SERVICE AGREEMENT – CORE SECURITY
The terms contained in this Service Attachment apply to all Service Orders for the provision of CORE Security Services by Accellis (sometimes referred to as “we,” “us” or “our”) to a Client (sometimes referred to as “you” or “your”). All Service Orders are also subject to the terms of the Master Services Agreement (“MSA”) between Accellis Technology Group Inc. and the Client. Capitalized terms used and not otherwise defined herein shall have the same meanings as outlined in the MSA.
1. Service Description
1.1. Services Included
Accellis provides CORE Security Services according to the following definitions. A CORE Service Agreement does not necessarily include all of the types of services described below as the services to be delivered for each instance are identified in the applicable Client Service Order. Support is provided only for the users, office locations, and devices identified or described in (“covered” by) the applicable Service Order. Third-Party Products and Services are deemed to be provided according to the terms and conditions made available by the third-party vendor or service provider.
- Identity Protection/Multi-Factor Authentication: Accellis CORE Security multifactor authentication (CORE MFA) provides an additional form of identification beyond username and password. The solution is compatible with many more cloud and on-premise applications than other solutions while supporting a wider assortment of authentication mechanisms, making it easier to implement and use.
- DNS Protection: DNS Protection with Category Filtering provides an extra layer of defense to protect your network from threats that may get past your employees, computer antivirus, or the firewall. This cloud-based system can prevent ransomware, malware, and phishing attacks by prohibiting access to the infected server producing them. For regulated industries, built-in filtering can restrict access to forbidden websites and provide comprehensive reports.
- Vulnerability Management: Our industry-leading vulnerability management system continuously scans your assets to provide visibility into where your business might be vulnerable to the latest Internet threats. The Accellis SecOps team provides monthly risk reports and can remediate critical vulnerabilities before they turn into breaches.
- Managed Breach Detection: Based on a proprietary Breach Detection System, our SecOps team detects malicious activities within your network environment that are invisible to most security tools. By leveraging machine learning and human expertise, we can detect threats as they appear and offer a direct and speedy response.
- Email Protection: Using Total Email Protection from Barracuda (BTEP), Accellis provides industry-leading email threat protection with an AI engine that detects threats that traditional email gateways cannot. Cloud-to-cloud backup protects your Office 365 email, contacts, and calendars from accidental deletion and malicious actors.
- Phishing Education: Using our training templates, we can schedule out phishing campaigns to test your users’ ability to spot a malicious email or provide video training on the most common Internet threats.
- Virtual Chief Information Security Officer (“vCISO”): Our vCISO services offer leadership, planning, and budgeting for information security. In conjunction with our SecOps team, we can provide training, manage projects, and perform other security-related activities.(1)
- Dark Web Scanning: When you subscribe to CORE Security, we provide your company with a continuous scan of the web for compromised passwords or leaked employee information using your corporate email addresses. We alert you when necessary so that we can take immediate action to protect your accounts. The service also includes monitoring for C-Level personal email accounts.
- Additional Services:
  - Written Information Security Program
  - Risk Assessments
  - Penetration testing
  - Incident Response Planning
  - End-user Cyber Training
  - Questionnaires/assessments requested by vendors and/or customers
  - Desktop exercises
  - Assistance in the event of Cyber-Attacks (as defined in Section 17.5 of the MSA), including the removal of computer viruses, malware or malicious programs from computer systems.(2)
  - File Restores: restoration of specific files or data from an approved backup solution.
  - Post Breach Digital Forensics
  - vCISO hours outside those listed in the Service Order and included within this Agreement
- Services provided by Accellis strictly as an independent contractor. No officer, employee or similar relationship is intended or implied.
- Provided the Client is a MITS Full Client and engages in all aspects of the CORE Security Program, Accellis will provide up to a $10,000 credit for billable time required to remediate a security event. Third party services are not covered by this credit. Billable time over this credit will be invoiced at standard Accellis cyber-engineering rates at the time of the event.
1.2 Services Excluded
Services not specifically described in this Service Agreement and the applicable Service Order are excluded from this Agreement. The types of services that are excluded include, but are not limited to, the types of services described in this Section 1.1 under ‘Additional Services’. These types of services may be available as a separately billed project, or as part of our Managed IT Services plan.
