This Services Guide contains provisions that define, clarify, and govern the scope of the services described in the quote that has been provided to you (the "Quote"), as well as the policies and procedures that we follow (and to which you agree) when we provide a service to you or facilitate a service for you. If you do not agree with the terms of this Services Guide, you should not sign the Quote and you must contact us for more information.

This Services Guide is our "owner's manual" that generally describes all managed services provided or facilitated by CMIT Solutions of Clayton ("CMIT Solutions," "CMIT", "we," "us," or "our"); however, only those services specifically described in the Quote will be facilitated and/or provided to you (collectively, the "Services").

This Services Guide is governed under our Master Services Agreement ("MSA"). You may locate our MSA through the link in your Quote or, if you want, we will send you a copy of the MSA by email upon request. Capitalized terms in this Services Guide will have the same meaning as the capitalized terms in the MSA, unless otherwise indicated below.

Activities or items that are not specifically described in the Quote will be out of scope and will not be included unless otherwise agreed to by us in writing.

This Services Guide contains important provisions pertaining to the auto-renewal of the Services in the Quote, as well as fee increases that may occur from time-to-time. Please read this Services Guide carefully and keep a copy for your records.

Onboarding Services

In the Onboarding phase of our services, we will prepare your IT environment for the monthly managed services described in the Quote. During this phase, we will work with your Authorized Contact(s) to review the information we need to prepare the targeted environment, and we may also:

  • Uninstall, or request the uninstall of, any monitoring tools or other software installed by previous IT service providers.
  • Compile a full inventory of all protected servers, workstations, and laptops.
  • Uninstall, or request the uninstall of, any previous endpoint protection and install our managed security solutions (as indicated in the Quote).
  • Install remote support access agents (i.e., software agents) on each managed device to enable remote support.
  • Configure Windows® and application patch management agent(s) and check for missing security updates.
  • Optimize device performance including disk cleanup and endpoint protection scans.
  • Review firewall configuration and other network infrastructure devices.
  • Document important aspects of your IT environment including data backup, hardware and software inventory, internet service provider, administrator credentials for critical systems, and 3rd-party vendors for systems we do not manage.
  • As applicable, make recommendations for changes that should be considered to the managed environment.
  • Coordinate the transition of support services from the prior IT support provider.
  • Prepare our internal services automation systems to support your IT environment.

This list is subject to change if we determine, at our discretion, that different or additional onboarding activities are required.

If deficiencies are discovered during the onboarding process, we will bring those issues to your attention and discuss the impact of the deficiencies on our provision of our monthly managed services. Please note, unless otherwise expressly stated in the Quote, onboarding-related services do not include the remediation of any issues, errors, or deficiencies ("Issues"), and we cannot guarantee that all Issues will be detected during the onboarding process.

The duration of the onboarding process depends on many factors, many of which may be outside of our control—such as product availability/shortages, required third-party vendor input, etc. As such, we can estimate, but cannot guarantee, the timing and duration of the onboarding process. We will keep you updated as the onboarding process progresses.

Ongoing / Recurring Services

Ongoing/recurring services are services that are provided to you or facilitated for you on an ongoing basis and, unless otherwise indicated in a Quote, are billed to you monthly. Some ongoing/recurring services will begin with the commencement of onboarding services; others will begin when the onboarding process is completed. Please direct any questions about start or "go live" dates to your Account Manager.

Managed Services

SERVICES

GENERAL DESCRIPTION

Technology Success Program

CMIT's technology success program aligns your business and technology to best practices for technology success. By combining your business strategy with technology best-practices, we will identify opportunities to make improvements that will benefit your business through increased efficiency, cost containment, and risk management. This program will minimize the number of reactive issues faced by you and your users. Your assigned CMIT Account Manager and CMIT Technology Success Manager will be responsible for delivering technology success to your business. Periodically, your Technology Success Manager will visit your office to perform a standards alignment, identify gaps, and address any misconfigurations. Your Account Manager will develop your Strategic IT Roadmap and meet with you periodically to review and adjust the plan. The components of this service include:

Technology Alignment

Periodic onsite visit by your CMIT Technology Success Manager.

Benchmark your IT environment against CMIT and industry best-practices.

Identify gaps in your IT environment including business impact and cybersecurity risk.

IT Strategy

Understand your business and business strategy.

Align your technology strategy to your business objectives.

Align your technology to best practices including trends in the IT industry.

Develop and maintain an IT Roadmap including initiatives to enable your business strategy and help address business risks.

Periodic IT strategy meetings to review priorities and plans.

Reporting

Periodic reporting of overall health of your IT environment.

24x7 Remote Support

Remote support provided 24x7 for managed users on covered devices and software.

If remote efforts are unsuccessful, then CMIT Solutions will dispatch a technician to the Client's premises to resolve covered incidents during normal business hours.

Business Hours Onsite Support

Issues related to covered devices and software that cannot be resolved remotely will be handled by our technicians onsite at no additional service fee.

Vendor Management

CMIT, with your authorization, will work with your other technology vendors on your behalf for issue remediation.

