SECURITY SERVICES AGREEMENT
The provision of Security Services by CommandLink, LLC ("CommandLink") to Customer is subject to the terms and conditions set forth in the following Security Services Agreement ("Security Services Agreement"). Security or SECaaS Services include CommandLink MDR, NDR and/or XDR Services (as defined below). This Security Services Agreement does not apply to any other Services offered or provided by CommandLink Parties. This Security Services Agreement is attached to and incorporated into the Master Service Agreement ("MSA") between CommandLink, LLC and Customer. Customer agrees to abide by and be subject to the terms and conditions set forth in this Security Services Agreement as well as the MSA and any Order Form, including provisions related to the Effective Date, renewal of the Service Term and payment of Termination Fees upon early termination of the Service Term. Any capitalized terms not defined herein shall have the meaning set forth in the MSA or the Order Form.
1. Definitions.
a. "Security Breach" means any threat or unauthorized access to, or breach or unauthorized acquisition of, Customer Data (including Customer's personal data) or Customer's computer networks.
b. "SOCaaS" or "Security Operations Center as a Service" is CommandLink's scalable, adaptive, dedicated group (POD) of SOC cyber analysts supporting Customer security operations that employs human intelligence alongside artificial intelligence and machine learning for threat analytics and proactive threat hunting.
c. "Third-Party Security and Monitoring Products" means any non-CommandLink software, tools, or other services or products provided by third parties to Customer that monitor, detect, analyze and/or report potential security threats and breaches and unauthorized access or acquisition of Customer's network or Customer Data.
2. Scope of Security Services. CommandLink employs its CommandLink Platform, which uses a multi-faceted approach of frameworks, rules and other security tools, for Security Services to help identify and mitigate Security Breaches. CommandLink Parties provide the applicable MDR, NDR, and/or XDR Services to Customer as described below and set forth in this Security Services Agreement:
a. "MDR" or "Managed Detection and Response" provides SOCaaS monitoring of alerts from Customer's Third-Party Security and Monitoring Products, with XDR analysis capabilities, for real-time detection, analysis and reporting of Security Breaches to Customer, including SOC and NOC coordinated cybersecurity threat mitigation and Security Recommendations (as defined below).
b. CommandLink "XDR" or "Extended Detection and Response" employs CommandLink software downloaded by Customer on Customer devices through the CommandLink Platform to enable CommandLink SOCaaS to monitor across Customer endpoints and servers to detect, analyze and report Security Breaches to Customer.
c. "NDR" or "Network Detection and Response" provides SOCaaS monitoring of data and logs produced by CommandLink's managed firewall for real-time detection, analysis and reporting to Customer of abnormal network traffic that may indicate a Security Breach, including SOC and NOC coordinated cybersecurity threat mitigation and Security Recommendations.
3. Command|Link Secure. To the extent set forth in the Order Form, NDR Services and XDR Services may include use of Command|Link Secure software.
4. Monitoring of Logs; Reporting; Communication. As part of the Security Services, CommandLink shall use commercially reasonable efforts to monitor the applicable logs, data or alerts in real time on a 24/7/365 basis and to report Security Breaches to Customer. Communication to Customer for reporting or otherwise will occur primarily through access to the CommandLink Platform, in addition to email and phone communication, including with dedicated SOC cyber analysts and/or Customer Success Managers (CSM). Such means, method and form of reporting, notices, access and/or contact by CommandLink shall be determined in CommandLink's sole discretion. Customer shall be solely responsible for ensuring that CommandLink has accurate and updated contact information required or requested for the performance of the Security Services.
5. Response to Security Breach; Security Recommendations. CommandLink shall use commercially reasonable efforts to assist Customer with Customer's response to a Security Breach by providing Customer with access to all logs and data in CommandLink's possession related to the Security Breach. CommandLink may provide automated and/or customized recommendations to Customer in response to Security Breaches or otherwise to improve Customer's network or data security ("Security Recommendations"). These Security Recommendations are not mandatory directions or requirements and may be implemented by Customer in its discretion; provided, that Customer shall act on all Security Recommendations in a timely manner and failure to implement any Security Recommendation may impact Service quality. The Security Recommendations are based solely on the specific facts and circumstances of Customer, the information provided by Customer, the Customer's networks known to CommandLink and commercially reasonable industry standards at the time of the Security Recommendations. At Customer's direction, CommandLink may make configuration changes to Customer's firewall, network or computer systems ("Configuration Changes"). Except as set forth herein, CommandLink shall not provide nor be responsible for further investigation of Security Breaches, including any forensic evaluation or analysis, or for incident response services.
6. Security Services SLA. CommandLink Parties' performance of the Security Services shall be subject to the Security Services SLA set forth in Addendum 1 to this Security Services Agreement, which is made part of and incorporated into this Security Services Agreement by reference. The Security Services SLA performance goals shall apply beginning on the later of (a) thirty (30) days after the Start Date of such Services; and (b) completion of all required onboarding and deployment by Customer.
