF THE CLAIM. THIS SECTION IS FUNDAMENTAL, AND ITS SPECIFIC REQUIREMENTS WILL BE CONSIDERED THE BASIS OF THE BARGAIN BETWEEN US. WE WOULD NOT BE ABLE TO PROVIDE THE SERVICE OR PERFORM OUR OBLIGATIONS WITHOUT YOUR AGREEMENT TO THESE TERMS.
(c) IN NO EVENT WILL PROVIDER BE LIABLE FOR INDIRECT OR CONSEQUENTIAL, EXEMPLARY, PUNITIVE, OR SPECIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, REVENUES, PROFITS OR SAVINGS, OR LOSS OF OR DAMAGE TO COMPANY DATA FROM ANY CAUSE, EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
11. INDEMNITY
Each Party will defend and indemnify the other Party and its officers, directors, employees, agents, licensors, and suppliers and hold them harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, and expenses (including but not limited to reasonable attorneys’ fees and all related costs and expenses) from any claim, judgment, or adjudication by a third party against a Party related to or arising from or in connection with: (i) a claim that the Services, Deliverables, or Products infringe the rights of any third party; (ii) either party’s breach of any warranty or representation established in this Agreement; (iii) either party’s failure to employ reasonable information security guidelines such as those outlined by NIST; or (iv) either party’s direct actions or inactions being found to have originated a data security incident experienced by the other party during the term of this Agreement.
12. TERM AND TERMINATION
(d) Unless otherwise terminated under this Section, the MASA will be in effect starting on the date that you specify in the contract or the date you first use the Service, whichever occurs first, and continuing for the period in the applicable Proposal (“Term”). You may request to make changes to your annual payments (i.e., reduction of plan, removal of add-ons, etc.) at least 90 days before the end of the then-current Term. Your Subscription will automatically renew on an annual basis unless you provide us with written notice of intent to not renew at least 30 days prior to the end of the then-current Term. We will send an automated renewal notice at least forty-five days prior to the end of your existing term to the responsible primary point of contact or invoicing contact provided by you. Price changes based on cost increases from our suppliers or the Consumer Price Index may be given 30 calendar days prior to the change.
(e) If either Party materially breaches the MASA or any Proposal (“Defaulting Party”) and does not cure the breach within 30 calendar days after it has received notice of the breach, the non-defaulting party may terminate Service immediately thereafter on notice to the Defaulting Party. Termination will be without prejudice to any other rights and remedies that the non-defaulting party may have at law or in equity.
(f) Either party may terminate Service if the other becomes Insolvent. For this purpose, “Insolvent” or “Insolvency” means a party makes an assignment for the benefit of creditors, has a receiver, trustee, custodian (or similar party) appointed or designated to administer its affairs or otherwise take control of its assets or business operations, becomes a debtor in a voluntary proceeding under any chapter of the U.S. Bankruptcy Code or any other law or statutory scheme relating to insolvency, reorganization or liquidation, or an involuntary petition in bankruptcy, or other insolvency proceeding, is filed against the party and is not dismissed within 90 calendar days after it is filed.
(g) Either party may terminate Service effective immediately on notice to the other party if the other ceases to do business or otherwise ends its business operations without a successor.
(h) On termination, you will pay all outstanding Fees, Taxes, charges, and expenses owed under the MASA or the applicable Proposal as if termination had not occurred. For the avoidance of doubt, any pre-paid Fees and Taxes are non-refundable.
13. CONFIDENTIALITY
(a) “Confidential Information” means any non-public data, information, and other materials regarding a party’s products, services, or business (and, if the party is bound to protect the confidentiality of a third party’s information, of the third party) where the information is marked or otherwise communicated as being “proprietary” or “confidential” or the like, or where the information should, by its nature, be reasonably understood to be confidential or proprietary. For clarification, Confidential Information includes “Personal Data,” Personally Identifiable Information, Personal Information, or similar terms as defined under applicable data protection laws. The party disclosing Confidential Information is referred to as the “Discloser” and the party receiving Confidential Information is referred to as the “Recipient.”
