Statement of Services

1. Effective Date and Go-Live Date

The Effective Date is the date listed on the most recent accepted quote for services. Synivate will notify Customer of the date when all Services specified in this SOW are available to Customer (the "Go Live Date") and will provide Customer with information needed for Customer to access the Services. Prior to the Go Live Date, Synivate will be in the implementation process, which means the Services will not be active. Synivate's obligation to deliver Service as specified herein does not begin until the Go Live Date.

Failure of the Customer to engage with Synivate effectively and efficiently during the implementation period, including but not limited to failing to provide required access and information, to the extent that impedes or delays the Go Live Date by more than sixty (60) days after the date this SOW is signed, may lead to all or any of the following, at Synivate's sole discretion, regardless of the status of implementation: a start of billing for the Services; additional fees; the beginning of the SOW Term; termination of this SOW. The Term shall begin on the Go Live Date.

2. On-Boarding Services

If onboarding services are provided under the Quote, then the following services will be provided to you:

• Uninstall any monitoring tools or other software installed by previous IT consultants.
• Compile a full inventory of all protected servers, workstations, and laptops.
• Uninstall any previous virus protection and install our managed antivirus application.
• Install remote support access application on each managed device to enable remote support.
• Configure patch management application and check for missing security updates.
• Review firewall configuration and other network infrastructure devices.
• Review status of battery backup protection on all devices.
• Stabilize network and assure that all devices can securely access the file server.
• Review and document current server configuration and status.
• Determine existing backup strategy and status; prepare backup options for consideration.
• Review password policies and update administrative device passwords.
• As applicable, make recommendations for changes that should be considered to the managed environment.

The foregoing list is subject to change if we determine, in our discretion, that different or additional onboarding activities are required.

If deficiencies are discovered during the onboarding process, we will bring those issues to your attention and discuss the impact of the deficiencies on our provision of our monthly managed services. Please note, unless otherwise expressly stated in the Quote, onboarding-related services do not include the remediation of any issues, errors, or deficiencies ("Issues"), and we cannot guarantee that all Issues will be detected during the onboarding process.

3. Term

The initial term is listed on the quote (the "Initial Term"). The term automatically renews for additional terms equal in length to the Initial Term (each, a "Renewal Term") unless either party gives the other party written notice of its intent not to renew at least sixty (60) days prior to the end of the then-current term. The Initial Term and the Renewal Term(s) together are the "Term."

4. Fees

Initial Fees and Changes to Environment

Initially, you will be charged the monthly fees indicated in the Quote. Thereafter, if the managed environment changes, or if the number of authorized users accessing the managed environment changes, then you agree that the fees will be automatically and immediately modified to accommodate those changes.

Minimum Monthly Fees

The initial Fees indicated in Quote are the minimum monthly fees ("MMF") that will be charged to you during the term. You agree that the amounts paid by you under the Quote will not drop below the MMF regardless of the number of users or devices to which the Services are directed or applied, unless we agree to the reduction. All modifications to the amount of hardware, devices, or authorized users under the Quote (as applicable) must be in writing and accepted by both parties.

Increases

In addition, we reserve the right to increase our monthly recurring fees; provided, however, if an increase is more than eight percent (8%) of the fees charged for the services in the prior calendar year, then you will be provided with a sixty (60) day opportunity to terminate the services affected by the fee increase by providing us with written notice of termination. You will be responsible for the payment of all fees that accrue up to the termination date and all pre-approved, non-mitigatable expenses that we incurred in our provision of the services through the date of termination. Your continued acceptance, or use of the services after this sixty (60) day period will indicate your acceptance of the increased fees.

Travel Time

If onsite services are provided, we will travel up to 45 minutes from our office to your location at no charge. Time spent traveling beyond 45 minutes will be billed to you at our then-current hourly rates. In addition, you will be billed for all tolls, parking fees, and related expenses that we incur if we provide onsite services to you.

Appointment Cancellations

You may cancel or reschedule any appointment with us at no charge by providing us with notice of cancellation at least one business day in advance. If we do not receive timely notice of cancellation/re-scheduling, or if you are not present at the scheduled time or if we are otherwise denied access to your premises at a pre-scheduled appointment time, then you agree to pay us a cancellation fee equal to two (2) hours of our normal billable time.

Automated Payment

You may pay your invoices by credit card and/or by ACH, as described below. If you authorize payment by credit card and ACH, then the ACH payment method will be attempted first. If that attempt fails for any reason, then we will process payment using your designated credit card.