7. Customer Responsibilities. In addition to other requirements set forth in the MSA, this Security Services Agreement and Order Form, Customer agrees and acknowledges that it shall be responsible for: (a) all CPE; (b) compatibility of Customer CPE and/or Customer environment with the Security Services; (c) download of any software required in connection with the Security Services, including, without limitation, selection and download of applicable software for XDR; (d) deployment of agents as required to all endpoints in the Customer environment; (e) Third-Party Security and Monitoring Products; (f) securing any third-party consents and access required for performance of the Security Services in Customer's environment; (g) completion of all required onboarding and Customer deployment for Service enablement; (h) provision of accurate and updated information to CommandLink Parties, including, without limitation, Customer contact and access information for reporting and communication and notification of Customer planned activities or outages; (i) using the CommandLink Platform for support, notification, communication, information, access and otherwise as directed by CommandLink for its delivery of the Security Services; (j) participation as reasonably requested by CommandLink for any review, investigation, testing or analyses of Security Breaches; (k) timely action on any Security Recommendations; (l) direction regarding Configuration Changes; and (m) incident response.
8. Disclaimers; No Guarantee/Warranty. IN ADDITION TO THE LIMITATIONS AND DISCLAIMERS SET FORTH IN THE MSA AND EXCEPT AS OTHERWISE SET FORTH IN THIS SECURITY SERVICES AGREEMENT: (A) CUSTOMER'S SOLE AND EXCLUSIVE REMEDY FOR NON-PERFORMANCE OF THE SECURITY SERVICES, INCLUDING INTERRUPTIONS, OUTAGES OR OTHER DOWNTIME OF SECURITY SERVICES, OR FAILURE OF THE SECURITY SERVICES TO COMPLY WITH THIS SECURITY SERVICES AGREEMENT OR TO MEET THE SECURITY SERVICE LEVELS SPECIFIED IN THE SECURITY SERVICES SLA SHALL BE SET FORTH IN ADDENDUM 1; (B) SUBJECT TO ADDENDUM 1, COMMANDLINK PARTIES DO NOT GUARANTEE AND EXPRESSLY DISCLAIM ANY WARRANTY THAT THE SECURITY SERVICES, INCLUDING THE COMMANDLINK SECURE SOFTWARE, WILL DETECT, PREVENT, MITIGATE, MANAGE, OR REPORT ANY OR ALL SECURITY BREACHES, INCIDENTS, INTRUSIONS, WEAKNESSES OR THREATS; (C) COMMANDLINK SHALL BE ENTITLED TO AND SHALL RELY ON THE LOGS, DATA AND OTHER INFORMATION PROVIDED TO IT BY THIRD-PARTY SECURITY AND MONITORING PRODUCTS AND SHALL NOT BE LIABLE FOR ANY SECURITY BREACHES, INCIDENTS, INTRUSIONS, WEAKNESSES OR THREATS THAT ARE NOT IDENTIFIED BY THIRD-PARTY SECURITY AND MONITORING PRODUCTS; (D) COMMANDLINK SHALL NOT BE LIABLE FOR ANY SECURITY BREACHES, INCIDENTS, INTRUSIONS, WEAKNESSES OR THREATS OCCURRING DURING INTERRUPTIONS, OUTAGES OR OTHER DOWNTIME; (E) COMMANDLINK PROVIDES NO WARRANTIES OR GUARANTEES REGARDING SECURITY RECOMMENDATIONS, INCLUDING THAT IMPLEMENTATION OF ANY SECURITY RECOMMENDATIONS WILL RESULT IN DETECTION, PREVENTION OR MITIGATION OF SECURITY BREACHES, INCIDENTS, INTRUSIONS, WEAKNESSES OR THREATS; AND (F) COMMANDLINK PROVIDES NO WARRANTIES OR GUARANTEES REGARDING CONFIGURATION CHANGES TO CUSTOMER'S FIREWALL, NETWORK, OR COMPUTER SYSTEMS MADE BY COMMANDLINK, COMMANDLINK PARTIES OR ANY OTHER THIRD PARTY AT CUSTOMER'S DIRECTION, WHETHER IN RESPONSE TO A SECURITY RECOMMENDATION OR OTHER REASON.
ADDENDUM 1
SECURITY SERVICES SERVICE LEVEL AGREEMENT (SLA)
This SLA is attached to and incorporated into the Security Services Agreement between CommandLink, LLC and Customer. This SLA sets forth the performance goals for the Security Services beginning on the later of thirty (30) days after the Start Date of such Services or completion of required onboarding and deployment by Customer ("Security Service Levels"), and the parties' obligations with respect to the same. Customer agrees to abide by and be subject to the terms and conditions set forth in this SLA as well as the Security Services Agreement, Order Form and MSA. Based on the terms hereof, Customer may be eligible for specific reductions in future MRCs owed by Customer ("Service Credits"). Any capitalized terms not defined herein shall have the meaning set forth in the Security Services Agreement, MSA or the Order Form.
