NORVET MSP – MANAGED SERVICES TERMS OF SERVICE (OPERATIONAL)

Version: 1.0 (Operational)

Effective Date: 7/13/2023

IMPORTANT: THIS IS A LEGALLY BINDING AGREEMENT. BY (A) SIGNING A STATEMENT OF WORK (“SOW”),

(B) CLICKING “ACCEPT,” (C) ISSUING A PURCHASE ORDER THAT REFERENCES THESE TERMS, OR

(D) RECEIVING OR USING ANY SERVICES FROM NORVET MSP, CLIENT AGREES TO THESE TERMS.

1. PARTIES; DEFINITIONS

1.1 Parties. These Managed Services Terms of Service (“Terms”) are between:

(a) Norvet MSP (“Norvet,” “Service Provider,” “we,” “us,” “our”), and

(b) the customer entity receiving Services (“Client,” “you,” “your”).

1.2 Key Definitions.

(a) “Services” means managed IT services, cybersecurity services, professional services, and any related deliverables

provided by Norvet under an SOW, proposal, quote, service order, ticket, or otherwise.

(b) “Change Order” means a written, signed change order or amendment executed by an Authorized Signatory of

both Parties that modifies scope, pricing, service levels, timelines, assumptions, or responsibilities.

(c) “Third-Party Provider” means any provider not under Norvet’s control, including (without limitation) ISPs,

cloud/SaaS providers (e.g., Microsoft 365/Azure), hardware manufacturers, registrars, upstream security vendors,

and any incumbent/outgoing MSP or consultant.

(d) “Client Data” means data, content, and information that Client (or its users) provide to Norvet, or that Norvet

processes solely on Client’s behalf in performing Services.

(e) “Required Security Controls” means the minimum controls Norvet identifies as necessary to deliver Services in a

reasonably secure manner, which may include (without limitation) Multi-Factor Authentication (“MFA”), patching,

endpoint protection, log retention, backup configuration, security awareness training, least-privilege access,

conditional access policies, and removal of unsupported systems.

(f) “Client Negligence” includes (without limitation) Client’s refusal, delay, failure, disabling, or circumvention of

Required Security Controls; failure to follow Norvet’s written security protocols; failure to maintain unique credentials;

failure to supervise users; ignoring security training; insecure password practices; granting excessive privileges;

and failure to timely notify Norvet of suspicious activity.

2. ORDER OF PRECEDENCE; ALIGNMENT WITH OTHER AGREEMENTS

2.1 Order of Precedence. If there is any conflict, the following order controls (highest to lowest):

(1) a mutually executed Change Order (most recent first),

(2) the applicable SOW (most recent first),

(3) these Terms, and

(4) any ancillary policies expressly incorporated by reference (e.g., Acceptable Use Policy, Privacy Policy).

2.2 Existing Master Services Agreement (MSA). If Client and Norvet have a separately signed MSA, then:

(a) these Terms are incorporated by reference and apply to the extent not inconsistent with the signed MSA/SOW; and

(b) the signed MSA/SOW governs where inconsistent.

2.3 No “Battle of the Forms.” Any Client purchase order, vendor onboarding portal terms, or similar document is rejected

and has no force unless expressly accepted in a written Change Order signed by Norvet.

3. SCOPE; SERVICE BOUNDARIES; NO RELIANCE

3.1 Scope Only as Written. Norvet provides only the Services explicitly described in an SOW/Change Order. Anything not

expressly included is out of scope and billable at Norvet’s then-current rates, or may be declined.

3.2 No Reliance on Marketing Statements. Websites, pitch decks, proposals, and verbal statements are informational only

and do not create warranties, SLAs, or binding commitments unless expressly included in an SOW/Change Order.

3.3 Not a Legal/Compliance Guarantee. Norvet does not provide legal advice and does not guarantee compliance with any

law/regulation (HIPAA, GLBA, PCI-DSS, FERPA, GDPR, state privacy laws, etc.) unless a specific compliance scope is

set forth in an SOW and priced accordingly.