- Data Backup services (Cloud or Local)
- Email recovery services
- Client or 3rd Party assessments of Accellis
- Other Security related projects
- Security Questionnaire completion
- Performance or testing of disaster recovery events & systems
- Planning & documentation for disaster recovery
- Workstation recovery/hardware replacement as the result of malware or virus
- Complete or large-scale restoration of files from backup
Private Network Security Support
Accellis recommends that the Client carefully consider which Devices are authorized to connect to the Client’s office network. The Client acknowledges that external systems are not managed by Accellis and may facilitate the infection of Client’s systems by viruses or other damaging code or access to Client’s systems by unauthorized persons.
2.1. Implementation Fee
A one-time setup fee (payment terms for which will be outlined in the applicable Order) is charged in connection with the implementation of CORE Security Services. This includes:
- Deployment of applicable hardware or software agents
- In-house or MSP support for system deployment
- End-user training where applicable
- Configuring of monitoring & alerts
- Three weeks of adjustments to installation and configurations
- Training and support for monthly reporting and cloud-based threat dashboards
2.2. Service Fees
For the ongoing CORE Security Services to be provided by Accellis, Client shall pay the Monthly Service Fees specified in the Order. Monthly Services Fees are payable one month in advance.
Pricing is determined by the product vendor, number of supported users, office locations, devices and/or other Usage Parameters outlined in the Order. Devices include, but are not limited to: servers, workstations (desktop & laptop computers), mobile devices (smartphones & tablets), storage devices (SAN & NAS systems), network equipment (routers, Internet connections, firewalls, switches, wireless access points, etc.), and network devices (printers, cameras, scanners, phones, etc.). If there is an increase in the number of users, office locations or Devices to be covered within the scope of a Service Agreement, or if Client’s use of the Services in any other way exceeds the Usage Parameters set forth in the applicable Order or Vendor Agreement, then Accellis shall be entitled to make a pro-rata adjustment to the Monthly Service Fees based on the per-unit charges then applicable under the terms of the Order. Client shall pay all Monthly Service Fees owed to Accellis as they become due following any such adjustment.
2.3. Client Delay
If Accellis is unable to commence delivery of the Services on the start date outlined in the applicable Order or otherwise agreed upon by the parties because of any failure on your part, including but not limited to the failure to provide access to your resources in a timely manner, you nonetheless will begin to incur Monthly Service Fees, which you shall pay beginning on the agreed-upon start date.
2.4. Adjustments to Fees for Third-Party Products and Services
Third-Party Products and Services (such as email protection, DNS Protection, etc.) are provided by Accellis in connection with the CORE Security Services, and Accellis shall have the right to pass through to the Client any increases in the prices of such Third-Party Products and Services as set forth in Section 10.2 of the MSA.
3. Service Terms
3.1. Client Requirements
Client agrees to:
- Provide remote access to all supported devices, as needed, to allow technical issues to be resolved. Client acknowledges that some aspects of the Services may require unattended remote access.
- Provide Accellis SecOps with the latest Incident Response Plan for call trees and escalations.
- Notify Accellis via SecOps@accellis.com seventy-two (72) hours or more prior to any significant system or network changes.
- Designate a primary point of contact or contacts to interact with the Security Team.
3.2. Service Level Objectives
Accellis will use commercially reasonable efforts to maintain satisfactory uptime and availability for all supported security products and services as defined within this Agreement and the applicable Service Order. As cyber threats are a constantly evolving target, response time guarantees for cyber threats are not possible.
3.4. Delays Not Attributable to Accellis
The Client acknowledges that system availability and the time required to resolve problems may be affected by reasons beyond Accellis’ control, including application or product performance and availability. Accellis shall not have any liability for system unavailability or delays resulting from causes beyond its control.
4. Term & Termination
A Service Contract for the provision of CORE Security Services shall have such term as is specified in the applicable Order (the “Initial Term”). If a term is not specified in the Order, then the Initial Term of a Service Contract for CORE Security Services shall be twenty-four (24) months. The Initial Term shall commence on the date on which Accellis begins providing Services, unless such date is a day other than the first day of a calendar month, in which case: (a) the Initial Term shall commence on the first day of the first full calendar month following the date on which Accellis began providing the Services and shall automatically renew for subsequent twelve (12) month periods unless either party notifies the other party in writing at least ninety (90) days prior to the next-scheduled renewal date of its intention not to renew and (b) the Client shall pay to Accellis in addition to the Monthly Service Fee for the first month of the Initial Term a pro rata Monthly Service Fee on account of the partial month during which Services were provided prior to the commencement of the Initial Term. The Initial Term’s commencement date shall be set forth in Accellis’ first invoice for Monthly Service Fees.
