ADDITIONAL TERMS AND CONDITIONS FOR
SECURE MANAGED SERVICES (SMS)
Effective June 1, 2022
These Additional Terms and Conditions for Secure Managed Services (“SMS T&C”) shall apply to those specific SMS (as defined below) under any SMS Purchase Document (as defined below) with Networking Technologies (“Company”), located at 1540 East Lake Road, Ste. 100, Erie, PA 16511, and the party named in such SMS Purchase Document, along with its Affiliates (collectively, “Customer”), and shall supplement and be in addition to those certain Terms and Conditions posted on Company’s website at https://www.net-cloud.com/general-terms-conditions from time to time as of the date(s) specified in the SMS Purchase Document (the “Effective Date”).
NOTICE: Company and Customer agree and acknowledge that, upon the contracting and execution of a SMS Purchase Document for SMS by and with Company as set forth in said SMS Purchase Document and herein, Customer and Customer’s Equipment, Systems, Services, and/or SMS Purchase Document shall be subject to these SMS T&C in addition to and as a supplement to the Terms and Conditions as aforesaid. All capitalized terms used in this SMS T&C and not otherwise defined herein shall have the meanings given to them in the Terms and Conditions posted on Company’s website at https://www.net-cloud.com/general-terms-conditions from time to time.
By approving and executing a SMS Purchase Document, Customer hereby agrees to and shall be bound by these SMS T&C, in addition to and as supplementing the Terms and Conditions, and shall remain in effect for so long as each such SMS Purchase Document and/or other agreement is in effect by and between Company and Customer.
1. DEFINITIONS: In addition to the terms defined in the Terms and Conditions and elsewhere in the Agreement, the terms set forth in this Section 1 shall have the following meanings in these SMS T&C:
(a) “Agreement” means these SMS T&C, the Terms and Conditions, the SMS Purchase Document, all other Purchase Documents, and all such other documents, schedules, exhibits and attachments that the parties’ authorized representatives mutually agree to in writing from time to time.
(b) “Block Time Hours Arrangements” means those payment arrangements and payment terms as outlined and described in Section 11 below, as also described and set forth in the SMS Purchase Document by and between Company and Customer.
(c) “SMS” and “Services” means those Secure Managed Services as set forth and identified in Section 3 below in these SMS T&C, as well as outlined in Customer’s SMS Purchase Document(s), including, without limitation, Company’s implementation and management of Secure Managed Services as set forth and identified in Section 3 below in these SMS T&C.
(d) “SMS Purchase Document(s)” means any and all quotes, proposals, purchase orders, change orders and/or any related contracts, agreements or documents that are approved and executed by Customer and Company for the provision or performance of, and/or the implementation of, SMS and related Services in conjunction with these SMS T&C.
2. GENERAL STATEMENT OF PURPOSE.
(a) The parties’ intent in entering into this relationship is for Company to provide SMS managed services to Customer as further described in the Agreement and the SMS Purchase Document herein. Customer desires to obtain the Services described herein and in the Agreement, and Company is highly qualified and experienced in the provision of such Services.
(b) If any Services, functions or responsibilities not specifically described in the Agreement and/or the SMS Purchase Document are reasonably required for the proper performance and provision of the Services hereunder or are an inherent part of or necessary sub-task included within the Services, then such Services, functions or responsibilities will be deemed to be implied by and included within the scope of these Services, as applicable.
3. DESCRIPTION OF SECURE MANAGED SERVICES (SMS). In conjunction with the SMS Purchase Document and subject to the terms, conditions and requirements of these SMS T&C and the Terms and Conditions, Company will provide the following as SMS to Customer under and pursuant to the Agreement:
(a) Helpdesk Service: Company’s Network Operations Center (“NOC”) team monitors and responds quickly to Customer’s IT-related issues and requests. Company shall have a Company team member on-call 24/7 to aid Customer whenever Company expertise is needed. This service is covered and performed as part of a Block Time Hours Arrangement.
