Service Level Agreement

This Service Level Agreement describes the terms and conditions, and outlines Beryllium InfoSec, Inc.’s (“Service Provider”) responsibilities and support provided to Customers using the Cuick Trac enclave.

Technical Support

Under this agreement, monitoring of the Cuick Trac environment by Service Provider’s personnel will occur five days a week (Monday – Friday) during service hours of 8:00am-6:00pm CST. Remediation services will be provided only during business hours unless otherwise specifically stated in the SOW. Service Provider will respond to problems, errors, or interruptions in the provision of the Services within the timeframe(s) described below. Severity levels will be determined by Service Provider at its reasonable discretion and in accordance with industry best practices. All remediation services will initially be performed remotely; Service Provider will provide on-site service only if remote remediation is ineffective and, under all circumstances, only if covered under the Service plan selected by Customer.

All time frames are calculated as of the time that Service Provider is notified of the applicable issue or problem by Customer through Service Provider’s designated support portal, help desk, or by telephone. Notifications received in any manner other than as described herein may result in a delay in the provision of remediation efforts. Help desk support provided outside of Service Provider’s normal service hours will be billed to Customer at the hourly rate of $130/hour (2-hour minimum applies), and support provided between 11:00pm-6:00am CST will be billed to Customer at the hourly rate of $500/hour. For support to locations in significantly different time zones, 2+ days’ notice for anticipated priority support is recommended. Support requiring on-site visits will be billed to Customer at the flat rate of $2,000/day, plus expenses (based upon the approved United States Federal Government Per Diem rate for that fiscal year).

Service Level Defaults

In the event of a Service Level Default, the corresponding Service Level Credit will be creditable to Customer; provided, however, that in no event will the total amount of Service Level Credits creditable to Customer for a single month exceed the “At Risk Amount” for that month.

If Service Provider believes that a Service Level Default should be excused, then Service Provider will so state in the applicable Service Level Report. In the applicable Service Level Report, Service Provider will also indicate the following:

1. Which Service Levels are affected by the exemptions and the calculation of the actual performance values of the affected Service Levels, both with and without taking into account the effect of the excuses concerned; and

2. All of the circumstances that give rise to the claimed exemption, in sufficient detail to permit Customer to evaluate whether Service Provider’s claim of exemption is valid.

At Risk Amount. In no event will the total amount of Service Level Credits in a single month exceed, in total, 75 percent of the aggregate amount of all Cuick Trac Enclave Charges for the applicable month (the “At Risk Amount” for the applicable month) within the first year of the agreement. The At Risk Amount will reduce to 50 percent after the first year.

Service Level Credits

For purposes of calculating the Service Level Credit, Customer will allocate a certain number of points (“Service Level Credits”) to each of the Service Levels; provided, however, that the aggregate Credits allocated among all Service Levels will not exceed 100.

Service Level Credits will be calculated monthly. Customer will be entitled to a Service Level Credit for each Service Level Default that occurs during such month. Any Service Level Credits will begin to accrue for Service Level Defaults 3 months after the Service Commencement Date for the applicable Service Level.

For Service Level Defaults, each Service Level Credit is equal to the product of (1) the Service Level Credits allocated to the affected Service Level, divided by 100, and (2) the “At Risk Amount”. Below is a sample calculation.

If Service Provider has failed to meet a Service Level during the prior month, Customer has allocated 30 Service Level Credits to that Service Level, and Service Provider’s total Cuick Trac Enclave Charges to Customer for such month for the Services are $10,000, the applicable Service Level Credit would be computed as follows:

(Service Level Credits / 100) × “At Risk Amount” =

(30 / 100) × (Cuick Trac Enclave Charges × 75%) =

(30 / 100) × ($10,000 × 75%) = $2,250

Service Level Credits will be calculated and paid monthly and adjusted in the invoice for the applicable month.

Internet Service Connection

The Cuick Trac secure virtual enclave requires an active ISP connection for access. Based upon individual needs, it is strongly recommended that Customer obtain a primary and secondary ISP with automatic fail-over to prevent loss of connectivity. Customer understands and agrees that Service Provider has no control over ISP services and shall not be held liable for any loss or work stoppages caused by ISP outages, and Service Provider shall be held harmless in the event of any such losses.

Expectations & Assumptions

The following is asserted to facilitate this engagement.

1. All Parties will mutually cooperate and comply with requests for information about the operation of information systems concerning the safeguarding of CUI, and will furnish answers quickly and truthfully in the interest of those requests.

2. All Parties’ points of contact for communication will be assigned for the duration of the SOW, unless changed via prior written or e-mail notification to all Parties.

3. Service Provider will provide all Services and Service Deliverables, and perform all obligations set forth in the SOW.

4. Customer will obtain and maintain internet connectivity through an internet service provider (ISP) of their choosing. It is strongly recommended that primary and back-up connections be established to avoid unexpected ISP outages.

5. No changes to the SOW shall be made without the written consent of all Parties. All changes must be submitted with the Cuick Trac CUI Access List, provided to Customer during onboarding.

6. Service Provider is not providing Customer with any legal advice or legal counsel. Customer is encouraged to seek legal advice from their own counsel.

Software that is not on the Cuick Trac approved whitelist, but may be in use in the Customer’s networks, will be analyzed for security concerns and explicitly approved on a case-by-case basis. Service Provider cannot and will not provision software that creates an unmitigated vulnerability within the environment.

Customer understands and agrees that software that is not part of the Cuick Trac whitelist may pose additional risk to Customer’s environment, and Customer fully accepts the additional risk. The Service Provider is not liable for software implemented at Customer’s request.

Anti-Virus; Anti-Malware

Cuick Trac provides anti-virus and anti-malware; however, viruses and/or malware that exist on the Customer’s system at the time that the Cuick Trac secure virtual enclave is implemented may not be capable of being removed without additional services, for which a cost may be incurred which will be charged to the Customer.

Customer understands and agrees that no security solution is one hundred percent effective, and any security paradigm may be circumvented and/or rendered ineffective by certain malware that was previously unknown to the manufacturers of the software solution, and/or which is purposely or intentionally downloaded or installed onto Systems.

Customer is strongly advised to refrain from downloading files that are sent by unknown users, and/or users or files whose origin cannot be verified. Service Provider does not warrant or guarantee that all viruses and malware will be capable of being removed, or that any data corrupted or encrypted by viruses or malware will be recoverable.

To improve security awareness, Customer agrees that Service Provider may transfer information about the results of processed files, information used for URL reputation determination, security risk tracking, and statistics for protection against spam and malware. Any information obtained in this manner does not and will not contain any personal or confidential information.

In the event of a Federal or State investigation of a breach or malware infection, Service Provider is required to surrender copies of logs, user environment configuration files, and data to law enforcement upon receipt of a legally enforceable order. Service Provider will make every attempt to preserve information in its original state prior to forensic investigation but cannot make any guarantees or warranties as to this preservation.

Patch Management

Service Provider shall keep all managed and/or hosted equipment and software current with critical patches and updates (“Patches”) as such Patches are released by the manufacturers of the applicable hardware or software. Patches and updates are developed by third-party vendors and, on rare occasions, may cause system instability. Service Provider reserves the right, but not the obligation, to refrain from installing a Patch if Service Provider is aware of technical problems caused by a Patch, or believes that a Patch may render the System, or any portion of the System, unstable, present an information security vulnerability, or otherwise create a NIST 800-171 compliance violation.

Consulting Advisory Services

The advice and suggestions provided by the Service Provider’s security experts, technical support or operations personnel will be for Customer’s informational and/or educational purposes only. The Service Provider’s personnel will not hold an actual director or officer position with Customer and will neither hold nor maintain any fiduciary relationship or any position as employee or agent of Customer. Under no circumstances shall Customer list or place Service Provider’s personnel on Customer’s corporate records or accounts. At all times, the Service Provider’s personnel will be an independent contractor of Customer.

Diagnostic / Auditing Services

Given 24 hours’ notice to Customer, any diagnostic or auditing services performed by Service Provider may require Service Provider to install a small amount of code (“Diagnostic Code”) on one or more of the devices attached to the Customer’s network enclave. The Diagnostic Code is deleted in its entirety after the testing process concludes. No personal data or CUI will be reviewed or copied by Service Provider at any time during the testing process. No files will be erased, modified, opened, reviewed, or copied at any time during the testing process. The Diagnostic Code will not install or create any disabling device, or any backdoor or hidden entryway into the Customer’s network enclave system. The results of the diagnostic testing will be kept confidential by Service Provider.

The testing process is for diagnostic purposes only. The process is not intended, and will not be used, to correct any problem or error in the System. Service Provider does not warrant or represent that the testing process will result in any particular outcome, or that any issue, hardware, or software configuration will be correctly detected or identified.

Data Replication

Service Provider does not guarantee or support data replication services outside of the Cuick Trac environment as it will be outside of the Cuick Trac baseline responsibility.

Data Destruction

Upon Service Provider deprovisioning a Customer from the Cuick Trac secure virtual enclave, all Customer data will be destroyed. It is the responsibility of Customer to retrieve any and all of their data from the Cuick Trac secure virtual enclave before the final date of service. After the last day of the Cuick Trac service, all of Customer’s previously dedicated Cuick Trac storage will be securely wiped in accordance with DOD sanitization requirements for reuse of hard drives. Retrieval of Customer data from their previously allocated storage is not possible, and Service Provider shall be held harmless and indemnified by Customer against any claims, costs, fees, or expenses incurred by Customer that arise or result from data destruction after the end of this Agreement.

Unsupported Configuration Elements or Services

If Customer requests a configuration element (hardware or software) or hosting service in a manner that is not customary for Service Provider, or that is in “end of life” or “end of support” status, Service Provider may designate the element or service as “unsupported,” “non-standard,” “best efforts,” “reasonable endeavor,” “one-off,” “EOL,” “end of support,” or with like term in the service description (an “Unsupported Service”). Service Provider makes no representation or warranty whatsoever regarding any Unsupported Service, and Customer agrees that Service Provider will not be liable to Customer for any loss or damage arising from the provision of an Unsupported Service. Deployment and service level guarantees shall not apply to any Unsupported Service. Service Provider reserves the right of refusal to implement such configurations in the interest of preserving Customer security.

IP Addresses

Any IP addresses provided to Customer by Service Provider during the term of the Agreement are managed by Service Provider and Service Provider will retain these IP addresses after termination of the agreement, meaning that they may not be transferred or utilized by Customer after termination of the Agreement.

Hosting Services

Customer agrees that it is responsible for the actions and behaviors of its users of the Cuick Trac secure virtual enclave. In addition, Customer agrees that neither it, nor any of its employees or designated representatives, will use the Services in a manner that violates the laws, regulations, ordinances, or other such requirements of any jurisdiction. Customer warrants and represents that all hosted applications will be properly licensed, and that all such licenses shall be maintained by Customer throughout the entire term of the SOW and SLA. In addition, Customer agrees that neither it, nor any of its employees or designated representatives, will: transmit any unsolicited commercial or bulk email, engage in any activity known or considered to be "spamming", or carry out any "denial of service" attacks on any other website or Internet service; infringe on any copyright, trademark, patent, trade secret, or other proprietary rights of any third party; collect, attempt to collect, publicize, or otherwise disclose personally identifiable information of any person or entity without their express consent (which may be through the person or entity's registration and/or subscription to Customer’s services, in which case Customer must provide a privacy policy which discloses any and all uses of information that Customer collects) or as otherwise required by law; or undertake any action which is harmful or potentially harmful to Service Provider or its infrastructure.

Customer is solely responsible for ensuring that its login information is utilized only by Customer and Customer’s authorized users and agents. Customer’s responsibility includes ensuring the secrecy and strength of user identifications and passwords. Service Provider shall have no liability resulting from the unauthorized use of Customer’s login information. If login information is lost, stolen, or used by unauthorized parties or if Customer believes that any hosted applications or hosted data has been accessed by unauthorized parties, it is Customer’s responsibility to notify Service Provider immediately to request the login information be reset or unauthorized access otherwise be prevented. Service Provider will use commercially reasonable efforts to implement such requests as soon as practicable after receipt of notice.

SPLA Licensing

As part of the Services, Service Provider will acquire certain licenses from Microsoft under a Services Provider License Agreement (“SPLA”). The SPLA incorporates the terms and conditions of another Microsoft document, called the Services Provider Use Rights (or “SPUR”). Service Provider’s licensing of Microsoft software, and Customer’s use of such software, must always comply with the terms of the SPLA and SPUR. If Microsoft modifies the terms of the SPLA or the SPUR, Service Provider may be required, and will be permitted without prior notice to Customer, to modify the Services to comply with the modified terms of the SPLA or SPUR, as applicable.

NIST 800-171 Policy and Procedural Guidance

As part of the Services, Service Provider will provide Customer with Policy and Procedure shell documents which must be completed by Customer to meet requirements under NIST 800-171. Service Provider uses best practice and makes all efforts to support the administrative requirements of NIST 800-171.

Service Level Descriptions

The following are the descriptions of the required Service Levels.

1) Incident Response Time

Service Level Description
Measures the percentage of Incidents where Service Provider Responds to Incidents within the Required Timeframe, depending on priority.
Monitoring Interval
Monthly
Service Level Credit
20
Formula
Number of Incidents during the Month to which Service Provider Responds within the Required Timeframe, divided by the number of Incidents for the corresponding Priority, with the result expressed as a percentage to two decimal places.
For purposes of this Service Level:
“Response” means a Ticket for the applicable Priority Incident has been opened and assigned to Service Provider Personnel for Resolution.
“Required Timeframe” means, with respect to Response from Service Provider after being notified by Customer through the designated support portal during service hours:
- Priority 1 Incident within 1 hour
- Priority 2 Incident within 4 hours
- Priority 3 Incident within 1 business day
- Priority 4 Incident within 3 business days
Service Level Metric
Measured separately for Response and Resolution:
- ≥ 98.00% within the Required Timeframe for Priority 1
- ≥ 93.00% within the Required Timeframe for Priority 2
- ≥ 90.00% within the Required Timeframe for Priority 3
- ≥ 90.00% within the Required Timeframe for Priority 4

2) Incident Resolution Time

Service Level Description
Measures the percentage of Incidents where Service Provider Resolves such Incidents within the Required Timeframe, depending on priority.
Monitoring Interval
Monthly
Service Level Credit
30
Formula
Number of Incidents during the Month which Service Provider Resolves within the Required Timeframe, divided by the number of Incidents for the corresponding Priority, with the result expressed as a percentage to two decimal places.
For purposes of this Service Level:
“Resolve” means the Services that were the subject of the Incident have been restored to normal use and operations.
“Required Timeframe” means, with respect to Resolution after Service Provider was notified through the designated support portal during business hours:
- Priority 1 Incident within 3 hours
- Priority 2 Incident within 8 hours
- Priority 3 Incident within 1 business day
- Priority 4 Incident within 2 business days
Service Level Metric
Measured separately for Response and Resolution:
- ≥ 98.00% within the Required Timeframe for Priority 1
- ≥ 93.00% within the Required Timeframe for Priority 2
- ≥ 90.00% within the Required Timeframe for Priority 3
- ≥ 90.00% within the Required Timeframe for Priority 4

3) Availability

Service Level Description
Measures the percentage of time that each System is Available.
Monitoring Interval
Monthly, but only between 7:00am-6:00pm CST on weekdays, excluding holidays
Service Level Credit
40
Formula
Total time a System is Available plus Planned Downtime, divided by total time during the Month, with the result expressed as a percentage to two decimal places.
For purposes of this Service Level:
“Available” means the System is operational, functional and usable to End Users/Applications.
“Planned Downtime” means the time during the Month when, as notified by Service Provider to Customer, the System will not be Available in order to implement upgrades, repairs and other changes.
Service Level Metric
≥ 99.5% Availability for Systems measured in aggregate, and no more than 1 System having an individual Availability of less than 99%.
If any downtime is incurred due to underlying infrastructure outside the control of the vendor, then that downtime is not counted as not Available.
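As an added illustration, and not part of the agreement text, the following Python script shows how the Incident Response Time metric above and the Service Level Credit arithmetic from the Service Level Credits section could be computed from ticket data. The ticket records are constructed sample values. The 10-hour service day (8:00am-6:00pm CST, Monday – Friday) is taken from the Technical Support section, but holidays are ignored, “1 business day” is treated as 10 service hours, the Response service level is treated as defaulted when any single priority misses its target, and all function names are assumptions of this example rather than definitions from the agreement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Service hours from the Technical Support section: 8:00am-6:00pm CST, Monday-Friday.
# Holidays are ignored in this example (a simplification).
SERVICE_START_HOUR = 8
SERVICE_END_HOUR = 18
# Assumption of this example: 1 business day = one 10-hour service day.
BUSINESS_DAY = timedelta(hours=SERVICE_END_HOUR - SERVICE_START_HOUR)

# Required Timeframes and targets from the Incident Response Time service level.
RESPONSE_REQUIRED = {1: timedelta(hours=1), 2: timedelta(hours=4),
                     3: BUSINESS_DAY, 4: 3 * BUSINESS_DAY}
RESPONSE_TARGET_PCT = {1: 98.00, 2: 93.00, 3: 90.00, 4: 90.00}
RESPONSE_POINTS = 20  # Service Level Credit points for this service level


def business_elapsed(start: datetime, end: datetime) -> timedelta:
    """Elapsed time between two naive CST datetimes, counting only Mon-Fri service hours."""
    total = timedelta()
    cur = start
    while cur < end:
        if cur.weekday() < 5:  # Monday=0 ... Friday=4
            day_open = cur.replace(hour=SERVICE_START_HOUR, minute=0, second=0, microsecond=0)
            day_close = cur.replace(hour=SERVICE_END_HOUR, minute=0, second=0, microsecond=0)
            window_start = max(cur, day_open)
            window_end = min(end, day_close)
            if window_end > window_start:
                total += window_end - window_start
        # advance to midnight of the next calendar day
        cur = (cur + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return total


@dataclass
class Incident:
    priority: int
    notified: datetime   # Customer opened the ticket through the designated support portal
    responded: datetime  # ticket assigned to Service Provider personnel ("Response")


def response_compliance(incidents) -> dict:
    """Per-priority percentage (two decimals) of incidents responded to within the Required Timeframe."""
    tallies = {}
    for inc in incidents:
        met = business_elapsed(inc.notified, inc.responded) <= RESPONSE_REQUIRED[inc.priority]
        hit, count = tallies.get(inc.priority, (0, 0))
        tallies[inc.priority] = (hit + int(met), count + 1)
    return {p: round(100.0 * hit / count, 2) for p, (hit, count) in tallies.items()}


def response_defaulted(compliance: dict) -> bool:
    """Assumption of this example: the service level defaults if any priority misses its target."""
    return any(pct < RESPONSE_TARGET_PCT[p] for p, pct in compliance.items())


def at_risk_amount(monthly_charges: float, first_year: bool = True) -> float:
    """75% of the month's Cuick Trac Enclave Charges in the first year, 50% afterwards."""
    return monthly_charges * (0.75 if first_year else 0.50)


def service_level_credit(points: int, monthly_charges: float, first_year: bool = True) -> float:
    """Credit for one Service Level Default: (points / 100) x At Risk Amount."""
    return round(points / 100 * at_risk_amount(monthly_charges, first_year), 2)


def monthly_credits(defaulted_points, monthly_charges: float, first_year: bool = True) -> float:
    """Total credits for a month across all defaulted service levels, capped at the At Risk Amount."""
    cap = at_risk_amount(monthly_charges, first_year)
    total = sum(service_level_credit(p, monthly_charges, first_year) for p in defaulted_points)
    return round(min(total, cap), 2)


# Constructed sample tickets (not real data). 2024-03-04 is a Monday.
SAMPLE_INCIDENTS = [
    Incident(1, datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 9, 30)),    # 30 min -> met
    Incident(1, datetime(2024, 3, 4, 17, 30), datetime(2024, 3, 5, 8, 15)),  # 45 min of service time -> met
    Incident(2, datetime(2024, 3, 8, 16, 0), datetime(2024, 3, 11, 9, 0)),   # Fri->Mon, 3 h of service time -> met
    Incident(2, datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 14, 0)),    # 5 h -> missed
    Incident(3, datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 6, 10, 0)),   # exactly 10 service hours -> met
]

if __name__ == "__main__":
    compliance = response_compliance(SAMPLE_INCIDENTS)
    print("Response compliance by priority:", compliance)
    if response_defaulted(compliance):
        print("Incident Response Time defaulted; credit =",
              service_level_credit(RESPONSE_POINTS, 10_000))
    # The agreement's own sample: 30 points on $10,000 of first-year charges
    print("Document sample credit:", service_level_credit(30, 10_000))
```

With the constructed tickets, Priority 2 reaches only 50.00% against its 93.00% target, so the Response service level defaults and its 20 points yield $1,500 on $10,000 of first-year charges; the `monthly_credits` helper shows that even if all three service levels defaulted in the same month, the 20 + 30 + 40 = 90 points allocated on this page sum to $6,750, inside the $7,500 At Risk Amount.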

Services Provided

1. System Administration
Service Provider will perform system administration activities for the technological environment in scope, including but not limited to:
i. managing access privileges;
ii. creating new user accounts and groups with appropriate security access;
iii. administering passwords and IDs;
iv. disabling and re-enabling functionality when security actions require shutting down functionality to address issues;
v. purging operational records, files, and accounts.

2. Priority 1 Outages
For all Priority 1 Outages, Service Provider will, as part of the documented Incident, Event, and Problem Management:
i. notify Customer of Outage detection;
ii. open an Incident Resolution Bridge with Customer;
iii. provide a summary description of the Outage, including an initial assessment of the Outage, the corrective action required from Service Provider and an estimated time frame for service restoration;
iv. provide Customer updates;
v. perform appropriate communication in accordance with the Event management process;
vi. coordinate with Service Desk to ensure hot news broadcasts address Priority 1 Outages.

3. Emergency Services Needs
Service Provider will apply an appropriate level of effort, resources, and commitment to resolving Emergencies. Customer and Service Provider will form rapid response teams to immediately identify the underlying cause of the Emergency, work to eliminate or mitigate the impact, and seek ways to prohibit or minimize the reoccurrence. Rapid response teams will be comprised of Service Provider management and senior technical subject matter experts as the emergency warrants.

Service Ticket Priorities

Ticket Priorities: All tickets are worked from highest priority to lowest priority and from oldest to newest. Service hours are 8:00am-6:00pm CST.

P1 – Priority 1: Critical

Examples of P1:

● Large degradation of service impacting most or all of the business

● Server down

● Network down

● Email down

● Fire, flood, etc.

P2 – Priority 2: High Priority

Examples of P2:

● Backups failing – 3 days in a row

● Company communications (e.g. email) being down

● Critical-use workstation down

● Customer has requested service be completed within 24 hours

● Ticket has been open for more than 60 days

P3 – Priority 3: Medium Priority

Examples of P3:

● Backups failing – 2 days in a row

● New user provisioning

● One or more users’ productivity is hindered

● Problem is inconveniencing multiple users

● Workstation down

● Customer has requested service be completed within 48 hours

● Ticket has been open for more than 30 days

P4 – Priority 4: Low Priority

Examples of P4:

● Any item that does not meet the criteria for P1, P2, or P3 and that the Customer has not specifically requested be handled at a higher priority than the monthly maintenance period

● Scheduled work for the Customer

● Monthly maintenance, updates, etc.