• ACH: When enrolled in an ACH payment processing method, you authorize us to electronically debit your designated checking or savings account, as defined and configured by you in our payment portal, for any payments due under the Quote. This authorization will continue until otherwise terminated in writing by you. We will apply a $50.00 service charge to your account for any electronic debit that is returned unpaid due to insufficient funds or due to your bank's electronic draft restrictions.
• Credit Card: When enrolled in a credit card payment processing method, you authorize us to charge your credit card, as designated by you in our payment portal, for any payments due under the Quote. When paying with a credit card, our third-party payment processor may collect a convenience fee associated with the transaction. This fee will be outlined in the payment portal at the time of the transaction.

5. Covered Equipment / Hardware / Software

Managed Services will be applied to the equipment listed in the Quote ("Covered Hardware").

The Services will apply to the software listed in the Quote ("Supported Software") provided, however, that all Supported Software must, at all times, be properly licensed, and under a maintenance and support agreement from the Supported Software's manufacturer. In this Service Statement, Covered Hardware and Supported Software will be referred to as the "Environment" or "Covered Equipment."

6. Physical Locations Covered by Services

Services will be provided remotely unless, in our discretion, we determine that an onsite visit is required. Onsite visits will be scheduled in accordance with the priority assigned to the issue (below), and are subject to technician availability. Unless we agree otherwise, all onsite Services will be provided at Client's primary office location listed in the Quote. Additional fees may apply for onsite visits: Please review the Service Level section below for more details.

7. Service Catalog

The services listed below may or may not be included in your service quote. A full catalog of available services is provided here and corresponds with the line items listed in the service quote. Only those services specifically described in the Quote will be provided.

Help Desk Support

Automated monitoring is provided on an ongoing (i.e., 24x7x365) basis; response, repair, and/or remediation services (as applicable) will be provided only during business hours unless otherwise specifically stated in the Quote. We will respond to problems, errors, or interruptions in the provision of the Services in the timeframe(s) described below. Severity levels will be determined by Synivate in our discretion after consulting with the Client. All remediation services will initially be attempted remotely; Synivate will provide onsite service only if remote remediation is ineffective and, under all circumstances, only if covered under the Service plan selected by Client.

Standard hours of support are 8:00 AM – 5:00 PM ET Monday – Friday.

We are closed on New Year's Day, Memorial Day, Independence Day, Labor Day, Thanksgiving Day and Christmas Day. We are still available 24×7 for emergency on-call support. If the holiday falls on a Sunday, we will be closed the following Monday, and if the holiday falls on a Saturday, we will be closed the preceding Friday. Emergency tickets are limited to core network outages (Server/Network/Firewall/Application) that are affecting multiple end users. Emergency support requests must be raised by calling 617-517-0704. Tickets are not monitored outside of business hours.

End users must register support requests by e-mailing support AT synivate.com, utilizing our support portal at https://synivate.deskdirector.com/ or by calling 617-517-0704.

Priority Response Times

Priority	Description	Type	Weekdays	After Hours
P1	Service not available (all users and functions unavailable, e.g. Server Down / Network Down / Security Incident)	Remote	1 Hour	2 Hours
		On-Site	4 Hours	8 Hours
P2	Significant degradation of service (large number of users or business critical functions affected)	Remote	2 Hours	4 Hours
		On-Site	8 Hours	8 Hours
P3	Limited degradation of service (limited number of users or functions affected, business process can continue)	Remote	8 Hours	16 Hours
		On-Site	72 Hours	72 Hours
P4	Small service degradation or request for change (one user affected, e.g. User Locked Out / Software Issues / Hardware Issues / Password Resets / New Hire Requests)	Remote	24 Hours	72 Hours
		On-Site	72 Hours	72 Hours

Weekdays: 8:00 AM – 5:00 PM ET, Mon–Fri.   |   After Hours: Weekdays 5:00 PM – 8:00 AM, Weekends, and Holidays.

All time frames are calculated as of the time that Synivate is notified of the applicable issue/problem by Client through Synivate's designated support portal, help desk, or by telephone at the telephone number listed in the Quote. Notifications received in any manner other than described herein may result in a delay in the provision of remediation efforts. Help desk support provided outside of our normal support hours, that is not classified as a critical problem, will be billed to Client at our then-current hourly rates (2x) with a minimum of one (1) hour.

Acceptable use of Help Desk services is established at an average of two (2) tickets per user per month, measured quarterly and excluding both the initial three (3) month onboarding period and any tickets attributable to approved project work. Should utilization patterns approach these thresholds, Synivate will notify Client and may propose service restructuring, additional user training, or infrastructure improvements to address underlying causes. Client acknowledges that sustained excessive utilization may indicate service plan misalignment warranting contract modification or termination of the Help Desk service entirely. Standard termination obligations and any applicable early termination provisions remain in effect. Synivate may terminate this service upon sixty (60) days written notice if Client's support ticket volume consistently exceeds acceptable use parameters. 