(b) Confidential Information will not include information that (1) is already or becomes known to the Recipient before disclosure by the Discloser or independently of the Recipient’s knowledge of the Confidential Information and is not subject to an obligation of confidentiality; (2) is independently developed by the Recipient without use of or reference to the Discloser’s Confidential Information; (3) is rightfully obtained by the Recipient without breach of the MASA or from a third party without restriction as to disclosure, or is approved for release by written authorization of the Discloser; or (4) was lawfully and demonstrably in the possession of the Recipient without use of or reference to the Discloser’s Confidential Information.
(c) A Recipient will not use or disclose the Confidential Information of the Discloser for any purpose other than as necessary and appropriate to perform its obligations under the MASA. The Recipient will cause its officers, directors, employees, agents, affiliates, and subcontractors (collectively “Representatives”) who receive Confidential Information to comply with the MASA and will bear full responsibility for any failure to comply with the MASA. A Recipient will not transfer or disclose any Confidential Information to any third party without the Discloser’s prior written consent and without the third party having a contractual obligation (consistent with this Section) to protect and keep the Confidential Information confidential. A Recipient will treat all Confidential Information of the Discloser in the same manner as it treats its own similar proprietary information, but in no case less than with reasonable care.
(d) If a Recipient is requested or required to disclose any of a Discloser’s Confidential Information under a subpoena, court order, statute, law, rule, regulation or other similar requirement (“Legal Requirement”), the Recipient will, if lawfully permitted to do so, provide prompt notice of the Legal Requirement to the Discloser so that the Discloser may seek an appropriate protective order or other appropriate remedy. If the Discloser is unsuccessful and the Recipient is legally compelled to disclose the Confidential Information, or if the Discloser waives compliance with the MASA in writing, the Recipient may disclose, without liability, any Confidential Information solely to the extent necessary to comply with the Legal Requirement.
(e) Insofar as User Data constitutes Personal Data (or any related term) under applicable data protection laws, Recipient will, taking into account the nature of the processing, assist Discloser by (1) implementing appropriate technical and organizational measures, (2) ensuring its compliance with legal obligations, and (3) making available to the Recipient all information necessary to demonstrate lawful compliance.
(f) Ownership of Confidential Information (including all Intellectual Property rights) in any materials owned by a party will remain exclusively with that party. Except as expressly stated to the contrary, nothing in the MASA will imply that any right or license in respect of Intellectual Property is being granted to the other party.
(g) On a Discloser’s written request, a Recipient will return to the Discloser all copies of Confidential Information already in its possession or within its control. However, a Recipient may keep copies of any records it is required to retain by law or regulation, or copies retained as part of the Recipient’s backup or record retention process, all of which will remain subject to these confidentiality terms. Alternatively, with the Discloser’s prior written consent, the Recipient may destroy the Confidential Information if it is (1) destroyed in accordance with applicable law, rule, or regulation, and (2) rendered unreadable, undecipherable, and otherwise incapable of reconstruction, in which case an officer of the Recipient will certify in writing to the Discloser that it has been so destroyed. The obligations regarding Confidential Information in this Section will continue in force and effect for a period of five years after termination or expiration of the MASA. Notwithstanding the foregoing, Confidential Information that is a trade secret of the Discloser will be subject to the MASA for as long as it remains a trade secret.
(h) Both parties acknowledge that a breach of this Section may result in irreparable and continuing damage to a Discloser for which monetary damages may be insufficient. A Discloser may seek, in addition to its other rights and remedies under the MASA or at law, injunctive or other equitable relief from a court of competent jurisdiction. This Section will survive the expiration or termination of the MASA.
