MSA & Terms of use
HTG 360 provides managed security monitoring, security operation center as a service, managed detection and response services, and other managed services to help clients manage and defend their technology operations (the “Managed Services”).
Client wishes to engage HTG 360 to provide Managed Services.
HTG 360 and Client therefore agree as follows:
ARTICLE ONE: MANAGED AND PROFESSIONAL SERVICES
1.1 Services. Under the terms of this MSA, Client may choose to purchase Managed Services, as specified on an MS SOW, or Professional Services, as specified on a PS SOW. An initial MS SOW is attached hereto as Exhibit A.
1.2 HTG 360 Personnel. HTG 360 shall provide the necessary skilled personnel to render agreed-upon Managed Services as well as proprietary and third-party software solutions. HTG 360 reserves the right to utilize such personnel and software as it deems proper, subject to Client’s right to request a change in assigned personnel for good cause. HTG will appoint a Project Manager, responsible for administering this agreement, interfacing with Client, attending weekly update calls, delivering agreed reports, overseeing HTG 360 staff, and managing incident response.
1.3 Client Staffing/Support. Client shall designate a Security Manager, primarily responsible for interfacing with HTG 360 and overseeing incident response. Client shall support the Managed and Professional Services hereunder in all reasonable, technical, administrative, and commercial ways so as to facilitate provision of useful services hereunder.
1.4 Invoicing. HTG 360 fees for Managed Services typically involve either a Fixed-Price Fee per month, or Time and Materials, or a combination of both, as defined in each MS SOW. Invoices will issue at the end of each month for professional service or at the beginning of each month/quarter/bi-annual/annual for managed services, or a combination of both and must be paid within twenty (20) days of issuance. Client must report any objection to or deficiencies in the Managed or Professional Services within thirty (30) days of the date that such deficiencies were reasonably discoverable by Client.
ARTICLE TWO: HARDWARE AND SOFTWARE
2.1 Hardware/Software Orders. From time to time, as specified in separate Sales Proposals, HTG 360 may offer to quote and then sell third party hardware and/or software to Client. Any Sales Proposal from HTG 360 for such sales shall be considered an offer and shall be accepted when Client: (i) signs and returns the Sales Proposal, or otherwise confirms its acceptance of same in form accepted by HTG 360, (ii) accepts delivery of such products, or (iii) issues a purchase order accepted by HTG 360.
2.2 Shipment. Such products will primarily ship, or be delivered electronically by the manufacturer or vendor of the products. Risk of loss generally will pass to the Client when such products leave the shipping point.
2.3 Returns. Returns shall be subject to prior authorization by HTG 360 for acknowledged damage, breach of warranty, erroneous delivery, and, in some cases, upgrades.
2.4 Warranty. Warranties on third party hardware and software are provided exclusively by the manufacturer or vendor and shall pass to Client upon acceptance.
ARTICLE THREE: IMPLEMENTATION
After this Agreement is fully executed, HTG 360 (360 SOC) and Client will reach a mutual agreement on scheduling the engagement (the “Commencement Date”). Once the Commencement Date for Managed Services has been mutually agreed upon, changes by the Client will incur a $2,500 re-scheduling fee.
ARTICLE FOUR: FEE AND PRICING ASSUMPTIONS
Fees are set forth on the respective MS SOW and PS SOW subject to these provisions:
- Fees may be adjusted mid-term based upon material changes to the number of monitored endpoints (any device with installed software, workstations, servers, or firewalls (Laptops, Desktops, Servers, Controllers and Firewalls to name a few) that are directly sending or transferring data (log collection) within a 30 day period within the client environment).
- Travel expenses will be billed separately, subject to Client’s prior travel authorization. Travel charges will be billed at actual incurred expense.
- T&M Standard Billing Rate: HTG 360’s current standard hourly rate is $333.00 per hour. Time will be billed at a minimum charge of 1 hour and in .25 hour increments thereafter. Involved projects will be the subject of a separate PS SOW.
- Client will remain responsible for balance of term on Licensing and Appliances expense if this agreement is cancelled for any reason.