(b) Security Awareness Training: Security awareness training is a form of education that Company provides to equip Customer’s team with the information Customer needs to protect Customer and Customer’s assets from potential loss or harm. Customer’s team will receive bi-weekly phishing campaigns to teach Customer’s team how to become Customer’s own human firewall, and Customer’s team will also receive a monthly security awareness training module for the most up to date knowledge on recently known attack areas. Customer will receive reporting metrics in displaying behavioral improvement as the security training program progresses.
(c) Incident Response: Company will work with Customer to create an incident response policy and plan for both parties to follow in the event of a cybersecurity incident. Any Services that Company performs to prevent expansion of an event, mitigate its effects, and resolve the incident are covered as part of Block Time Hours Arrangement
(d) Log Monitoring: Company will monitor Customer’s system logs to assist in identifying system events and issues. Company monitors performance regarding memory, network bandwidth and CPU consumption to assist in performance management, as well as auditing for security policies.
(e) System Administration: Company will manage the IT infrastructure by monitoring the system health, allocating system resources, providing user access, managing user accounts, monitoring system security and performing many other system administration functions.
(f) Baseline Audit Classification: Company will perform a NIST Cybersecurity Framework alignment audit, which includes inventorying systems, applications and processes. This service includes a Dark Web Assessment which consists of finding the data collected about Customer (such as email addresses and account credentials) that can be used to attack or attach to Customer’s internal systems. This service provides Customer with a proactive security approach rather than a reactive approach to Customer’s vulnerabilities. Company also provides security measures, in the Dark Web Assessment, to eliminate attacks from leaked user credentials, domains and email addresses. The amount, timing and/or occurrence of this service is subject to the level of service selected as follows:
(i) SMS Essentials Level: Annual Audit and Dark Web Assessment; or
(ii) SMS Advanced Level: Bi-annual Audit and Dark Web Assessment.
(g) SIEM & SOC Services: SIEM is a threat detection and response platform used to collect, analyze, and correlate data from network devices with threat intelligence feeds to provide alerts, retention of logs and compliance reporting. Based on the level of service selected, SMS Advanced includes a co-managed Security Operations Center (“SOC”) that monitors the data 24×7.
(h) Disaster Recovery: Company will provide a documented Disaster Recovery Plan for Customer’s IT environment. The Disaster Recovery Plan will be reviewed and updated by Company annually as needed.
(i) Vulnerability Assessments: Company provides Vulnerability Assessments to identify, quantify, and prioritize vulnerabilities in Customer’s environment. By reviewing security weaknesses in an information system and assigning severity levels focusing on critical areas open to attack by a threat actor, Company can better prepare for attacks on Customer and Customer’s organization. The Vulnerability Assessment provides internal and external scans for holes in the network firewalls and identifies vulnerabilities to be patched. The Vulnerability Assessment does not just stop with the initial assessment, but with continued vulnerability scanning to ensure new threats are addressed in a timely manner. The amount, timing and/or occurrence is subject to the level of service selected as follows:
(i) SMS Essentials Level: Annual Vulnerability Assessment; or
(ii) SMS Advanced Level: Bi-annual Vulnerability Assessment.
(j) Patch Management: Company will provide automated Microsoft patch management bi-weekly for servers and weekly for workstations based on Customer specific schedule. Workstations must be on during designated patch windows. Third-party software patch management is available for 7-zip, Adobe, Google Chrome, Mozilla, Apple iTunes and Safari, Java, Opera, Zoom, and WinZip, to name a few. Any other labor services required to troubleshoot, repair, or maintain servers and workstations are covered as part of Block Time Hours Arrangement.
(k) Firewall Management: This service offering encompasses firewall health and Unified Threat Management (“UTM”) if applicable, monitoring, reporting, configuration archiving and implementation of manufacturer firmware updates obtained through Customer’s independent security appliance support contracts, applied as necessary to address security and performance needs. Any other labor services required to implement features, troubleshoot, repair, or maintain firewalls are covered as part of Block Time Hours Arrangement.
(l) Policies: In the first quarter of the SMS engagement, Company will work with Customer to create Customer policies, which are written statements, rules or assertions that specify the correct or expected behavior for Customer to follow. Some examples of these policies are Acceptable Use, Data Backup, Authentication & MFA, and Security Incident Response. All policies will adhere to security best practices focusing on the NIST Cybersecurity Framework, and may be reviewed based on the level of service selected as follows:
(i) SMS Essentials Level: 6 written policies; or
(ii) SMS Advanced Level: 10 written policies, reviewed bi-annually to address any changes.
