Service Agreement
This Service Agreement (“Agreement”) is executed by and between (“CLIENT”) and Zeneth Technology Partners (ZenOpz), and the terms and provisions of the Agreement are incorporated by this reference and govern the Services specified herein.
1. Statement of Work
In executing these requirements, ZenOpz will implement its proposed technology against the following specific business processes:
• Log monitoring of CLIENT’s endpoints, cybersecurity devices, applications (to include firewalls and routers), and other devices operating on the CLIENT’s TCP/IP networks and subnets; and
• Vulnerability scanning of CLIENT endpoints, cybersecurity devices, applications (to include
firewalls and routers), and other devices operating on the CLIENT’s TCP/IP networks and subnets.
To meet these requirements, ZenOpz will provide a pre-configured security appliance and the necessary software (collectively, the “Security Appliance”) to be installed by the CLIENT on its networks that will connect back to the ZenOpz monitoring network automatically upon installation, and immediately commence reporting and relaying information from the CLIENT’s network. Upon the completion of installation of the Security Appliance on the CLIENT’s network, three actions will occur within 24 hours:
• All visible TCP/IP data from the CLIENT’s logs will be checked against the ZenOpz proprietary threat intelligence system and any results will be reported back to the CLIENT via their selected mechanism (email or text message). The customer will continue to receive such email/text message reports at the requested frequency as well as via a weekly report.
• ZenOpz will review all log data delivered to it from the CLIENT network for indicators of compromise within the CLIENT’s equipment. Any results will be reported back to the CLIENT via their selected communication preference (email or text message). All devices visible to the security appliance will be scanned for existing vulnerabilities and configuration issues that increase the risk of a successful cybersecurity attack against the CLIENT’s network. The results will be reported back to the CLIENT via email upon the successful completion of the scan.
Once the installation and initiation of the Security Appliance has been successfully completed, the CLIENT will receive the following on an ongoing basis:
1. All alerts considered “high” or “critical” will be transmitted to the CLIENT within 1 hour of detection of the alert by ZenOpz, via email or text at the CLIENT’s discretion.
2. A weekly report will be sent, summarizing the events of the week specific to:
a. Detected security incidents;
b. Detected security vulnerabilities from the weekly vulnerability scan;
c. Comparison of the CLIENT’s data versus an aggregate of similar CLIENT data (as collected over time); and
d. Complete reporting supporting security incidents and security vulnerabilities to include:
i. Detailed summaries of any issue;
ii. Recommended security patches; and
iii. Resources for additional information. ZenOpz will conduct a 2-phase assessment (“360 Assessment”) of the CLIENT’s network using data collected by the Security Appliance and information provided by the CLIENT. Upon completion of Phase 1 of the 360 Assessment, ZenOpz will provide the CLIENT with a High-Level Security Posture Report, which will contain an inventory of the devices in their network, identification and definition of their operating system, and a report of the vulnerabilities that currently exist in their environment. Upon completion of Phase 2 of the 360 Assessment, ZenOps will provide the CLIENT with a Threat Profile Report which will include the CLIENT’s threat profile as well as a comparison of their organization’s security posture to that of a similar organization.
2. Pricing
All pricing will be for the term of the Agreement unless modified by agreement of both ZenOpz and the CLIENT. Additional ZenOpz services may be added to the program with the agreement of both parties. Additional pricing will be negotiated at the time the additional services are added to the program.
Table 2.1
| Item or Service | Short Description | Conditions / Requirements | Price | Total Price | Term |
|---|
| [Starter Level] | Security Appliance, the Managed Security Services, and reports defined in section 3.0 | A single Security Appliance provided by ZenOpz to be used for 50 or fewer endpoints | Price is all inclusive and includes the Security Appliance | $69.99 per month | 12 months |
If the services require an updated Security Appliance (typically every 3 years), the new Security Appliance will be configured and shipped to the CLIENT at a cost $79.00 along with all necessary support to configure the new Security Appliance.
3. Deliverables and Reports ZenOpz deliverables include one (1) Security Appliance, security monitoring services as described above, and the reports (“Reports”) outlined in the Table 3.1 below.