Employee Journey Management

Company approvers must register new hire requests and termination requests by submitting a form through our Help Desk application located here: https://synivate.deskdirector.com/

New Hire Turnaround Times

Request	Description	ETA
New Hire (Email-Only)	We will provision the necessary licensing for the new hire account and complete the setup.	8 Business Hours
Laptop/Workstation from Inventory*	Day 1** – Wipe machine, install Windows Updates, Manufacturer Drivers, BIOS Updates and baseline applications (e.g. MS Office, Adobe PDF Reader). Must be notified prior to 12PM ET to start same day. Install cybersecurity software suite and line-of-business applications. Day 2 – Quality control and ship to facility or end user. Day 3 – Transit (UPS/FedEx). Day 4 – Transit & Delivery by End of Day (Massachusetts).	3–4 Business Days
New Laptop/Workstation (Custom Order)	Day 1 – Quote generated and ordered from manufacturer (orders by 1PM ET typically ship same day). Days 2–3 – Transit & Delivery. Day 4** – Wipe, install updates, drivers, BIOS, and baseline apps. Day 5 – Cybersecurity suite and LOB applications. Day 6 – QC and ship. Days 7–8 – Transit & Delivery (Massachusetts).	8–10 Business Days

*Inventory refers to spare machines in our MA facility purchased in advance to expedite new laptop/workstation provisioning.

**This process takes a full business day as the machine needs to reboot several times to complete various updates and driver installations.

For terminations, please provide as much notice as possible so we can schedule accordingly. If we are working with the individual to reclaim equipment, please provide 8 business days notice. If equipment is not being reclaimed, please provide a minimum of 2 business days notice. For urgent terminations requiring limited notice, please allow a minimum of 1 business hour to temporarily block primary access.

All time frames are calculated as of the time that Synivate is notified of the applicable issue/problem by Client through Synivate's designated support portal. Notifications received in any manner other than described herein will result in a delay.

Outbound SMTP E-Mail Services

You are solely responsible for the proper use of any hosted email service provided to you ("Hosted Email"). Hosted Email solutions are subject to acceptable use policies ("AUPs"), and your use of Hosted Email must comply with those AUPs. In all cases, you agree to refrain from uploading, posting, transmitting or distributing any prohibited content, which is generally content that (i) is obscene, illegal, or intended to advocate the violation of any law, (ii) violates intellectual property or privacy rights, (iii) mischaracterizes you or creates a false identity, (iv) interferes with services provided by Synivate or third parties, or (v) contains Viruses or malicious code. You must not use Hosted Email for sending unsolicited commercial electronic messages ("SPAM") in violation of any federal or state law. Synivate reserves the right to suspend Client's access to the Hosted Email if Synivate believes the account(s) are being used in an improper or illegal manner.

VoIP & Phone Systems

Synivate no longer provides any VoIP services directly. Synivate may introduce Client to a third-party who can provide these services. Synivate has no affiliation with the third party service providers and makes no claims or warranties. Client shall hold Synivate harmless for any and all claims or causes of action arising from or related to Client’s inability to use traditional 911 or E911 services.

Patch Management

We will keep all managed hardware and managed software current with critical patches and updates ("Patches") as those Patches are released generally by the applicable manufacturers. Patches are developed by third party vendors and, on rare occasions, may make the Environment or portions of the Environment unstable or cause managed equipment or software to fail to function properly even when the Patches are installed correctly. We will not be responsible for any downtime or losses arising from the installation or use of any Patch. We reserve the right to refrain from installing a Patch if we are aware of technical problems caused by a Patch, or we believe that a Patch may render the Environment unstable.

Managed Backup (BCDR) Services

All data transmitted over the Internet may be subject to malware and computer contaminants such as viruses, worms and trojan horses, as well as attempts by unauthorized users to access or damage Client's data. Neither Synivate nor its designated affiliates will be responsible for the outcome or results of such activities. BCDR services require a reliable, always-connected internet solution. Data backup and recovery time will depend on the speed and reliability of your internet connection. Internet and telecommunications outages will prevent the BCDR services from operating correctly. Due to technology limitations, all computer hardware has an error transaction rate that can be minimized but not eliminated. Synivate cannot and does not warrant that data corruption or loss will be avoided. Client is strongly advised to keep a local backup of all stored data to mitigate against unintentional loss of data.

Virtual Chief Information Officer (vCIO)

Synivate will assign Client a vCIO and through our iterative process, meet with Client from time to time to identify risks and recommend solutions to align the Client with best practices. Suggestions and advice rendered to Client are provided in accordance with relevant industry practices, based on Client's specific needs and Synivate's opinion and knowledge of the relevant facts and circumstances. By rendering advice, or by suggesting a particular service or solution, Synivate is not endorsing any particular manufacturer or service provider. The advice and suggestions provided in our capacity as a virtual chief technology or information officer will be for your informational and/or educational purposes only. Synivate will not hold an actual director or officer position in Client's company, and we will neither hold nor maintain any fiduciary relationship with Client. Under no circumstances shall Client list or place Synivate on Client's corporate records or accounts.