(m) Managed Backup Operations: Company monitors Customer’s backups daily to ensure successful, reliable backups are in place. If a backup fails, Company’s team will research the issue and provide resolution.
(n) MFA & Two-Factor Authentication: Company will implement Multi-Factor Authentication (“MFA”) and/or Two-Factor Authentication as a security enhancement that allows Customer to present two pieces of evidence (such as a Customer employee’s credentials) when logging into a Customer account. On top of MFA, the use of VPN two-factor authentication prevents remote access into Customer’s organization without authorization which enhances protection of critical assets. Company will audit Customer’s environment to determine which applications allow MFA to be turned on and implement MFA where available.
(o) Cloud Security Monitoring: Company utilizes a Cloud Security Monitoring service to monitor, detect, and respond to atypical user behavior that targets accounts for applications in Microsoft Cloud, i.e., Microsoft 365, SharePoint and OneDrive.
(p) Endpoint Detection and Response: Company will provide a managed Endpoint Detection and Response (“EDR”) to monitor Customer’s systems in real-time by monitoring processes before, during, and after execution, to prevent new threats from slipping in. The EDR uses artificial intelligence (“AI”) to detect and prevent both current and emerging threats, with continual updates to the platform, and helps prevent ransomware by providing the capability to roll back devices to their pre-infection state.
(q) Quarterly Business Report: Quarterly Business Reports (“QBR”) will be emailed to Customer on a quarterly basis to report on Customer’s overall IT health. The QBR will include a list of upcoming renewals, ticket statistics, managed backup daily results, managed assets, patch compliance, and system threat health.
4. ADDITIONAL DUTIES OF CUSTOMER; CYBER SECURITY INSURANCE.
(a) In addition to the obligations, covenants and duties set forth in the Agreement, Customer hereby agrees and covenants to (and shall): (i) provide Company with a Customer contact person who will be a primary source of information pertaining to the SMS and the Agreement; (ii) keep Company informed of all problems, plans, and technical information in sufficient detail and sufficient time to enable Company to properly perform the functions and requirements of SMS as addressed herein; (iii) establish priorities related to tasks associated with the Agreement in conjunction with Company; (iv) provide Company all reasonable access to areas and facilities which house Equipment, Systems and/or software related to the applicable Services; (v) maintain proper software licensing and be prepared to provide manufacturer support on all software used that is related to the Services provided as part of the Agreement; (vi) maintain current hardware support and/or be prepared to provide hardware replacement in the event of a deficiency of the hardware to provide reliable Services as part of the Agreement; (vii) not hold Company liable or responsible for identified issues related to Customer’s hardware and software where or when Customer does not make necessary replacement of related hardware or maintain current software support as required; (viii) provide a space, with table top surface and chair where Company employees and specialists may conduct business when required; and (ix) provide and fund an electrical connection, network connectivity, and a secure location for use by Company’s Networking Technologies Security Appliance (“NTSA”) to reside for the entire term and duration of the Agreement.
(b) As a requirement for the provision of SMS by Company to and for Customer, Customer covenants and agrees to (and shall) provide either: (i) written evidence to Company and copies of Customer’s cyber security insurance policies and coverage with such insurance policies having at least the minimum coverages and limits as may be required by Company within customary cyber security industry standards (the “Minimum Coverage”), which Customer acknowledges and agrees may be adjusted and modified from time to time by Company, at Company’s reasonable discretion; or (ii) approval of and payment for separate cyber security insurance policies and coverages with at least such Minimum Coverage and as may be procured by Company for the benefit of Customer in conjunction with Company’s arrangements and relationships with third-party insurance providers, agents and/or brokers (including, but not limited to, FifthWall Solutions, as an example only). The parties agree and acknowledge that, with respect to Section 4(b)(ii) herein, Company is not an insurance agent or broker, and is only facilitating Customer’s procurement and purchase of cyber security insurance and coverage from and with a licensed insurance provider. Company is not licensed, nor is it required to be licensed, by or with the Pennsylvania Department of Insurance, and Company is not an agent or broker of any insurance products.