Remote Access Software

Our secure remote support tool enables us to respond more quickly to problems by accessing your network from our office and eliminating the delay of waiting for an engineer to come onsite. Our remote access tools can be made available to end users so they may access their computers when working outside the office.

24x7x365 Device Monitoring

Our Network Operations Center engineering staff will be monitoring your managed environment around the clock for critical issues that may occur. This includes monitoring covered firewalls, switches, wireless access points, servers, event logs, and printers.

Preventative Maintenance and Patching

Software agents installed on Covered Equipment (defined below) report status and IT-related events on a 24x7 basis, as well as handle software patching on operating systems and other critical software.

Includes capacity monitoring, alerting us to severely decreased or low disk capacity (covers standard fixed HDD partitions, not external devices such as USB or mapped drives).

Includes Hard Drive integrity checks on SMART enabled computers.

Includes routine operating system inspection and cleansing to help ensure that disk space is increased before space-related issues occur.

Review and installation of updates and patches for supported software.

Remotely deploy updates (e.g., x.1 to x.2), as well as bug fixes, minor enhancements, and security updates as deemed necessary on all managed hardware.

Deploy, manage, and monitor the installation of approved service packs, security updates and firmware updates as deemed necessary on all applicable managed hardware.

Please note: We will keep all managed hardware and managed software current with critical patches and updates ("Patches") as those Patches are released generally by the applicable manufacturers. Patches are developed by third-party vendors and, on rare occasions, may make the Environment, or portions of the Environment, unstable or cause the managed equipment or software to fail to function properly even when the Patches are installed correctly. We will not be responsible for any downtime or losses arising from or related to the installation or use of any Patch. We reserve the right, but not the obligation, to refrain from installing a Patch if we are aware of technical problems caused by a Patch, or we believe that a Patch may render the Environment, or any portion of the Environment, unstable.

Email Security Services

Implementation and facilitation of a trusted email threat protection solution from our designated Third-Party Provider with the following features:

Email Security using cloud-based protection against:

  • Spam.
  • Email-borne viruses (inbound and outbound).
  • Email-based malware.
  • Phishing emails.
  • Undelivered emails.
  • Unsecured emails.
  • Denial-of-Service attacks.

Advanced Threat Protection using full-system emulation sandbox.

Agentless email encryption.

Link and URL protection against typo squatting.

Email Continuity: Failover to cloud-based email service to continue operations. Provides email continuity for up to 96 hours. Emergency mailbox allows users to send, receive, read, and respond to email.

Secure Cloud Data Centers:

  • AES 256-bit encryption at rest and in transit.
  • Public key cryptography (RSA 1024).
  • Isolated customer metadata databases.
  • Redundant storage (geographic or within Co-location).
  • Data stored in-country (based on Co-location).
  • Tier 3 & 4 data centers.
  • SSAE 16 or SOC audited data centers.

Advanced Cloud Security

Advanced cloud security monitors for suspicious activity that could potentially indicate a threat actor is attempting to gain access or has already gained access to your environment by monitoring common risk areas. Our 24x7x365 Security Operations Center (SOC) will also be monitoring for suspicious activity. As with all such solutions, this service is not 100% effective at stopping all breaches.

Core Functionality: Monitoring employee interactions with popular SaaS platforms such as Microsoft 365 and Google Workspace, detecting threats in real-time.

Threat Detection: Identifies suspicious activities, including unauthorized access, data exfiltration, ransomware indicators, and compliance violations.

Automated Response: For some threats, automated remediation will take immediate actions like suspending user accounts or forcing password resets to mitigate risks.

365 Backup

Implementation and facilitation of an industry-leading third-party cloud backup of Microsoft 365 data.

Backup Exchange (email), Teams, SharePoint and OneDrive data.

Find and restore the data that you want.

Immutable storage to protect against modification or removal.

Granular restoration of detailed data using advanced search.

Web Filter

Implementation and facilitation of an industry-leading third-party Web Filter.

  • Device-based filtering (no DNS changes).
  • Real-time updates.
  • Role-based policies.
  • Unblock requests.
  • GeoIP blocking.
  • User and Entity Behavior Analytics.
  • Unlimited timeline activity logs.
  • 90-day traffic log access.

Security Awareness Training and Phishing Simulation

Implementation and facilitation of a security awareness training solution from an industry-leading third-party solution provider.

Baseline testing to assess the phish-prone percentage of users; simulated phishing email campaigns designed to educate employees about security threats.

Online, on-demand training videos (multi-lingual).

Online, on-demand quizzes to verify employee retention of training content.

Dark Web Monitoring

Implementation and facilitation of a Dark Web Monitoring solution from our designated Third-Party Provider.

Credentials supplied by Client will be added into a system that continuously uses human and machine-powered monitoring to determine if the supplied credentials are located on the dark web.

If compromised credentials are found, they are reported to Help Desk Services staff who will review the incident and notify affected end-users.

Dark web monitoring can be a highly effective tool to reduce the risk of certain types of cybercrime; however, we do not guarantee that the dark web monitoring service will detect all actual or potential uses of your designated credentials or information.

Managed Detection & Response (MDR)

Implementation and facilitation of an endpoint malware protection solution with extended functionalities from our designated Third-Party Provider.