Table 3.1 - Reports
| Item | Description | Submt To | Due Date (in Business Days (BD) | Quantity/Format |
|---|
| 1. | Alerts:- Vulnerability
- Log based alert
- Pierce Threat Intelligence
| CLIENT POC | As required by events | In an editable electronic form |
| 2. | Weekly report | CLIENT POC | Weekly | In an editable electronic form |
| 3. | A description of the ZenOpz security appliance for under 50 endpoints to include:- Hardware description
- Software description
- Installation directions
- FAQ
| CLIENT POC | Delivered prior to the initialization of the service and updated quarterly concurrent with the device change control processes. | In an editable electronic form |
4. Definitions and Descriptions Managed Security Services Basic Descriptions, Limitation of Liability
1. ZenOpz Managed Security Services (MSS) are designed to provide the CLIENT with the capability to fully outsource information security needs and requirements as defined. ZenOpz MSS leverages the security tools and processes customers already have in place and supplements existing capabilities with established security processes and controls. The services described herein will be delivered from the ZenOpz Security Operations center and by designated appliances located on the CLIENT’s site and in cloud environments. In the event of expected or unexpected downtime impacting the level or quality of service, the CLIENT will be notified immediately. Details related to Service Levels are listed in Exhibit A - Service Levels.
2. Security Intelligence Monitoring Service provides the CLIENT with IP/Traffic, for the purpose of determining threats, risks or issues specific to their organization. Emergent issues such as connecting with a known bad IP address, identifying exposed credentials or organization specific data, will result in the CLIENT’s point of contact receiving notification by their preferred method of communication (email or text message). All threat intelligence information will be periodically reported in accordance with the CLIENT’s reporting package.
3. Log Monitoring and Reporting Service provides the CLIENT with endpoint, server and application log monitoring in accordance with their selected service package. Emergent issues that are considered “critical” or “high”, such as identifying exposed credentials or uncontrolled organization specific data, will result in the CLIENT’s point of contact receiving a notification from ZenOpz via the CLIENT preferred method of communication (email or text). All monitoring services are performed 24x7x365. ITEM DESCRIPTION SUBMIT TO DUE DATE (in Business Days (BD) QUANTITY/ FORMAT
1. Alerts:
• Vulnerability
• Log based alert
• Pierce Threat Intelligence CLIENT POC As required by events In an editable electronic form
2. Weekly report CLIENT POC Weekly In an editable electronic form
3. A description of the ZenOpz security appliance for under 50 endpoints to include:
• Hardware description
• Software description
• Installation directions
• FAQ CLIENT POC Delivered prior to the initialization of the service and updated quarterly concurrent with the device change control processes.
In an editable electronic form
4. Vulnerability Scanning and Reporting Service provides the CLIENT with network-wide identification and detection of weaknesses potentially impacting network service capabilities. All identified vulnerabilities will be reported to the CLIENT with recommended remediation approaches. Any vulnerabilities found during routine scanning will also be reported to the CLIENT per their established reporting regimen.
5. By employing ZenOpz MSS, the CLIENT recognizes that ZenOpz is no way responsible for a breach, loss of data, business disruption, or any other damages resulting from a security incident involving the CLIENT’s IT environment. During the period in which the CLIENT employs ZenOpz, no ZenOpz products or services should be used on any other network or endpoint other than those of the CLIENT. The CLIENT also recognizes that the MSS and the Security Appliance described herein may not be supported by the CLIENT’s existing network architecture, or in the case that they are supported, some features may not be available, dependent on CLIENT’s network architecture.
General Business Terms
A. Services.
The services provided by Zeneth Technology Partners ("ZenOpz") under the Statement of Work to which these terms are attached may include advice and recommendations, but ZenOpz will not make any decisions on behalf of the CLIENT in connection with the implementation of such advice and recommendations.
1. Payment of invoices.
The CLIENT will compensate ZenOpz under the terms of the Agreement for the Services performed and expenses incurred, through the term or effective date of termination of this Agreement. ZenOpz invoices are due on Net 30 terms. If payment is not received within sixty (60) days of receipt of an invoice, (a) such invoice shall accrue a late charge equal to the lesser of (i) 1½% per month or (ii) the highest rate allowable by law, in each case compounded monthly to the extent allowable by law, and
(b) ZenOpz may also suspend or terminate the Services. The CLIENT shall be responsible for any taxes imposed on the Services or on this Agreement, other than taxes imposed by employment withholding for ZenOpz personnel or on ZenOpz income or property.