4. AUTHORIZED CONTACTS; NO UNAUTHORIZED CONTACT OR INSTRUCTIONS

4.1 Authorized Contacts List. Client must designate, in writing, an up-to-date list of “Authorized Contacts” who may:

(a) request changes to systems/configurations,

(b) approve security exceptions,

(c) approve purchases, onboarding/offboarding, access requests, and financial commitments, and

(d) receive incident communications and make decisions during an incident.

4.2 Instruction Reliance; No Duty to Recognize Unauthorized Persons. Norvet may rely on requests and approvals that

appear to come from an Authorized Contact and are transmitted via approved channels. Client is solely responsible

for the accuracy of Authorized Contacts and promptly revoking access for terminated/changed personnel.

4.3 No Unapproved Outbound Contact to Client Stakeholders.

(a) Norvet and its subcontractors will not contact Client’s customers/patients/donors/vendors for marketing or solicitations.

(b) Operational communications to Client end users (e.g., ticket follow-up, onboarding instructions, security training notices)

may occur as necessary to deliver Services, but Norvet will not negotiate scope/pricing or accept change requests from

non-Authorized Contacts.

4.4 Impersonation / Social Engineering Warning. Client acknowledges attackers may impersonate Norvet personnel.

Norvet will not request user passwords by email/text. Client must verify unusual requests through known channels.

Norvet is not liable for losses arising from Client’s failure to verify identity or follow written verification procedures.

5. SHARED RESPONSIBILITY; CLIENT NEGLIGENCE = CLIENT ASSUMES 100% RISK

5.1 Shared Responsibility Model. Client acknowledges that cybersecurity and IT operations are a shared responsibility.

Norvet’s Services reduce risk; they do not eliminate it.

5.2 Required Security Controls are a Material Condition. Client agrees that Required Security Controls are mandatory

conditions of secure service delivery. Client must timely implement and maintain them as directed by Norvet.

5.3 Refusal/Delay/Disablement = Client Assumes 100% Risk (Allocation of Risk).

IF CLIENT (OR ANY CLIENT USER) REFUSES, DELAYS, DISABLES, OR CIRCUMVENTS ANY REQUIRED SECURITY CONTROL

(INCLUDING MFA, PATCHING, SECURITY TRAINING, ENDPOINT PROTECTION, LEAST-PRIVILEGE, OR BACKUP POLICIES),

CLIENT EXPRESSLY:

(a) ASSUMES 100% OF THE RESULTING RISK,

(b) ACCEPTS FULL RESPONSIBILITY FOR ANY RESULTING BREACH, DATA LOSS, BUSINESS INTERRUPTION, FRAUD, OR

SYSTEM COMPROMISE, AND

(c) MUST INDEMNIFY, DEFEND, AND HOLD HARMLESS NORVET (INCLUDING ITS OWNERS, OFFICERS, EMPLOYEES,

AGENTS, AND SUBCONTRACTORS) FROM ANY AND ALL CLAIMS, DAMAGES, FINES, PENALTIES, FEES, COSTS,

AND EXPENSES (INCLUDING ATTORNEYS’ FEES) ARISING OUT OF OR RELATING TO SUCH REFUSAL/DELAY/DISABLEMENT.

5.4 Security Exceptions Must Be Written. Any deviation from Required Security Controls requires:

(a) a written exception request by an Authorized Contact,

(b) written risk acceptance by Client’s Authorized Signatory, and

(c) Norvet’s written approval (which may be withheld in Norvet’s sole discretion).

Oral approvals are void.

5.5 Client Cooperation. Client must provide timely access, approvals, credentials, and cooperation. Delays caused by Client

toll timelines, SLA targets, and incident response effectiveness. Norvet has no liability for delays caused by Client or

Third-Party Providers.

6. CYBERSECURITY “NO GUARANTEE” CLAUSE (NIST-ALIGNED RISK STATEMENT)

6.1 No System is Immune. CLIENT ACKNOWLEDGES AND AGREES THAT NO INFORMATION SYSTEM, NETWORK,

CLOUD SERVICE, OR SECURITY CONTROL IS IMMUNE FROM ATTACK OR COMPROMISE, INCLUDING SOPHISTICATED

ATTACKS (E.G., ZERO-DAY EXPLOITS, SUPPLY-CHAIN COMPROMISE, ADVANCED PERSISTENT THREATS, OR

CREDENTIAL-THEFT CAMPAIGNS). SECURITY IS RISK MANAGEMENT, NOT RISK ELIMINATION.