- Client must maintain OEM or other acceptable Maintenance and Support Contracts on all items supported by HTG.
- Failure resulting in the need to recover or replace configuration will be billed at T&M.
- Early Termination Penalty is equal to 100% of the remaining contractual balance and any outstanding T&M.
- An implementation charge equal to one month’s recurring charge is due upon acceptance on all Managed Services and Managed Security Services.
- Invoices billed and due Annually in Advance.
- Client claims liability to any taxes or surcharges that may be implemented by their residing state, territory or country, relieving Horizon Technology Group of any tax liability, not limited to sales tax, international duty or any other additional expense implemented.
ARTICLE FIVE: HTG 360 RESPONSIBILITIES
5.1 Non-Infringement. HTG 360 warrants that its Managed Services, to the best of its knowledge, do not infringe on the intellectual property rights of any third-party.
5.2 Industry Standard. HTG 360 warrants that its Managed and Professional Services provided hereunder will be performed in a manner consistent with the standards and the general customs and practices of the industry.
5.3 Data Protection. HTG 360 warrants that it will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Client Data.
ARTICLE SIX: CLIENT RESPONSIBILITIES
6.1 Systems Configuration. Client warrants that its systems are and will be configured properly to best practices and operating properly at start date, including with sufficient hardware and reasonably up-to-date software. Client further warrants that it will maintain backup and patching systems sufficient for ongoing operations. HTG 360 work to correct or remediate systems will be billed at T&M rates.
6.2 Access. Client will allow reasonable access to its systems, including allowing e-mail alerts to HTG 360 (or its technologies, e.g., ticketing system) from managed technologies. Client will also allow HTG 360 to export system and security alert meta-data, as specified from time to time by HTG 360, to HTG 360’s monitoring platform to allow HTG 360 to detect threats, improve reporting, and maintain the security and health of the environment. Alert meta-data includes: public domain threat intelligence indicators, alert urgency, alert name, alert creation date, alert status transition times and alert status. Alert meta-data will be transmitted using TLS 1.2 or higher over the HTTPS protocol. If Client does not purchase managed backend service, Client will be responsible for onboarding to HTG 360 any data reasonable and necessary, as requested, for HTG 360 to complete its work. Client will provide access to its physical operation and key personnel as necessary.
6.3 Escalation Submissions. Client will submit security escalations or helpdesk requests using the HTG 360 Security FRESHDESK Service Desk (or other system as specified from time to time). Client will make its personnel available for any necessary training to ensure proper and efficient use of the system.
ARTICLE SEVEN: SCOPE LIMITATIONS
Unless specifically agreed upon, the scope of this engagement will not include an e-commerce website or websites that batch PCI related transactions and will not permit Client access to internal HTG IT Service teams, system or data.
ARTICLE EIGHT: ACKNOWLEDGMENTS, LIMITATION OF LIABILITY
8.1 Acknowledgment. HTG 360’s Managed Services are reliant on third-party software that may not always be available or which may not always provide timely information to HTG 360 regarding any security threat. Such Managed Services depend in part upon proper logging of all data by Client necessary to evaluate global risks. It is not possible to identify all risks, in part due to low frequency and/or latency.
8.2 No Refund. Because HTG 360’s services could not reasonably be expected to identify and avert every possible threat, Client shall not be entitled to any refund, rebate, discount, or any other financial remuneration for any threat not identified and/or evaluated by HTG 360.
8.3 Client Risk. Client assumes risk of failure or loss of service based on security threats as a normal and unavoidable risk of doing business. HTG 360 will do its best to mitigate these risks. And HTG 360 will also be available, at T&M, to help remediate any incident.