Technology Alignment Manager (TAM)

As part of our enhanced service delivery, Client will be assigned a dedicated Technology Alignment Manager (TAM) who will coordinate routine onsite visits to ensure the technology environment remains aligned with industry best practices and business objectives. Working in close collaboration with the virtual Chief Information Officer (vCIO), the TAM will provide hands-on guidance, address immediate concerns, and ensure strategic initiatives are progressing as planned. Initial visit cadence typically begins on a monthly or quarterly basis depending on the Client's size and complexity; however, Synivate reserves the flexibility to adjust this schedule as needed to best serve Client's evolving requirements and our operational capacity.

Vulnerability Management

Synivate will perform external vulnerability scanning against Client's public-facing IP addresses on a recurring basis to identify potential security weaknesses accessible from the internet. Synivate will manage the remediation of identified vulnerabilities in accordance with industry-standard prioritization frameworks to the best of their ability, addressing critical and high-severity findings within timeframes appropriate to the assessed risk level. Client acknowledges that scanning frequency, scope, and remediation timelines may be adjusted by Synivate based on threat landscape changes, resource availability, and Client's specific risk profile. Client acknowledges that some applications or services in use by Client will prohibit Synivate from addressing certain vulnerabilities. Client further acknowledges that certain remediation activities may require scheduled maintenance windows or Client approval where business-critical systems are affected.

Vulnerability Management Advanced

Synivate will perform comprehensive vulnerability scanning against both Client's external public-facing IP addresses and internal network infrastructure on a recurring basis to identify potential security weaknesses. Synivate will manage the remediation of identified vulnerabilities across both external and internal assets in accordance with industry-standard prioritization frameworks, addressing critical and high-severity findings within timeframes appropriate to the assessed risk level. Client acknowledges that scanning frequency, scope, and remediation timelines may be adjusted by Synivate based on threat landscape changes, resource availability, and Client's specific risk profile. Client acknowledges that some applications or services in use by Client will prohibit Synivate from addressing certain vulnerabilities. Client further acknowledges that certain remediation activities may require scheduled maintenance windows or Client approval where business-critical systems are affected.

Domain Name Registration

If you register, renew, or transfer a domain name through Synivate, we will submit the request to the applicable domain name services provider (the "Registrar") on your behalf. Our sole responsibility is to submit the request to the Registrar, and we are not responsible for any errors, omissions, or failures of the Registrar.

Hardware as a Service (HaaS)

HaaS Equipment. We will provide you with the HaaS Equipment described in the Quote or, if no hardware is expressly designated as HaaS Equipment in the Quote, then a complete list of HaaS Equipment will be provided to you under separate cover.

Deployment. We will deploy the HaaS Equipment within the timeframe stated in the Quote, provided that you promptly provide all information that we reasonably request from you to complete deployment. If you wish to delay deployment, you may do so with written notice no later than five (5) days following the date you sign the Quote. Deployment shall not extend beyond two (2) months following the date on which you sign the Quote. You will be charged at 50% of the monthly recurring fees during the period of delay.

Equipment Hardware Repair or Replacement. Synivate will repair or replace HaaS Equipment by the end of the business day following the business day on which the applicable problem is identified and determined to be incapable of being remediated remotely. This warranty does not include the time required to rebuild your system, such as configuring a replacement device, rebuilding a RAID array, reloading the operating system, reloading applications, and/or restoring from backup.

Service Credits. If Synivate fails to meet the warranties in this section and the failure materially and adversely affects your hosted environment ("Hosted System"), you are entitled to a credit in the amount of 5% of the monthly fee per hour of downtime (after the initial one (1) hour allocated to problem identification), up to 100% of your monthly fee for the affected HaaS Equipment.

Periodic Replacement. From time to time, we may decide to swap out older HaaS Equipment for updated or newer equipment. Generally, equipment that is five years old or older may be appropriate for replacement. We will notify you and arrange a mutually convenient time for such activity.

Return of HaaS Equipment. Unless we expressly direct you to do so, you will not remove or disable any software agents installed in the HaaS Equipment. Within ten (10) days after the termination of HaaS-related Services, Client will provide Synivate access to the premises so that all equipment may be retrieved. If you fail to provide timely access or the equipment is returned damaged (normal wear and tear excepted), we have the right to charge you the replacement value.