1. Security Services Availability. For each cumulative one (1) hour period where CommandLink Security Services are not available, Customer shall be eligible to receive a Service Credit equal to 1/30th of the affected Security Service's MRC, at a maximum of one such credit accrued per calendar day. No Service Credit shall be available for any Security Services unavailability lasting less than one (1) cumulative hour or any partial hour.
2. Security Breach Prioritization. In its reasonable discretion, CommandLink shall assign priorities and respond to incidents according to those priorities using the following definitions:
a. A "High Level Event" is an incident that requires immediate action, including active ransomware or an active threat actor in the Customer's network environment.
b. A "Medium Level Event" is an incident that requires prompt action, including a minor virus, suspicious IP, or many connections from a single source-IP.
c. A "Low Level Event" is an incident that requires non-urgent attention, including an information alert.
3. Target Response Time.
a. High Level Event. One (1) hour for first communication with Customer after incident detection.
b. Medium Level Event. Four (4) hours for first communication with Customer after incident detection.
c. Low Level Event. Twenty-four (24) hours for first communication with Customer after incident detection.
Should the response time exceed the applicable Target Response Time set forth above based on the CommandLink assigned incident priority, Customer will be eligible to receive a Service Credit equal to 1/30 of the affected Security Service's MRC for each full hour that exceeds the applicable Target Response Time in the applicable calendar month.
4. Monthly Reporting Percentage. The "Monthly Reporting Percentage" Target for Security Service is at least ninety-six percent (96%). Monthly Reporting Percentage is calculated by CommandLink by dividing the number of detected incidents reported to Customer within a given calendar month by the number of detected incidents during the applicable month. Should the Monthly Reporting Percentage not meet the Monthly Reporting Percentage Target of at least ninety-six percent (96%), Customer will be eligible to receive a Service Credit equal to ten percent (10%) of the affected Security Service's MRC for the applicable calendar month.
5. SLA Claim Process. Customer must request a Service Credit within fifteen (15) days of the incident allegedly giving rise to a Service Credit by emailing [email protected] (a "Service Credit Request"). A Service Credit Request must include the Customer's name, Location address, contact information, dates of incident, and background on the incident. CommandLink will review the Customer's claim and provide feedback or a response within fifteen (15) days of its receipt of the Service Credit Request. If Customer fails to provide a response to any CommandLink request for additional information regarding a claim for Service Credits within fifteen (15) days from Customer's receipt thereof, the claim will be denied. CommandLink will not accept late Service Credit Requests under any circumstance and any applicable Service Credits shall be null and void. A separate Service Credit Request must be submitted for each incident and each Location, unless the request is for the same Service and Location. Customer must also be current in all of its invoices to be eligible for Service Credits and may not withhold payments based on pending or disputed Service Credit Requests.
6. Service Credit Terms. The maximum Service Credit to be issued to Customer for any given calendar month shall not exceed fifty percent (50%) of the MRC for the affected Service. Customer may not claim failure to meet multiple Security Service Levels (and associated Service Credits) where a single incident has resulted in failure to achieve multiple Security Service Levels. In such case, Customer may claim one (1) Service Credit of its choosing. Service Credits must also be equal to or greater than twenty dollars ($20.00) to be processed.
7. Exclusive Remedy. CommandLink's issuance of Service Credits or other actions set forth in this SLA represents CommandLink Parties' sole liability and obligation to Customer, and Customer's sole and exclusive remedy against CommandLink Parties, for any Service issue, including the Security Services non-performance, or failure to meet the Security Service Levels set forth herein. Any Service Credits issued by CommandLink under this SLA shall count toward the limitation of liability under the MSA.
8. Service Credit Ineligibility. Customer will not be entitled to Service Credits if an event was caused by, related to or arising from any of the following:
a. Scheduled and/or emergency maintenance, service alteration, or implementation;
b. Failure of CPE or other third-party systems, equipment, applications or facilities not owned or controlled by CommandLink;
c. Acts or omissions of, and/or caused by, Customer, its employed staff, contracted representatives, end users or other third parties;
d. If Customer is receiving rate limited Services as a result of data, priority or plan allowances being exceeded;
e. A Force Majeure Event;
f. Termination or suspension of Service or right to use the Service in accordance with the MSA, Security Services Agreement or Order Form, including for cause due to a Customer breach;
g. CommandLink Parties' lack of reasonable access to Customer's Location;
h. Interruptions to a Service due to power failure or outage at a Customer Location; and/or
i. Customer's failure to timely act on or implement any Security Recommendation.