6.2 No Guarantee of Prevention/Detection. Norvet does not warrant or guarantee that:

(a) any threat will be prevented,

(b) any threat will be detected,

(c) any attack will be stopped, contained, or eradicated within any particular time,

(d) any data will be recoverable, or

(e) any incident will not cause operational interruption or loss.

6.3 Not Insurance. Norvet’s fees are not insurance premiums. Client is strongly advised to maintain appropriate cyber

insurance and business interruption coverage. Any insurance procurement is Client’s responsibility unless included in an SOW.

7. THIRD-PARTY PROVIDERS; CLIENT VENDOR RESPONSIBILITY; NO LIABILITY FOR THIRD-PARTY FAILURES

7.1 Third-Party Dependencies. Many Services depend on Third-Party Providers. Outages, limitations, policy changes,

security incidents, deprecations, licensing changes, rate changes, and failures by Third-Party Providers are outside

Norvet’s control.

7.2 No Liability for Third-Party Failures. Norvet has no liability for service interruptions, data loss, security incidents,

or delays caused by Third-Party Providers, including cloud/SaaS downtime, ISP outages, vendor support delays, or

hardware replacement lead times.

7.3 Client Must Maintain Third-Party Rights. Client is responsible for:

(a) maintaining licenses, subscriptions, and vendor accounts in good standing,

(b) paying third-party bills,

(c) providing Norvet any authorizations required to liaise with Third-Party Providers, and

(d) ensuring Norvet has administrative access as needed to deliver Services.

8. THE “SUBCONTRACTOR WALL” (NO SIDE DEALS; TRANSITION COOPERATION; NO DATA HOSTAGE)

8.1 Use of Subcontractors. Norvet may use subcontractors/vendors to perform some Services. Subcontractors are

independent contractors, not Norvet employees.

8.2 No Authority to Bind Norvet (Unauthorized Promises). No subcontractor, employee, technician, or agent has authority

to:

(a) change scope, pricing, discounts, SLAs, deliverables, or security requirements,

(b) accept or approve “free work,” “side work,” “special pricing,” or any deviation,

(c) make any warranty, guarantee, or commitment on Norvet’s behalf,

UNLESS memorialized in a Change Order signed by Norvet’s Authorized Signatory. Client agrees it will not rely on

any such unauthorized statements.

8.3 Subcontractor Non-Interference; No “Side Deals.” Client shall not solicit, negotiate, or enter into any side agreement

with Norvet subcontractors regarding Services covered by these Terms without Norvet’s written consent. Any such

attempt is a material breach.

8.4 Mandatory Cooperation During Transitions (Onboarding/Offboarding).

(a) Client must ensure that all Client vendors, incumbent/outgoing MSPs, consultants, and administrators cooperate fully

with transition activities, including providing timely access, documentation, configurations, credentials, MFA enrollment

status, backup access, domain/DNS access, and administrative transfer.

(b) Client must ensure such parties do not withhold Client Data, credentials, administrative access, or support as leverage

or “hostage” due to any payment dispute—whether that dispute is with Client, with Norvet, or between vendors.

(c) If any third party refuses to cooperate, Client remains responsible for any resulting delays, increased costs, and risks.

Norvet may implement contingency measures (including credential resets, rebuilding access, reconfiguring systems,

or re-onboarding) as out-of-scope, billable work.

8.5 Norvet Subcontractors: No Withholding for Payment Disputes. Norvet will contractually prohibit its subcontractors

from withholding Client Data, credentials, transition support, or deliverables as leverage due to a payment dispute with

Norvet. Client agrees, however, that Norvet’s total liability remains limited by Section 14 (Limitation of Liability).

9. FEES; TAXES; PAYMENT; COLLECTION

9.1 Fees and Billing. Fees are set forth in the SOW or invoice. Unless stated otherwise:

(a) invoices are due upon receipt or Net 15 (Norvet’s choice as stated on the invoice),

(b) all fees are non-refundable unless expressly stated.