14. FORCE MAJEURE
Except for Company’s payment obligation to Provider, neither Party will be liable to the other for any delay or inability to perform its obligations under this Agreement if such delay or inability arises from an act, event, or cause beyond its reasonable control. In the event of such a delay or inability to perform, the time for performance will be extended for a period of time at least equal in length to the delay; provided, however, that if any such delay or inability lasts for more than 60 days, either Party may terminate this Agreement by written notice to the other.
15. MISCELLANEOUS
(a) All executed Proposals are incorporated into and made a part of the MASA, which is the entire agreement between us concerning its subject matter. The MASA may only be modified by a written amendment signed by an authorized executive of each party. Any prior agreements or representations, either written or oral, relating to the subject matter of the MASA are of no force or effect.
(b) Except to the extent applicable law provides otherwise, the MASA and your access to and use of the Service will be governed by the laws of the State of California, U.S.A., excluding its conflict of law provisions. Except for claims for injunctive or equitable relief or claims regarding Intellectual Property rights (which may be brought in any competent court without the posting of a bond), any dispute between us will be finally settled under the Comprehensive Arbitration Rules of the Judicial Arbitration and Mediation Service, Inc. (“JAMS”) by three arbitrators appointed in accordance with JAMS’ rules. The arbitration will take place in Sacramento, California, in the English language, and the arbitral decision may be enforced in any court. The prevailing party in any action or proceeding will be entitled to costs and attorneys’ fees.
(c) If any part of the MASA is held invalid or unenforceable by a court of competent jurisdiction, that part will be construed to reflect the parties’ original intent, with the remaining provisions remaining in full force and effect. A waiver by either party of any term or condition in the MASA, or any breach thereof, in any one instance, will not waive the term or condition or any subsequent breach.
(d) You may not assign or transfer any of your rights or obligations under the MASA without our express, written consent. We have the right to assign this contract and its revenue as required for our business operations. The MASA will be binding on and will inure to the benefit of the parties’ successors and permitted assigns.
(e) No waiver by either of us of a breach or default, or failure to exercise any right allowed under the MASA, is a waiver of any preceding or subsequent breach or default or a waiver or forfeiture of any similar or future rights.
(f) Our relationship is and will continue to be that of independent contractors. The employees of neither party will be entitled to receive employee benefits from the other party or have any authority to act or purport to act on the other’s behalf.
(g) All notices will be in writing and sent as set forth below, or to such other addresses as may be designated by a party in writing. Notices will be deemed received when (1) delivered personally; or (2) one day after deposit with a commercial express courier specifying next day delivery, with written verification of receipt.
IF TO COMPANY, YOU, YOUR:
To the address you provided when signing up for the Service.

IF TO US:
Omnistruct, Inc.
Attn: Legal Dept.
2740 Fulton Ave. Suite 111-02,
Sacramento, CA 95821
With a copy to: [email protected]
(h) Any provision of the MASA or a Proposal which, by its nature, would survive termination will survive termination.
(i) Neither Party will be liable for any failure to perform, or delay in performing, an obligation where the failure or delay arises from a cause beyond our reasonable control (“Force Majeure Event”). If a Force Majeure Event occurs, the parties will meet and discuss how to resolve the issue. Either party may terminate the Service and the applicable Proposal by giving the other notice if the defaulting party fails to perform its obligations for three continuous months due to a Force Majeure Event. This subsection does not apply to Section 13, any obligation to pay money, or any other obligation that is unaffected by the Force Majeure Event.
(j) We have negotiated the MASA, and each party’s legal counsel has had the opportunity to review it. Any rule of construction or interpretation requiring resolution of any ambiguities against the drafting party will not apply in the construction or interpretation of the MASA.
(k) The Service we provide is not exclusive, and we may provide it to others.
(l) The headings and titles of the Sections of the MASA are not part of the MASA and are for convenience only. They are not intended to define, limit, or construe the contents of these provisions. As used in the MASA, the term “including” means by way of example and not limitation.