2. Term.
Unless terminated sooner, as set forth below, this Agreement shall terminate upon the completion of the Services. Either party may terminate this Agreement, with or without cause, by giving thirty (30) days prior written notice to the other party. In the event of a termination for cause, the breaching party shall have the right to cure the breach within the notice period. ZenOpz may terminate this Agreement upon written notice to the CLIENT if ZenOpz determines that the performance of any part of the Services would be in conflict with law, independence or professional rules.
3. Deliverables
a) ZenOpz has rights in, and may, in connection with the performance of the Services, use, create, modify, or acquire rights in works of authorship, materials, information, and other intellectual property (collectively, "ZenOpz").
b) Upon full payment to ZenOpz hereunder, and subject to the terms and conditions contained herein, (i) the tangible items specified as deliverables or work product in the Agreement (the "Deliverables") shall become the property of the CLIENT, and (ii) ZenOpz hereby grants the CLIENT a royalty-free, fully paid-up, worldwide, nonexclusive license to use ZenOpz. Except for the foregoing license grant, ZenOpz or its licensors retain all rights in and to ZenOpz.
4. Limitation on Warranties.
This is a Services Agreement. ZenOpz warrants that it shall perform the Services in good faith and with due professional care. ZENOPZ DISCLAIMS ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
5. Limitation on Damages and Indemnification.
a) ZenOpz, its subsidiaries and subcontractors, and their respective personnel shall not be liable to the CLIENT for any claims, liabilities, or expenses relating to this Agreement ("Claims") for an aggregate amount in excess of the fees paid by the CLIENT to ZenOpz pursuant to this Agreement, except to the extent resulting from bad faith, or intentional misconduct of ZenOpz or its subcontractors. In no event shall ZenOpz, its subsidiaries or subcontractors, or their respective personnel be liable to the CLIENT for any loss of use, data, goodwill, revenues, or profits (whether or not deemed to constitute a direct Claim), or any consequential, special, indirect,incidental, punitive, or exemplary loss, damage, or expense relating to this Agreement.
b) The CLIENT shall indemnify and hold harmless ZenOpz, its subsidiaries and subcontractors, and their respective personnel from all Claims, except to the extent resulting from gross negligence, bad faith, or intentional misconduct of ZenOpz or its subcontractors.
c) In circumstances where any limitation on damages or indemnification provision hereunder is unavailable, the aggregate liability of ZenOpz, its subsidiaries and subcontractors, and their respective personnel for any Claim shall not exceed an amount that is proportional to the relative fault that the conduct of ZenOpz and its subcontractors bears to all other conduct giving rise to such Claim.
6. CLIENT Responsibilities.
The CLIENT shall cooperate with ZenOpz in the performance of the Services, including providing ZenOpz with reasonable facilities and timely access to data, information, and personnel of the CLIENT. The CLIENT shall be solely responsible for, among other things (a) the performance of its personnel and agents, (b) the accuracy and completeness of all data and information provided to ZenOpz for purposes of the performance of the Services, (c) making all management decisions and performing all management functions, (d) designating a competent management member to oversee the Services, (e) evaluating the adequacy and results of the Services, and (f) accepting responsibility for the results of the Services. ZenOpz performance is dependent upon the timely and effective satisfaction of the CLIENT's responsibilities hereunder and timely decisions and approvals of the CLIENT in connection with the Services. ZenOpz shall be entitled to rely on all decisions and approvals of the CLIENT.
7. Force Majeure.
Neither party shall be liable for any delays or nonperformance directly or indirectly resulting from circumstances or causes beyond its reasonable control, including fire, epidemic or other casualty, act of God, strike or labor dispute, war or other violence, or any law, order, or requirement of any governmental agency or authority.
8. Limitation on Actions.
No action, regardless of form, relating to this Agreement, may be brought by either party more than one year after a party learns of the facts giving rise to a cause of action has accrued, except that an action for nonpayment may be brought by a party not later than one year following the due date of the last payment owing to the party bringing such action.
9. Independent Contractor.
Each party hereto is an independent contractor and neither party is, nor shall be considered to be, nor shall purport to act as, the other's agent, partner, fiduciary, joint venturer, or representative.