Device Monitoring & Alerting

Synivate will provide continuous monitoring of Client's enrolled servers and endpoints to detect critical system conditions requiring intervention. For servers, monitoring includes critical errors, system failures, disk failures, low disk space conditions, service outages (including SQL Server services where applicable), performance degradation, and other conditions that may impact system availability or data integrity. For workstations and laptops, monitoring is limited exclusively to critical disk space conditions of 2GB or less. Synivate will configure monitoring thresholds, alert parameters, and escalation procedures at its discretion based on industry best practices and system criticality. Client acknowledges that monitoring is dependent upon proper agent installation, network connectivity, and system accessibility. Synivate is not responsible for conditions that occur during periods when monitoring agents are offline, disabled, or unable to communicate with monitoring infrastructure. Detection of a monitored condition does not guarantee prevention of system failure or data loss. Synivate reserves the right to modify monitoring parameters, alert thresholds, and covered metrics as necessary to reduce false positives or address operational requirements.

Network Device Monitoring

Synivate will provide monitoring of Client's network infrastructure devices as specifically listed on the Quote. Monitoring encompasses device availability, interface status, performance metrics, and SNMP-based alerts for the explicitly listed network switches, routers, firewalls, wireless controllers, and other network equipment designated for coverage. Synivate will configure monitoring parameters and alert thresholds at its discretion based on device capabilities and operational best practices. Client acknowledges that monitoring coverage is limited exclusively to devices enumerated in the governing service documentation, and that network devices not specifically listed are excluded from monitoring scope. Addition or removal of monitored devices requires amendment to the service agreement and may result in fee adjustments. Synivate is not responsible for conditions affecting devices during periods of network connectivity loss, device misconfiguration, or SNMP communication failures. Synivate reserves the right to modify monitoring protocols, SNMP community strings, or collection methods as necessary to maintain effective monitoring or address security requirements.

Cybersecurity Awareness & Phishing Simulation

Synivate will provide ongoing security awareness training and simulated phishing campaigns to educate Client's users on cybersecurity threats and safe computing practices. Training modules cover phishing recognition, password security, social engineering, data protection, and incident reporting. Synivate will determine training assignments, simulation frequency, and curriculum content based on industry best practices and Client's risk profile. Synivate will provide periodic reporting on completion rates and performance metrics. Client is responsible for ensuring users complete assigned training within designated timeframes. Synivate reserves the right to modify training platforms, content, and simulation parameters as necessary to maintain effectiveness. Client acknowledges that individual user behavior remains outside Synivate's direct control.

Advanced DNS Filtering & Web Protection

Synivate will provide DNS-layer security services to protect Client against web-based threats including phishing sites, malware distribution domains, command-and-control infrastructure, and inappropriate or high-risk web content. This service operates at the DNS resolution level to block access to malicious or policy-violating domains before connections are established, providing protection across all Client devices regardless of location. Synivate will manage DNS security platform configuration, threat intelligence feeds, content category policies, and allowlist/blocklist administration on Client's behalf. Synivate reserves the right to modify filtering policies, category definitions, and blocking thresholds as necessary to address evolving threat landscapes and maintain effective protection levels. Client acknowledges that DNS-layer filtering may occasionally result in legitimate websites being blocked, and agrees to promptly report suspected false positives to Synivate for review and adjustment. Client is responsible for ensuring endpoints are configured to utilize Synivate-managed DNS resolvers for protection to remain effective.

E-Mail Security & Threat Defense

Synivate will provide advanced email security services including spam filtering, phishing detection, malicious URL protection, and attachment sandboxing to defend against email-borne threats. Synivate will manage platform configuration, security policy enforcement, and quarantine administration on Client's behalf. Client users may receive quarantine notifications and release false positives subject to administrative review. Synivate reserves the right to modify security policies and filtering rules to address evolving threats. Client acknowledges that legitimate messages may occasionally be quarantined and agrees to report suspected false positives for review.

24x7 Managed Endpoint Detection & Response

Synivate will provide continuous endpoint security monitoring and threat response services through a third-party Security Operations Center (SOC) operating on a 24x7x365 basis. The SOC will monitor Client's enrolled endpoints for malicious activity, advanced persistent threats, and security anomalies using behavioral analysis and threat intelligence. Upon detection of confirmed threats, the SOC will initiate containment and remediation actions in accordance with established response protocols. Synivate will coordinate with the SOC to manage alert triage, threat investigation, and remediation activities on Client's behalf. Client acknowledges that response actions may include automatic isolation of compromised endpoints to prevent lateral movement or data exfiltration. Synivate reserves the right to modify SOC provider, monitoring technologies, or response procedures as necessary to maintain effective threat detection and response capabilities. Client is responsible for maintaining endpoint agent deployment and ensuring adequate network connectivity for telemetry transmission to the SOC platform.