8.4 LIABILITY LIMITATION. APART FROM DAMAGES OR LIABILITY ARISING OUT OF OR RELATED TO A BREACH OF THE TERMS AND COVENANTS CONTAINED IN THIS AGREEMENT, CLIENT’S SOLE AND EXCLUSIVE REMEDY FOR ANY MATERIAL BREACH OF ANY PROVISION OF THIS AGREEMENT OR FOR ANY WARRANTY SHALL NOT, UNDER ANY CIRCUMSTANCES, EXCEED THE AMOUNT ALREADY PAID BY THE CLIENT FOR MANAGED SERVICES WITHIN THE ONE YEAR PRIOR TO ANY SUCH BREACH. IN NO EVENT SHALL HTG 360 BE LIABLE FOR ANY LOST REVENUES OR LOST PROFITS, OR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES OF ANY NATURE WHATSOEVER. THIS DAMAGE EXCLUSION IS INDEPENDENT OF ANY REMEDIES PROVIDED FOR HEREIN.
8.5 WARRANTY DISCLAIMER. EXCEPT TO THE EXTENT EXPRESSLY PROVIDED IN THIS AGREEMENT, HTG 360 DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. HTG 360 DISCLAIMS RESPONSIBILITY FOR WARRANTIES FOR THIRD PARTY SOFTWARE WHICH SHALL BE THE SOLE OBLIGATION OF THE THIRD-PARTY SOFTWARE VENDOR.
ARTICLE NINE: PAYMENT TERMS
HTG 360 invoices are due net twenty (20) days from date of invoice. Accounts not paid within these terms are subject to a 2% monthly finance charge. Invoices will be e-mailed to the “bill to” contact as specified from time to time by the Client.
ARTICLE TEN: EXPORT COMPLIANCE
10.1 Compliance. Client understands and acknowledges that United States law and, in particular, the United States Export Administration Regulations (“EAR”) may govern the sale, export or other disposition of products and related technical data that are the subject of this Agreement. Client therefore agrees to adhere to all provisions of the EAR and the terms, conditions, required procedures, and documentation of any export licenses or other approvals issued for such products and related technical data. Specifically, Client agrees that it will not participate in the transfer by any means of any products or technical data acquired from Company: (i) in violation of the EAR or any order or license issued under its provisions, or (ii) with the knowledge or with reason to know that a violation of the EAR, an order or a license has occurred, is about to occur, or is intended to occur with respect to any such Product or technical data.
10.2 Violations. HTG 360 shall be relieved of all obligations to Client and HTG 360 shall be entitled to terminate this Agreement immediately if Client violates the EAR or the provisions of any export license or approval, or if such export licenses or approvals are not issued, are suspended or revoked by the United States Government.
ARTICLE ELEVEN: CONFIDENTIALITY; NON-SOLICITATION
11.1 During the Term of this Agreement, and to serve its purposes, each Party may disclose to or make available to the other Party certain confidential information. Neither Party will use such information for any purpose other than to carry out this Agreement. Neither Party shall make any such information it receives, or receives access to, available to any person except its own employees and contractors for the sole purpose of carrying out the provisions of this Agreement, and MS SOWs and PS SOWs hereunder. Except as required by law or in response to a lawful subpoena, the Parties will not, at any time, during or at any time after the term of this Agreement, in any fashion, form or manner, either directly or indirectly, divulge, disclose or communicate to any person, firm, or corporation in any manner whatsoever any information of any kind, nature or description concerning any matters relating to each other’s business, including, but not limited to, names of employees, its manner of operation, the nature or descriptions of its plans, processes or data of any kind. This confidentiality commitment does not apply to information in the public domain at the time of disclosure, or which is or becomes publicly available without breach of the Agreement, or which is otherwise already known to the Parties receiving it at the time of disclosure.
ARTICLE TWELVE: IP OWNERSHIP / RESPONSIBILITY
12.1 IP Rights/Use. HTG 360 has and shall have sole and exclusive ownership of all rights, title, and interest in and to the intellectual property associated with the provision of its Managed Services (including all trade secrets, copyrights, and other intellectual property stemming or arising therefrom). HTG 360 shall also have the right to further exploit any work product stemming from its provision of Professional Services to Client. Client shall have the right to use and exploit for its own internal use only any Professional Service deliverable provided by HTG 360.