4.2. Early Termination by Client for Failure to Meet Service Levels
If Client has satisfied all of its obligations under a Service Contract, then Client may terminate the Service Contract without cause upon giving at least ninety (90) days’ advance written notice of the intended termination date, which shall be the last day of a monthly billing cycle, provided that: (a) you pay us an early termination fee equal to fifty percent (50%) of the recurring Monthly Service Fees remaining to be paid from the effective termination date through the end of the Initial Term or then-current renewal term, based on the prices then in effect; and (b) no such notice of termination may be given prior to the expiration of the first ninety (90) days of the Initial Term of the Service Contract.
4.3. Early Termination by Accellis for Failure to Cooperate
Accellis may terminate a Service Contract if, during any period of twelve (12) months, there are at least three (3) occasions on which there is a failure by the Client to comply with a written request by Accellis for reasonable cooperation in connection with the provision of the Services. Without limiting the generality of that provision, the circumstances that may constitute a failure to furnish reasonable cooperation in the context of a Service Contract for CORE Security Services shall include without limitation: a failure to install recommended software updates, a failure to replace outdated hardware, a failure to follow recommended cyber-security practices and procedures and/or abusive behavior towards SecOps personnel.
4.4. Early Termination by Accellis Without Cause
Accellis may elect to terminate a Service Contract without cause upon giving at least ninety (90) days’ advance written notice of the intended termination date, which shall be the last day of a monthly billing cycle, in which case: (a) you will not be responsible for the payment of any further fees beyond the fees for Services provided to you through the date of termination; and (b) we will provide you with reasonable off-boarding and transition services at no charge.
4.5. Non-Payment and Suspension
Accellis reserves the right to suspend or terminate this Agreement and any account access to software or services as defined in the applicable Service Order if a Client’s account becomes 30 days delinquent (falls into arrears). Accellis reserves the right to impose a start-up fee if the Client’s Service is suspended and the Client thereafter requests a restart of its Services. The Client agrees and acknowledges that Accellis has no obligation to retain Client data and that such Client data may be irretrievably deleted if the Client’s account is 30 days or more delinquent.
ACCELLIS DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING BUT NOT LIMITED TO STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR PERFORMANCE OF PRODUCTS, WHETHER MADE BY ACCELLIS EMPLOYEES OR OTHERWISE, WHICH IS NOT CONTAINED IN THIS AGREEMENT, WILL BE DEEMED TO BE A WARRANTY BY ACCELLIS FOR ANY PURPOSE OR GIVE RISE TO ANY LIABILITY OF ACCELLIS WHATSOEVER.
5.2. Limitation of Liability
IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY EXCEED THE AMOUNTS PAID TO ACCELLIS IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM. IN NO EVENT SHALL EITHER PARTY BE LIABLE TO ANYONE FOR ANY INDIRECT, PUNITIVE, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES OF ANY TYPE OR KIND (INCLUDING LOSS OF DATA, REVENUE, PROFIT OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THIS SERVICE, INCLUDING BUT NOT LIMITED TO THE USE OR INABILITY TO USE THE SERVICE, OR FOR ANY CONTENT OBTAINED FROM OR THROUGH THE SERVICE, ANY INTERRUPTION, INACCURACY, ERROR OR OMISSION, REGARDLESS OF CAUSE IN THE CONTENT, EVEN IF THE PARTY FOR WHICH DAMAGES ARE BEING SOUGHT, OR SUCH PARTY’S LICENSORS HAVE BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL ACCELLIS HAVE ANY LIABILITY FOR THIRD PARTY PRODUCTS OR SERVICES, INCLUDING WITHOUT LIMITATION THOSE BUNDLED, INTEGRATED OR OTHERWISE ASSOCIATED WITH THIRD PARTY PRODUCTS OR SERVICES.