5. CHARGES AND PAYMENT FOR SMS:
(a) In addition to the pricing and payment terms set forth in the SMS Purchase Document and the Terms and Conditions, Customer agrees and acknowledges that the SMS will include pricing based on the identification of, type of and number/quantity of Customer devices that Company will service during the term of the Agreement for such SMS. In addition to any one-time payment for cyber security insurance as may be required under the SMS Purchase Document (as described in these SMS T&C), fees and charges will include those Non-Recurring Charges and Monthly Recurring Charges as described in the SMS Purchase Document and herein.
(b) NRC (Non-Recurring Charges). Customer will pay those certain Non-Recurring Charges which may include all charges associated with bringing current Systems to a standard level of operational functionality conducive to support relative to the overall SMS. The NRC shall be a one-time charge and fee assessed at the commencement of the Agreement.
(c) MRC (Monthly Recurring Charges). Customer will pay Monthly Recurring Charges which may include the charges associated with Company providing the applicable Secure Managed Services on a monthly basis, as described in the Agreement. Monthly recurring charges associated with SMS are calculated from the number of Customer elements including endpoints, devices, users, locations, and associated companies and/or affiliates. Endpoints are calculated from the number of workstation and server primary IP addresses. Devices are determined from the number of workstations, servers, firewalls, hosts, and network devices. On a quarterly basis, Company will adjust the Monthly Recurring Charges based on Customer’s endpoints, devices, users, locations, and associated companies and/or affiliates.
(d) Early Termination Fee. If for any reason Customer decides to cancel and terminate the Agreement prior to the expiration date and end of the applicable term of the Agreement, then, in addition to the requirements set forth in Section 7 of these SMS T&C, Customer will pay Company an early termination fee of one-half (½) of the amount of all remaining payments due and owing by Customer to Company under the Agreement.
6. APPLICABLE SALES AND USE TAXES: All amounts due and payable hereunder will be exclusive of applicable charges, fees, levies, imposts, duties, tariffs or other assessments imposed by or payable to any federal, state, local or foreign tax or governmental authority, including without limitation sales, use, goods, services, value added, transfer, customs, personal property, stamp duty, excise, withholding and other obligations of the same or similar nature (individually and collectively, “Taxes”) based or measured thereon. Customer will be responsible for the payment of all such Taxes, excluding Taxes based on Company’s income. Customer will indemnify and hold Company harmless from any current or future obligation, including due a change in legislation, to pay to any governmental entity any employer statutory Taxes, withholding Taxes, social security Taxes or any other Taxes in connection with Company’s performance under the Agreement, and from any and all damages, losses, liabilities and expenses (including reasonable attorneys’ fees and costs of litigation) arising out of or resulting therefrom.
7. ADDITIONAL REQUIREMENTS UPON TERMINATION. In addition to the requirements set forth in the Terms and Conditions, as well as set forth in Section 5 of these SMS T&C, in the event of any termination, nonrenewal or expiration of the Agreement: (a) Customer will pay and compensate Company for all SMS satisfactorily performed prior to such date and any deliverables provided prior to such date that satisfies any and all applicable specifications; (b) upon Customer’s written request, Company will cooperate with Customer in completing all work in progress and other such matters which may require Company’s reasonable assistance at Company’s then-current regular hourly fees and rates; and (c) for a period of at least thirty (30) days following termination, nonrenewal or expiration of the Agreement, Customer will cooperate with Company in transitioning the SMS hereunder, including, but not limited to, permitting and enabling Company’s agents and personnel to remove all software and similar components associated with the SMS from Customer’s Equipment, Systems, and premises, which will be done as reasonably requested to transition and prevent disruption to the operations of both parties.