12.2 License. To the extent in connection with Managed or Professional Services provided hereunder HTG 360 makes available to Client any third party software, Client agrees that it shall only use such software in conjunction with the natural intended purpose of such Services. Client acknowledges that it is prohibited from engaging in, causing, assisting or permitting, the reverse engineering, disassembly, translation, adaption or recompilation of any such Services or third party software for the benefit of others. Client also shall not attempt to obtain or create the source code from the object code of any such software provided to it pursuant to the Agreement, unless expressly permitted to do so by HTG 360. Client agrees that it will not use the Managed or Professional Services offered by HTG 360 hereunder for any illegal purpose or activity.
12.3 Client IP. Client shall retain ownership of the entire right, title and interest in and to all materials, data and information provided by Client to HTG 360 in connection with its work under this Agreement, including all derivative works of such materials, data, and information, including without limitation, all Client data and Client confidential information. No ownership right or interest in such materials, data, or information is transferred from Client to HTG 360.
ARTICLE THIRTEEN: TERM, TERMINATION, AND BREACH
13.1 Term. The term of this Agreement is for 36 Months and shall commence upon the execution of this Agreement and shall continue in full force and effect until the earlier of (i) the date that all obligations of the Parties hereunder, and under any related MS SOW or PS SOW or Sales Proposal are completed; or (ii) either party terminates pursuant to the terms set forth below.
13.2 Termination for Convenience. Either Party may terminate this Agreement on not less than sixty (60) days written notice to the other Party.
13.3 Breach. Upon breach, the aggrieved Party shall give written notice of such breach and thirty (30) days to cure such breach. Absent cure, the aggrieved Party may thereafter terminate this Agreement, with immediate effect.
13.4 Termination, Specific Cases. Either Party may terminate on fifteen (15) days’ notice if the other party ceases doing business as a going concern, makes a general assignment for the benefit of creditors, or files a voluntary petition for bankruptcy under Chapter 7 of the Bankruptcy Code.
13.5 Transition Assistance. Following termination, HTG 360 shall provide Client such reasonable transition assistance, subject to advance deposit for reasonable professional services fees, as may be requested by Client.
13.6 Automatic Renewal. The term of this agreement will automatically renew thereafter if written notice to terminate has not been received not less than sixty (60) days prior to expiration of the term of this agreement.
ARTICLE FOURTEEN: MISCELLANEOUS
14.1 Assignment. Neither Party’s rights or obligations hereunder may be assigned without prior written consent of the other Party, in its reasonable discretion, except in case of assignment to a successor in interest of such Party’s entire business.
14.2 Force Majeure. HTG 360 (360 SOC) shall not be liable for any delays in the performance of any of its obligations hereunder due to causes beyond its reasonable control, including, but not limited to, third-party software failures, fire, strike, war, riots, acts of civil or military, judicial actions, acts of God, or any other casualty or natural calamity.
14.3 Entire Agreement. This Agreement represents the entire understanding of the Parties with respect to its subject matter, and supersedes and extinguishes all prior oral or written communications between the Parties about its subject matter. Any Client order or similar document which may be issued with this Agreement does not modify this Agreement, and in case of conflict, this Agreement shall control. No modification of this Agreement will be effective unless it is in writing and is signed by each Party.
14.4 No Third Party Beneficiaries. The provisions of this Agreement are for the sole and exclusive benefit of the Parties hereto and will not be construed as conferring any rights on any third party. No third party shall be presumed to be a third-party beneficiary of this Agreement.
14.5 Independent Contractor/No Agency, Partnership. HTG 360 provides services to Client hereunder as an independent contractor and neither it nor its employees or agents shall be deemed to be employees or agents of Client.
14.6 Governing Law. This Agreement shall be governed by and construed in accordance with the internal laws of the state of Arizona and jurisdiction.
14.7 Arbitration. Any dispute arising out of or related in any way to this Agreement, or any MS SOW or PS SOW hereunder, shall be resolved by binding arbitration before a single arbitrator in Phoenix, Arizona.