24x7 Managed Identity Detection & Response

Synivate will provide continuous identity-focused security monitoring and threat response services through a Security Information and Event Management (SIEM) platform monitored by a third-party Security Operations Center (SOC) operating on a 24x7x365 basis. The SOC will monitor Client's identity systems, authentication events, privileged access activities, and user behavior patterns to detect unauthorized access attempts, credential compromise, privilege escalation, and anomalous account activity. Upon detection of confirmed threats, the SOC will initiate containment and remediation actions in accordance with established response protocols, which may include account suspension, session termination, or access revocation. Synivate will coordinate with the SOC to manage alert triage, threat investigation, and remediation activities on Client's behalf. Client acknowledges that response actions may result in temporary disruption to user access in order to contain active threats. Synivate reserves the right to modify SOC provider, SIEM platform, monitoring technologies, or response procedures as necessary to maintain effective threat detection and response capabilities. Client is responsible for ensuring log sources are properly configured and integrated with the SIEM platform for comprehensive monitoring coverage.

Critical On-Site Support

Synivate will provide onsite technical support in the event of critical issues that cannot be resolved through remote assistance and require physical presence at Client's location. Critical issues are defined as those that result in significant business disruption, complete system failure, or circumstances where remote troubleshooting has been exhausted without resolution. Onsite support will be dispatched at Synivate's discretion based on issue severity, troubleshooting outcomes, and operational necessity. Where the affected equipment is covered under an active manufacturer warranty or third-party maintenance agreement and the issue falls within the scope of services described in this Agreement, Synivate will provide onsite labor at no additional charge to Client. Client acknowledges that onsite support for non-critical issues, equipment outside of warranty coverage, or services beyond the defined support scope may be subject to additional fees as outlined in Synivate's standard rate schedule. Synivate reserves the right to determine the appropriateness of onsite dispatch based on technical assessment and resource availability.

Block Hours

Block Hours Support is a flexible, pre-paid bank of time dedicated to IT consulting and technical assistance for RMM, Office 365, Azure, or any other remote technical or engineering IT consulting and support needs. This service is provided on a best-effort basis, meaning there are no Service Level Agreements (SLAs) or guaranteed response times associated with block time usage. Each individual request or incident is subject to a minimum engagement of one (1) hour, with any time thereafter billed in thirty (30) minute increments. All services rendered under this agreement are strictly for remote work only and must be utilized during standard business hours, Monday through Friday, from 8:00 AM to 5:00 PM. Please note that these hours cannot be used for Incident Response (IR) work, such as active security breaches or forensic investigations, which fall under a separate emergency protocol. Any unused time remains valid and carries forward for a period of up to sixty (60) days from the date of purchase, after which it will expire.

Private Cloud Services

You agree that you are responsible for the actions and behaviors of your users of the Services. You agree that neither Client, nor any employees or designated representatives, will use the Services in a manner that violates the laws, regulations, ordinances, or other requirements of any jurisdiction.

Client agrees not to: transmit unsolicited commercial or bulk email; engage in "spamming"; carry out "denial of service" attacks; infringe on intellectual property rights; collect personally identifiable information without consent; or undertake any action harmful to Synivate or its infrastructure.

Client is solely responsible for ensuring that login information is utilized only by authorized users and agents, including ensuring the secrecy and strength of user identifications and passwords. If login information is lost, stolen, or used by unauthorized parties, Client must notify Synivate immediately. Synivate will use commercially reasonable efforts to implement security requests as soon as practicable.

Co-Managed IT

In Co-Managed situations (e.g., where you have designated other vendors or personnel, or "Co-Managed Providers," to provide you with services that overlap or conflict with the Services provided by us), we will endeavor to implement the Services in an efficient and effective manner; however, (a) we will not be responsible for the acts or omissions of Co-Managed Providers, or the remediation of any problems arising from those acts or omissions, and (b) in the event that a Co-Managed Provider's determination on an issue differs from our position, we will yield to the Co-Managed Provider's determination and bring that situation to your attention.

In Co-Managed situations, Client agrees to indemnify and hold us harmless from and against any and all Environment-related issues, damages, expenses, costs, and claims, where the issues cannot directly and unambiguously be traced back to any wrongdoing by Synivate.

Where Customer has been provided with separate administrative access credentials to systems, networks, or applications ("Admin Access"), Synivate expressly disclaims all liability for any modifications, changes, configurations, or alterations made by Customer or Customer's personnel using Admin Access. Synivate further disclaims liability for any security breaches, data loss, system failures, or other incidents resulting from the use, misuse, or compromise of Admin Access credentials, as well as any unauthorized access to Customer systems resulting from Customer's handling, storage, or sharing of Admin Access credentials.