8. COMPLIANCE WITH LAWS. Notwithstanding the content or generality of any provision of the Agreement, nothing herein will be construed to require either party to commit or to refrain from committing any act if the requirement could not be lawfully imposed under applicable law of the jurisdiction whose commerce would be affected. However, in this regard, both parties agree to cooperate with each other and to comply with any and all applicable federal, state or local laws, regulations or rules associated with SMS and the Agreement, including, but not limited to (and only to the extent applicable hereunder), the requirements of (a) the Health Insurance Portability and Accountability Act of 1996, as amended, and its associated regulations promulgated thereunder (“HIPAA”); (b) Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 through 6810 (“GLB Act”), and the Federal Trade Commission’s implementing regulation, Regulation P, 16 C.F.R. Part 313 (“Regulation P”), in particular, as both relate to the disclosure and protection of Non-Public Personal Information for consumers and customers; and (c) the Sarbanes-Oxley Act of 2002, as amended, and its associated regulations promulgated thereunder (the “Sarbanes-Oxley Act”). The parties acknowledge and agree to take all reasonable measures to safeguard the confidentiality of all Confidential Information (as define in the Terms and Conditions) and to prevent its inadvertent or unauthorized disclosure or release.
9. NO WARRANTY/HOLD HARMLESS. In addition to the limitations of liability and hold harmless provisions, as well as the warranty disclaimers and limitations, all as set forth in the Terms and Conditions, and without limiting anything herein or therein, Company shall not be liable for, and Customer shall hold harmless Company for, any damages resulting from the use or inability to use its Services, reliance on its Services or on information obtained therefrom, interruptions of service, breach, compromise, unauthorized access to any records, files, data, systems, or other assets, valuables and resources; errors, defects, viruses, malware, delays in operation or transmissions or any other failure of performance or business function. Further, except in the event of willful misconduct by Company, Company shall not be liable for any damages resulting from: (a) the loss of any of Customer’s data or third party data, breach of security or loss of privacy of data on Customer’s systems or third party systems that may occur on systems installed, serviced, and/or managed by Company, or any direct or indirect damages resulting therefrom; (b) the malfunction, performance or compromise of any system, network or other resource related to or associated with in any capacity or by any theory with Company Services, and any Customer or third party damages, claims, losses or expenses resulting therefrom; and/or (c) any personal injury (whether of a physical or psychological nature) or death of any person, whether associated with Customer or otherwise, that may in any capacity or by any theory be associated with Services provided by Company, and any Customer or third party damages, claims, losses or expenses resulting therefrom.
10. FORCE MAJEURE. Neither party to the Agreement shall have liability or responsibility to the other party for any delay, failure to perform, service interruption, outage, damage, malfunction, or any consequence thereof or damage resulting therefrom, due to any circumstance beyond the party’s reasonable control including, but not limited to, inclement weather, climate change, resource shortages, all acts of nature and acts of God, strikes, civil disturbances, riots, terrorist acts, epidemics, pandemics, government pronouncements, orders or “shelter-in-place” directives, unavailability of or delays in goods or services needed from third parties including but not limited to third party hardware, software, data center, collocation, and cloud service providers, interruption or outage of or delay in telecommunications including the public Internet, voice lines, data lines, or any telecommunications equipment or service, transportation, delivery, power outages, electrical or other utility services, failure of third party hardware, software or services, or any acts or omissions of any third parties.
11. BLOCK TIME HOURS ARRANGEMENTS. As further set forth in the SMS Purchase Document, some or all of the Services shall be administered and charged as part of a Block Time Hours Arrangement, which are pre-paid hours for the purpose of handling both on-site and off-site Services to address a Customer’s Information Technology (IT) support needs and requests.
(a) Agreement on Block Time Hours Arrangements & Payment Terms; Premium Hours.
(i) As set forth herein and in the SMS Purchase Document, Customer hereby agrees to and is agreeing to that certain annual estimated allotment of purchased block Service hours per year (“Annual Hours”) at an agreed upon total rate for the year, as detailed and set forth in the applicable SMS Purchase Document. The parties agree and acknowledge that the estimate of Annual Hours is and will be a commitment negotiated and agreed upon by the parties. The Annual Hours shall be paid in advance on a monthly basis (“Monthly Block”) by Customer to Company as set forth in the Agreement and, upon payment, said Monthly Block shall be deducted from the Annual Hours allotment. All time shall be recorded and charged in quarter hours.