10. Confidentiality and Internal Use.
a) All Services and Deliverables shall be solely for the CLIENT's benefit and are not intended to be relied upon by any person or entity other than the CLIENT. The CLIENT shall not disclose the Services or Deliverables or refer to the Services or Deliverables in any communication, to any person or entity except (i) as specifically set forth in the Agreement, or (ii) to the CLIENT's contractors solely for the purpose of their providing services to the CLIENT relating to the subject matter of this Agreement, provided that such contractors comply with the restrictions on disclosure set forth in this sentence. The CLIENT, however, may create its own materials based on the content of such Services and Deliverables and use and disclose such CLIENT-created materials for external purposes, provided that the CLIENT does not in any way, expressly or by implication, attribute such materials to ZenOpz or its subcontractors.
b) To the extent that, in connection with this Agreement, either party (each, the "receiving party") comes into possession of any confidential information of the other (the "disclosing party"), it will not disclose such information to any third party without the disclosing party's consent, using at least the same degree of care as it employs in maintaining in confidence its own confidential information of a similar nature, but in no event less than a reasonable degree of care. The disclosing party hereby consents to the receiving party disclosing such information: (i) asexpressly permitted in the Agreement; (ii) to subcontractors, whether located within or outside of the United States, that are providing services in connection with this Agreement and that have agreed to be bound by confidentiality obligations similar to those in this Section ll (b); (iii) as may be required by law, regulation, judicial or administrative process, or in accordance with applicable professional standards or rules, or in connection with litigation or arbitration pertaining hereto; or (iv) to the extent such information (a) is or becomes publicly available other than as the result of a disclosure in breach hereof, (b) becomes available to the receiving party on a nonconfidential basis from a source that the receiving party believes is not prohibited from disclosing such information to the receiving party, (c) is already known by the receiving party without any obligation of confidentiality with respect thereto, or (d) is developed by the receiving party independently of any disclosures made to the receiving party hereunder. Nothing in this Section ll (b) shall alter the CLIENT's obligations under Section ll (a). ZenOpz, however, may use and disclose any knowledge and ideas acquired in connection with the Services to the extent they are retained in the unaided memory of its personnel.
11. Survival and Interpretation.
All provisions that are intended by their nature to survive performance of the Services shall survive such performance, or the expiration or termination of this Agreement. No affiliated or related entity of ZenOpz, or such entity's personnel, shall have any liability hereunder to the CLIENT and the CLIENT will not bring any action against any such affiliated or related entity or such entity's personnel in connection with this Agreement. Without limiting the foregoing, such affiliated and related entities are intended third-party beneficiaries of these terms and may in their own right enforce such terms. Each of the provisions of these terms shall apply to the fullest extent of the law, whether in contract, statute, tort (such as negligence), or otherwise, notwithstanding the failure of the essential purpose of any remedy. Any references herein to the term "including" shall be deemed to be followed by "without limitation."
12. Assignment and Subcontracting. Except as provided below, neither party may assign any of its rights or obligations hereunder (including interests or Claims) without the prior written consent of the other party. The CLIEN hereby consents to ZenOpz subcontracting any portion of the Services to any affiliate or related entity, whether located within or outside of the United States. Services performed hereunder by ZenOpz subcontractors shall be invoiced as professional fees on the same basis as Services performed by ZenOpz's personnel unless otherwise agreed.
13. Waiver of Jury Trial. THE PARTIES HEREBY IRREVOCABLY WAIVE, TO THE FULLEST EXTENT PERMITTED BY LAW, ALL RIGHTS TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR COUNTERCLAIM RELATING TO THIS Agreement.
14. Non-exclusivity.
ZenOpz may (a) provide any services to any person or entity, and (b) develop for itself, or for others, any materials or processes, including those that may be similar to those produced as a result of the Services, provided that ZenOpz complies with its obligations of confidentiality set forth hereunder.
15. Non-solicitation.
During the term of this Agreement and for a period of one (1) year thereafter, each party agrees that its personnel (in their capacity as such) who had substantive contact with personnel of the other party in the course of this Agreement shall not, without the other party's consent, directly or indirectly employ, solicit, engage, or retain the services of such personnel of the other party. In the event a party breaches this provision, the breaching party shall be liable to the aggrieved party for an amount equal to thirty percent (30%) of the annual base compensation of the relevant personnel in his or her new position. Although such payment shall be the aggrieved party's exclusive means of monetary recovery from the breaching party for breach of this provision, the aggrieved party shall be entitled to seek injunctive or other equitable relief. This provision shall not restrict the right of either party to solicit or recruit in the media.