Customer acknowledges and agrees that Customer assumes full responsibility for all actions taken using Admin Access credentials and will maintain the confidentiality and security of all Admin Access credentials. Customer further acknowledges that any use of Admin Access credentials, whether authorized or unauthorized, is at Customer's sole risk.

Any work performed by Synivate to remediate, repair, restore, or otherwise address issues arising from or related to the use of Admin Access credentials shall be billed at Synivate's then-current emergency or rush rates, regardless of when such work is performed or whether it occurs during regular business hours. This includes, but is not limited to, system restoration or recovery, security incident response, configuration correction or rollback, and data recovery or reconstruction.

Customer agrees to indemnify and hold harmless Synivate from any claims, damages, losses, or expenses arising from Customer's use of Admin Access credentials.

9. Public Cloud Services

Public Cloud Platforms (AWS / Google Cloud / Microsoft Azure)

Synivate works with third-parties to provide comprehensive public cloud services including AWS, Google Cloud, and Microsoft Azure. We will provide Client with a cost estimate prior to migrating or setting up resources in public cloud systems. The cost estimate is obtained directly from the vendor and is subject to change. Any changes made to public cloud resources will result in a cost change. Client agrees to pay Synivate for all charges associated with their public cloud systems.

Microsoft 365 and Office 365 Services

All Microsoft 365 and Microsoft Office 365 subscriptions will be billed monthly unless otherwise specified on the quote. All subscriptions will have an annual commitment and will auto-renew according to Microsoft's then-current terms of service. Any termination fees associated with a reduction or change in service to the current Microsoft license will be billed in accordance with the Microsoft service agreement. Microsoft licensing, although billed monthly, under the annual commitment requires the Client to pay the balance upon cancellation or termination.

By using these public cloud services, Client agrees to the terms listed at https://www.microsoft.com/en-us/servicesagreement

10. Assumptions / Minimum Requirements / Exclusions

The scheduling, fees and provision of the Services are based upon the following assumptions and minimum requirements:

• All hardware must be covered under the manufacturer warranty with an on-site support agreement.
• All equipment with Microsoft Windows® operating systems must be running then-currently supported versions with all latest service packs and critical updates installed, and must be the Business, Professional or Enterprise edition.
• All software must be genuine, licensed and vendor-supported.
• Server file systems and e-mail systems (if applicable) must be protected by licensed and up-to-date virus protection software, and backed up on a regular basis.
• The Environment must have a currently licensed, vendor-supported server-based backup solution that can be monitored.
• All wireless data traffic must be securely encrypted with then-current wireless security standards.
• All servers and networking equipment must be connected to working UPS devices with networked cards and environmental sensors.
• Workstations and laptops must have a minimum of 16GB of RAM, at least 500GB of SSD OS Disk Storage and have been manufactured within the last six years.
• Recovery coverage assumes data integrity of the backups. We do not guarantee the integrity of backups. Server restoration will be to the point of the last successful backup.
• Client must provide all software installation media and key codes in the event of a failure.
• Any costs required to bring the Environment up to these minimum standards are not included in this Service Statement.
• Client must provide us with exclusive administrative privileges to the Environment.
• Client must not affix or install any accessory, addition, upgrade, equipment, or device on to the firewall, server, or NAS appliances unless expressly approved in writing by us.

Exclusions

Services that are not expressly described in the Quote will be out of scope. Without limiting the foregoing, the following services are expressly excluded:

• Any service not specifically identified as included in a Quote.
• Customization of third party applications, or programming of any kind.
• Support for operating systems, applications, or hardware no longer supported by the manufacturer.
• Data/voice wiring or cabling services of any kind.
• Battery backup replacement.
• Equipment relocation.
• The cost to bring the Environment up to the Minimum Requirements.
• The cost of repairs to hardware or any supported equipment or software, or the costs to acquire parts or equipment, or shipping charges.
• The cost to send a technician on-site for a change request, new equipment install, new workstation install or other non-remedial service.
• Maintenance of application software packages.
• Data restoration due to failed hardware or software corruption.
• Any response to or remediation of an identified security incident (ransomware, business email compromise, data exfiltration, etc.).
• Response to any issue not reported in accordance with the support procedures described herein.

10. Synivate Property

Synivate may place at Customer's site or otherwise provide equipment, other goods, materials/supplies and/or similar items, software, and information owned by Synivate or a third party, for the purposes of carrying out this SOW (collectively, "Synivate Property"). Such placement or provision of Synivate Property shall not create any rights of ownership in Customer or any third party. Customer shall use reasonable care with Synivate Property, but no less care than Customer uses with respect to its own property. Customer shall return Synivate Property upon Synivate request or upon termination or expiration of this SOW. Customer's failure to return Synivate Property within seven (7) days of request or upon termination/expiration will result in a fee equivalent to the new replacement cost of Synivate Property.