(ii) Any unused Monthly Block hours will be carried forward to the next consecutive month, and will be banked for future Services or shall be applied to separate Premium Hours Services (as further defined herein). However, during the term of the Agreement, if the Monthly Block allotment is exhausted for that month of designated Services, the parties agree that Company shall invoice, and Customer shall pay, the difference for such designated Services exceeding the Monthly Block, and the difference will be billed at an agreed-upon hourly rate as set forth in the SMS Purchase Document. It is agreed and acknowledged by Customer that the Monthly Block allotments are fixed budgetary amounts based on the Annual Hours paid in advance and are deemed “earned” by Company, and Customer may not deduct and/or trade from a separate month’s Monthly Block to make up any deficiency. Any deficiency in the Monthly Block shall be separately invoiced by Company to Customer at the agreed-upon hourly rate as aforesaid.
(iii) The parties agree and acknowledge that any Services requested by Customer for these Block Hour Time Arrangements and described as follows will be considered and treated as “Premium Hours,” and the same will be charged and assessed by Company to Customer at a rate of 1.5x multiple above Company’s standard rate for such Services and deducted against the Monthly Block for the applicable month when the Premium Hours are performed and incurred by Company. For purposes of this Agreement, “Premium Hours” mean hours worked between the hour of 8:00 PM Eastern Time and 7:00 AM Eastern Time, Monday through Friday, as well as any hours worked on weekends and any hours worked on the following holidays: New Year’s Day, Good Friday, Memorial Day, Independence Day (July 4th), Labor Day, Thanksgiving Day, the Day after Thanksgiving, Christmas Eve Day, and Christmas Day.
(b) Termination Overruns and Carryovers. Customer agrees and acknowledges that it is incumbent upon Customer to utilize the Annual Hours based on each Monthly Block as set forth in the Agreement, and Customer is and shall be “at-risk” for utilizing the Annual Hours for the Block Time Hours Arrangements as set forth in the Agreement. Upon early termination of the Block Hour Time Arrangements and/or the Agreement by Customer, no advance payment of the Monthly Block allotments for the Annual Hours shall be refunded or returned to Customer. If applicable, upon the end of a term of the Block Time Hours Arrangements in the Agreement for an applicable Annual Hours period, the parties shall have the following options and considerations:
(i) Terminate and end the Block Time Hours Arrangements in accordance with the Agreement, in which case any unused Monthly Block allotments shall remain with Company and not refunded to Customer (i.e., “use it or lose it”);
(ii) Execute and sign a new and/or similar arrangement to continue the Block Time Hours Arrangements in same format and methodology as set forth in the Agreement, subject to any agreed-upon adjustments to the Annual Hours and Monthly Block amounts and calculations; or
(iii) Convert and modify the current Agreement and adjust the Block Time Hours Arrangements to reflect a “pure” block hour arrangement between the parties whereby Customer purchases specific allotments of hours of Services from Company for an agreed-upon hourly rate (i.e., a block of 10 hours of Services at Company’s then current standard hourly rates, etc.).
(c) If Customer makes a request to Company, in writing, to not utilize the Block Time Hours Arrangements as set forth herein and/or set forth in the SMS Purchase Document, and if Company approves said request in writing, then the parties agree and acknowledge that the Services shall be billed to Customer on and at Company’s then-current standard hourly rates for all individual Services hereunder and Customer shall pay all invoices separately and promptly in accordance with the payment requirements set forth in the Terms and Conditions.
12. INTEGRATION WITH TERMS AND CONDITIONS AND PURCHASE DOCUMENTS. Customer acknowledges and agrees that the Terms and Conditions are incorporated herein by reference and made a part hereof as if fully set forth herein. In the event of a conflict between or among the provisions of these SMS T&C and the specific provisions set forth in the SMS Purchase Document for the Services hereunder, the provisions of such SMS Purchase Document will take precedence over these SMS T&C only if such provisions specifically reference the provisions of these SMS T&C that are inconsistent therewith and if such SMS Purchase Document is signed by the parties. In all other cases, the terms of these SMS T&C, along with terms of the Terms and Conditions, will prevail jointly for any and all SMS contracted and performed hereunder.
Your Technology Resource in Erie, PA | Buffalo, NY | Cleveland, OH regions