16. Entire Agreement, Amendment, and Notices.
These terms, and the Agreement, including attachments, constitute the entire agreement between the parties with respect to this Agreement; supersede all other oral and written representations, understandings, or agreements relating, to this Agreement; and may not be amended except by a written agreement signed by the parties. In the event of any conflict or ambiguity between these terms and the Agreement, these terms shall control. All notices hereunder shall be (a) in writing; (b) delivered to the representatives of the parties at the addresses set forth in the Agreement, unless changed by either party by notice to the other party; and (c) effective upon receipt.
17. Governing Law, Jurisdiction and Venue, and Severability.
These terms, the Agreement, including attachments, and all matters relating to this Agreement shall be governed by, and construed in accordance with, the laws of the Commonwealth of Virginia (without giving effect to the choice of law principles thereof). Any action based on or arising out of this Agreement or the Services shall be brought and maintained exclusively in any state or federal court, in each case located in Fiarfax County, Commonwealth of Virginia. Each of the parties hereby expressly and irrevocably submits to the jurisdiction of such courts for the purposes of any such action and expressly and irrevocably waives, to the fullest extent permitted by law, any objection that it may have or hereafter may have to the laying of venue of any such action brought in any such court and any claim that any such action has been brought in an inconvenient forum. If any provision of these terms or the Agreement is unenforceable, such provision shall not affect the other provisions, but such unenforceable provision shall be deemed modified to the extent necessary to render it enforceable, preserving to the fullest extent permissible the intent of the parties set forth herein.
Exhibit A – Service Levels
1. Service Level Agreements (SLAs)
ZenOpz is a provider of Managed Security Services for small and mid-sized businesses. ZenOpz provides these SLAs in order to demonstrate its ongoing commitment to provide top quality security service offerings for our customer’s needs.
1. ZenOpz provides these SLAs subject to the terms and conditions of the then current ZenOpz service agreement asnd may be updated by ZenOpz from time to time as agreed to by the CLIENT.
2. In order to receive a Service Credit under any of these SLAs, the CLIENT must make a credit request via email within thirty (30) days of the occurrence of the breach in service levels (or earlier if specifically set forth below). The CLIENT must also promptly provide ZenOpz with evidence as reasonably requested by ZenOpz of the SLA violation subject to the Service Credit request. A “Service Credit” entitles the CLIENT to the free use of the affected ZenOpz provided services for the time period set forth in the applicable SLA.
3. Credits for any CLIENT problems with the Managed Security Services will be provided under a single SLA for a single claim, with the SLA that the claim is based upon determined by the CLIENT. One claim cannot result in Service Credits under multiple SLAs.
4. The SLAs will not apply to situations where:
• The Security Appliance is incorrectly configured by the CLIENT.
• The CLIENT provides incorrect configuration information to ZenOpz. • ZenOpz is performing scheduled or routine maintenance of the Security Appliance, where the CLIENT has been notified of the maintenance no less than five (5) days in advance.
• The CLIENT’s applications or equipment or Internet connection has failed through no fault of ZenOpz.
• The CLIENT has exceeded the number of network device as set forth in Table 2.1 above.
• The failure of the SLA is based on reasons beyond ZenOpz’s reasonable control as set out in the ZenOpz Agreement.
5. The remedies set forth in these SLAs are CLIENT’s sole and exclusive remedy for any failure by ZenOpz to comply with the SLAs.
2. SLAs for CLIENT Services
2.1. Log Monitoring.
• For 95% of all identified logs processed, automated alerts generated by the ZenOpz security intelligence platform will be delivered to the CLIENT via their selected/ backup means of communication or the CLIENT portal as a ticket within 30 minutes of the initial report.
2.2. Vulnerability Scanning Service
• The vulnerability scanning service will be available 99.99% of the time, as calculated on a monthly basis.
• For Vulnerability Scanning, “Service Unavailability” means the inability of the vulnerability scanning service to scan and transmit reports in a seven-day period from the last successful vulnerability scan of the environment unless impacted by a declared maintenance window.
• In the event of Service Unavailability for more than 0.01% of any calendar month, following a request submitted by the CLIENT in accordance with Section 1 above, ZenOpz will credit the CLIENT with one day’s Service Credit for each week of Service Unavailability, subject to a maximum credit of five (5) days in any one month.