11. Third Party Providers

To enhance the Services provided by Synivate to Customer, Synivate may utilize third parties for certain products ("Third-Party Product Vendors") or services ("Third-Party Service Providers"). In addition to Synivate, Customer may be legally bound by certain third party terms and conditions.

SYNIVATE IS NOT RESPONSIBLE FOR THE ACTS OR OMISSIONS OF THIRD-PARTY PROVIDERS. CUSTOMER'S RIGHTS REGARDING CLAIMS AGAINST THIRD-PARTY PROVIDERS SHALL BE GOVERNED BY SUCH SERVICE PROVIDER'S END USER LICENSE AGREEMENT OR TERMS AND CONDITIONS.

Third-Party Providers may be changed/replaced during the service period. Synivate will inform Customer via e-mail of the change and advise of the new terms and conditions.

Third Party Vendors and their Terms and Conditions applicable to Customer are listed at https://synivate.com/third-party-eulas.

12. Security

The physical security of all electronic equipment, computers, servers, and network is the responsibility of Customer. While Synivate may make recommendations regarding the electronic security of IT equipment, it is in no way responsible for the security of said items, whether or not Synivate's recommendations are followed, as no security measures are 100% effective.

THEREFORE, CUSTOMER AGREES TO HOLD SYNIVATE HARMLESS FROM ANY LOSS, INJURY, OR DAMAGE TO CUSTOMER OR ANY HARDWARE, SOFTWARE, AND/OR COMPUTER DATA OF CUSTOMER CAUSED BY MALICIOUS ACTIVITIES. Synivate is not responsible for criminal acts of third parties, including but not limited to hackers, phishers, crypto-locker, and any network environment subject to ransom. CUSTOMER AGREES TO PAY RANSOM AND HOLD SYNIVATE HARMLESS FOR ANY ACTIVITY AFFECTING NETWORK SECURITY ON CUSTOMER'S ENVIRONMENT RELATED TO THIRD-PARTY CRIMINAL ACTIVITY, NETWORK SECURITY, OR PRIVACY.

13. Viruses and Other Threats

Synivate recommends, and has advised Customer, of the importance of using active firewalls and up-to-date virus and malware protection. Customer understands that any attacks on Customer's computer networks and/or computers as a result of malicious software, viruses, worms, social engineering, phishing, and other hacker threats are not the responsibility of Synivate, and that while Synivate does recommend certain security measures, it is not responsible for failure to comply with said recommendations or the failure of the recommended measures to protect Customer's systems, as no such measures are 100% effective.

14. Electrical Power, Lightning, and Surges

Synivate recommends, and has advised Customer, that Customer use UPS (Uninterrupted Power Supply/Backup Batteries) on all computer and network equipment. It is Customer's responsibility to provide such protection and/or backup batteries along with power outlets with sufficient power to support equipment at desired locations. Customer further acknowledges and agrees that surges, power spikes, brownouts, blackouts, lightning damage, or any acts of God are not the responsibility of Synivate and are outside the scope of this SOW.

15. Multi-Factor Authentication

Synivate requires the use of multi-factor authentication on M365 and externally-available applications to provide increased security and to protect Customer from various security threats. Customer agrees to conform to the use of the multi-factor authentication software that is provided by Synivate, and to keep any dependent software up to date to support multi-factor authentication. Customer agrees to train Customer's employees on the importance of complying with multi-factor authentication security requirements.

16. Admin Credentials

During the Term of this SOW, only Synivate will have access to Customer's administrative credentials. In the event Customer demands access to the administrative credentials and/or access prior to the end of the Term, it may be deemed to be a termination for convenience of this SOW and Customer shall pay to Synivate as liquidated damages and not as a penalty, eighty-five percent (85%) of the sum of the last month's fee multiplied by the number of remaining months.

17. Pre-Existing Defects and Conditions

Customer understands and agrees that pre-existing defects and conditions to Customer's computers, network, servers, and software are outside the scope of this SOW.

18. Customer Responsibilities

Customer agrees to be bound by and comply with the Customer Responsibilities listed at https://synivate.com/client-responsibilities.

19. Out-of-Scope Issues

Upon request of Customer, Synivate may provide services on a Time & Materials ("T&M") basis. T&M is a method of engaging Synivate that allows Customer to utilize a variety of Synivate technical resources on an as-needed basis. With a T&M engagement, Customer is not purchasing a fixed set of deliverables, but instead is purchasing time on an as-used basis. The work performed during the resource's time is governed by the expressed requirements of Customer, and Synivate makes no warranty or guarantees beyond "reasonable endeavors" and "best efforts."

All actual hours used by the Customer will be billed according to the details and rates at https://synivate.com/rate-card.