9.2 Late Fees; Interest; Collection Costs. Overdue amounts accrue interest at the maximum rate permitted by law.

Client must reimburse Norvet for all costs of collection, including attorneys’ fees, court costs, and collection agency fees.

9.3 No Setoff. Client may not withhold payment, set off amounts, or delay payment due to a dispute, ticket backlog,

or third-party issue. Disputed amounts must be paid when due and addressed via the dispute process.

9.4 Security for Payment. Norvet may require a retainer, prepaid block, credit card on file, ACH authorization, or other

security for payment as a condition of continued Services.

10. PAYMENT LEVERAGE: IMMEDIATE SUSPENSION AT 15 DAYS PAST DUE (INCLUDING SECURITY MONITORING)

10.1 Suspension Trigger. If any invoice is 15 days past due (unless a signed SOW/MSA states a different timeline),

Norvet may immediately suspend any or all Services, including (without limitation):

(a) cybersecurity monitoring,

(b) incident response readiness,

(c) patching and endpoint management,

(d) backup monitoring,

(e) help desk and admin support,

(f) access to tools, portals, or managed agents,

WITHOUT LIABILITY AND WITHOUT ANY OBLIGATION TO PROVIDE CONTINUED PROTECTION DURING SUSPENSION.

10.2 Zero Liability During Suspension. CLIENT EXPRESSLY AGREES THAT NORVET SHALL HAVE ZERO LIABILITY FOR ANY

SECURITY INCIDENTS, BUSINESS INTERRUPTION, DATA LOSS, FRAUD, OR DAMAGES OF ANY KIND ARISING DURING OR

RELATED TO A SUSPENSION CAUSED BY CLIENT’S NON-PAYMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW.

10.3 Continued Accrual of Fees. Fees continue to accrue during any suspension. Norvet may require payment in full,

plus reinstatement fees, before restoring Services.

10.4 No Obligation to Preserve SLAs During Suspension. Any SLA targets are paused during suspension and ramp-up after

reinstatement.

11. CLIENT DATA; ACCESS; BACKUPS; DELETION

11.1 Client Data Ownership. Client owns Client Data. Norvet does not acquire ownership of Client Data.

11.2 Limited License to Process. Client grants Norvet a limited license to access/process Client Data solely to deliver

Services, provide support, and meet contractual obligations.

11.3 Backups are Not a Guarantee. Unless backups are expressly included in an SOW:

(a) Norvet does not guarantee backup existence, completeness, or restorability.

(b) Any restore is best-effort and may be billable.

(c) Client is responsible for confirming business requirements (RPO/RTO) and funding solutions that meet them.

11.4 Data Retention Upon Termination. Unless otherwise stated in an SOW:

(a) Norvet may delete Client Data from Norvet-controlled systems after termination and completion of any transition

assistance period, subject to legal retention requirements and tool/vendor constraints.

(b) Norvet is not liable for Client Data that Client failed to export, migrate, or request during the transition window.

12. CONFIDENTIALITY

12.1 Each Party may receive the other’s Confidential Information. Each Party will use reasonable care to protect it and use

it only for purposes of performing under these Terms.

12.2 Exceptions include information that is public, independently developed, or rightfully received from a third party.

13. WARRANTIES; DISCLAIMER

13.1 Limited Warranty. Norvet will perform Services in a professional and workmanlike manner consistent with industry

standards.

13.2 DISCLAIMER. EXCEPT AS EXPRESSLY STATED IN AN SOW, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.”

NORVET DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,

NON-INFRINGEMENT, AND ANY WARRANTY ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

14. LIMITATION OF LIABILITY (MASSIVE DISCLAIMER + HARD CAP)

14.1 CONSEQUENTIAL DAMAGES WAIVER. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL NORVET BE

LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR FOR

LOST PROFITS, LOST REVENUE, LOST BUSINESS, BUSINESS INTERRUPTION, LOSS OF DATA, LOSS OF GOODWILL,

DIMINUTION IN VALUE, OR COST OF SUBSTITUTE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY.