14.8 Notices. Notices will be effective either upon delivery by Federal Express or other overnight service or two business days after confirmed delivery by email care of the following:
Horizon Technology Group Inc. dba HTG 360, 360 SOC
7227 N 16th Street
Suite 217
Phoenix, AZ 85020
Attn: Legal Department
Email: info@360soc.com
Managed Services
Statement of Work #1
- HTG 360 Managed Services.
- Security Review: Search for anomalies with daily reviews of Client’s managed environment. By review of alerts and dashboards, identify potentially malicious activity. Filter false positives, investigate potential threats, and escalate valid security incidents according to Escalation Plan.
- Security Rule Tuning: Tune Client’s environment to reduce false positives and increase coverage.
- Notable Event Investigation: Perform a first level investigation before escalation.
- Security Use Case Development: Use managed platform to identify and communicate security incidents to Client; adjust notification procedures as needed.
- Availability.
- Business Day Coverage: Managed Services are provided, in full, between the hours of 8am and 8pm EST Monday through Friday (excepting holidays). Events occurring outside of these hours will be captured and reviewed during standard hours.
- 24x7x365: For critical security events only.
- Service Level Objectives.
- Analyst shall evaluate security events according to their urgency designations.
- Investigations commence when the analyst reviews the triggered event.
- Evaluations are focused on identifying severity level and ruling out false positives.
- Severity levels are classified as High, Medium, or Low according to the following general standards:
  - High/Critical Impact: Security event(s) that constitutes a breach or has high likelihood of material business disruption/high impact on assets, user. Examples:
    - Ransomware.
    - Large scale malware outbreak.
    - Phishing campaign.
    - Confidential data exfiltration.
  - Medium Impact: Security event(s) that has the potential to cause material disruption or damage. Examples:
    - Denial of Service (DoS) attack.
    - Advanced Persistent Threat (APT) activity.
    - Unauthorized access attempts.
    - Network intrusion detection alerts.
    - Misconfigured systems or applications.
  - Low Impact: Security event(s) that poses potential or limited risk. Examples:
    - Spam or unsolicited emails.
    - Failed login attempts.
    - Network traffic anomalies.
    - Outdated software or systems.
    - Minor policy violations or non-compliance issues.
- Severity level in turn informs goal and maximum response times as follows:
*Not all configuration, performance, or software risks can be identified. Ability to meet the Service Level Objectives may depend on systems and software outside of HTG 360 control.
- Platform Details.
- HTG 360 uses the SOAR platform powered by 360SOC-SOAR to collect, analyze, distribute and share threat indicators, including providing access to SOC customers.
- Support.
- HTG 360 generally provides support remotely.
- Reporting and communications through platform.
- Request submissions by Clients through GUI or through portal at htg360.com.
- Reporting.
- Weekly Alert Triage Report
- Monthly Meetings
- Quarterly Business Review
- Escalations (as needed)
- Onboarding.
HTG 360 will assign a Project Manager who will develop a formal project plan, including timeline and task lists. The PM will lead project status meetings and provide weekly status reports.
- Timeline. Onboarding typically will occur within about one month. Here is an example:
Activities: Wk1 Wk1 Wk2 Wk2 Wk3
MSSP Health Check x x
MSSP Onboarding x x x x x
Planning & Documentation x
Service Provisioning x
Initial Engineering & Security Tuning x
Monitoring Soft-Launch x
Monitoring Production Launch x
- Tasks. Typical onboarding tasks include: Welcome meeting; kickoff call; data collection; escalation plan; identify access requirements and data links; document users / devices; establish Client portal access; define reporting; confirm connectivity, including VPN; setup network; establish mobile access if applicable; setup service; implement dashboards; review initial logs; tuning and noise reduction; client review / approval; training; soft launch; testing of escalation plan; launch; final onboarding call; certify completion.
- HTG 360 bills in two parts, services and software. Charges are listed at the beginning of this agreement. Client assumes these charges and any applicable fees and taxes.
- Exclusions.
- Incident Response: Extended breach and/or major incident response and related forensic analysis will be billed at Time and Materials.
- Detailed configuration and project changes. These changes will be billed at Time and Materials.
- Other services and projects shall require a separate SOW.