14.2 HARD CAP ON DIRECT DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NORVET’S TOTAL AGGREGATE

LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES SHALL NOT EXCEED

THE TOTAL FEES ACTUALLY PAID BY CLIENT TO NORVET FOR THE SERVICES GIVING RISE TO THE CLAIM DURING THE

TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT FIRST GIVING RISE TO THE CLAIM.

14.3 Allocation of Risk. The Parties agree these limitations reflect an agreed allocation of risk and that fees would be

materially higher without them.

14.4 Exclusions. Some jurisdictions limit exclusion of certain damages. Where prohibited, the exclusions apply to the fullest

extent permitted.

15. INDEMNIFICATION (CLIENT-FORWARD; NEGLIGENCE & SECURITY FAILURES)

15.1 Client Indemnity. Client shall indemnify, defend, and hold harmless Norvet and its affiliates, officers, directors,

employees, agents, and subcontractors from and against all claims, demands, suits, investigations, damages, losses,

liabilities, penalties, fines, costs, and expenses (including attorneys’ fees) arising out of or related to:

(a) Client Negligence,

(b) Client’s refusal/delay/disablement of Required Security Controls,

(c) Client’s violation of law, regulation, or third-party rights,

(d) Client content/data, or

(e) instructions/requests that appear to come from Client Authorized Contacts.

15.2 Indemnity Procedure. Norvet will promptly notify Client of a claim and reasonably cooperate at Client’s expense.

Norvet may select counsel if conflicts exist.

16. TERM; TERMINATION; SUSPENSION FOR RISK

16.1 Term. Term is as stated in the SOW. If no SOW term is stated, Services are month-to-month.

16.2 Termination for Cause. Norvet may terminate or suspend Services immediately upon:

(a) non-payment,

(b) Client breach (including security requirements),

(c) Client conduct that creates a security risk, legal risk, or operational risk,

(d) Client interference with Norvet tools/monitoring,

(e) threats, harassment, or abusive behavior toward Norvet personnel.

16.3 Effect of Termination. Upon termination:

(a) Client remains liable for all amounts owed,

(b) Norvet may disable access to tools and managed services,

(c) transition assistance (if any) is billable unless included in an SOW.

17. TRANSITION ASSISTANCE; COOPERATION; NO HOSTAGE

17.1 Transition Assistance. If requested, Norvet may provide offboarding/transition assistance at Norvet’s then-current rates

and subject to payment in advance.

17.2 Cooperation is Material. Client must cooperate in good faith to enable a smooth transition, including timely approvals,

access, and payment of outstanding balances prior to release of final deliverables, except where prohibited by law.

18. DISPUTES; GOVERNING LAW; EXCLUSIVE VENUE; JURY WAIVER

18.1 Governing Law. These Terms are governed by the laws of the State of Georgia, without regard to conflicts rules.

18.2 Exclusive Venue. The Parties agree that any dispute, claim, or controversy arising out of or relating to these Terms or

the Services shall be brought exclusively in the state or federal courts located in DeKalb County, Georgia, and each

Party irrevocably submits to personal jurisdiction and venue there.

18.3 Waiver of Jury Trial. EACH PARTY KNOWINGLY AND VOLUNTARILY WAIVES ANY RIGHT TO A JURY TRIAL.

18.4 Attorneys’ Fees. The prevailing Party in any dispute is entitled to recover reasonable attorneys’ fees and costs.

18.5 Limitation Period. Any claim must be filed within one (1) year after the cause of action accrues, or it is barred, to the

maximum extent permitted by law.

19. MISCELLANEOUS

19.1 Force Majeure. Norvet is not liable for failure/delay due to events beyond reasonable control (including third-party

outages, vendor failures, acts of God, war, strikes, supply-chain issues).

19.2 Assignment. Client may not assign these Terms without Norvet’s written consent. Norvet may assign in connection

with a merger, acquisition, or sale of assets.

19.3 Severability. If any provision is held unenforceable, the remainder remains in effect.

19.4 Entire Agreement; Modifications. These Terms plus the SOW/Change Orders constitute the entire agreement and

supersede all prior oral or written communications. No modification is valid unless in a signed Change Order.

19.5 No Third-Party Beneficiaries. No third party has any rights under these Terms.

19.6 Notices. Notices must be in writing and delivered by email and/or other method stated in the SOW.

END OF TERMS