  • Protect endpoints in real time.
  • Detect threats without human intervention.
  • Remediate threats with 1-click or automated response actions.
  • AI-based malware and ransomware protection.
  • Patented 1-click remediation and rollback.
  • Coverage for Windows, Mac, and Linux.
  • Autonomous operation; works on- and off-network.
  • Rapid deployment interoperability features ensure a fast, smooth rollout.

Security Operations Center: 24x7 monitoring and response to notifications by the cybersecurity team.

Managed Firewall (Basic Security Services)

During services onboarding, provide a firewall configured for your organization's specific bandwidth, remote access, and user needs.

Helps to prevent hackers from accessing internal network(s) from outside the network(s).

Provides secure and encrypted remote network access.

Provides antivirus scanning for all traffic entering and leaving the managed network to block spyware, viruses, trojans, worms, and rogueware, with heuristics to catch unknown viruses.

Provides website content filtering functionality.

Provides intrusion prevention services to protect against spyware, SQL injections, cross-site scripting and buffer overflows.

Provides Virtual Private Network (VPN) services including Multi-Factor Authentication (MFA).

When the initial firewall provided during onboarding reaches end of life or is otherwise recommended for replacement, the cost of replacement will be Client's responsibility.

Password Manager

Implementation and facilitation of a password management protection solution from our designated Third-Party Provider.

Password Vault: Securely store and organize passwords in a secure digital location accessed through your browser or an app.

Password Generation: Generate secure passwords with editable options to meet specific criteria.

Financial Information Vault: Securely store and organize financial information such as bank accounts and credit card information in a secure digital location accessed through your browser or an app.

Contact Information Vault: Store private addresses and personal contact information within your vault accessed through your browser or an app.

Browser App: Browser extension permits easy access to your information including the vaults, financial information, contact information, and single sign-on through the app.

Smart-Phone App: Mobile phone app enables access to your vault and stored information on your mobile device.

Other Services

Security Information & Event Management (SIEM)

Implementation and facilitation of an industry leading SIEM solution from our designated Third-Party Provider.

The SIEM service utilizes threat intelligence to detect threats that can exploit potential vulnerabilities against your managed network.

  • 400-day log archives.
  • Threat Dashboard.
  • Insider Threat Protection.
  • Cloud Hosted.
  • 24/7 Monitoring.
  • Daily Security Report.
  • Detect File Modifications (FIM).
  • Minimize false positives.
  • Full guided remediation recommendations.
  • Prioritize vulnerabilities.
  • Incident Response Support.
  • Compliance Reporting (PCI DSS, GDPR, HIPAA, NIST 800-171).

Backup and Disaster Recovery

Implementation and facilitation of a backup and file recovery solution from our designated Third-Party Provider.

24/7 monitoring of backup system, including offsite backup, offsite replication, and an onsite backup appliance ("Backup Appliance").

  • Troubleshooting and remediation of failed backup disks.
  • Preventive maintenance and management of imaging software.
  • Firmware and software updates of backup appliances.
  • Problem analysis by the network operations team.
  • Monitoring of backup successes and failures.

Backup Data Security: All backed up data is encrypted in transit and at rest in 256-bit AES encryption. All facilities housing backed up data implement physical security controls and logs and have multiple internet connections with failover capabilities.

Backup Retention: Backed up data will be retained for the periods indicated below, unless a different time period is expressly stated in the Quote. This includes both on-premise and cloud backups.

On-Premise Backups: All on-premise backups will be stored on a backup appliance, which will be kept in a secure location with restricted access. On-premises backups will be performed daily and retained on a rolling one year basis as long as local storage space is available.

Cloud Backups: All cloud backups will be stored in a secure, off-site location that meets the organization's security standards. Cloud backups will be performed daily and retained on a rolling one year basis.

Backup Alerts: Managed servers will be configured to inform of any backup failures.

Recovery of Data: If you need to recover any of your backed up data, then the following procedures will apply:

Service Hours: Backed up data can be requested during our normal business hours, which are currently 8am to 5pm Central Time.

Request Method: Requests to restore backed up data should be made by contacting our support desk.

Restoration Time: We will endeavor to restore backed up data as quickly as possible following our receipt of a request to do so; however, in all cases data restoration services are subject to (i) technician availability and (ii) confirmation that the restoration point(s) is/are available to receive the backed up data.

Client Watch Recurring Third-Party Security Analysis

Quarterly Penetration Testing

Find out what a hacker would get to when they break into your organization: Penetration testing performed using one of two attack vectors. These penetration tests analyze the cyber security response of both the tools and the security operations center professionals in the environment. These attack vectors include:

Supply Chain—Where a piece of software is compromised inside the environment allowing an attacker to gain access to your organization's computer systems.

Insider Threat—An employee begins working against your organization and allows the attacker into the environment.

Quarterly Internal Vulnerability Analysis

Firewall Testing—Thoroughly tests the IPS and IDS as well as the firewall's antivirus capabilities.

Active Directory Evaluation—Evaluate users, administrators, service accounts, policies, and settings on the domain.

Evaluate M365 Security—Fully analyze your M365 security settings for best practices and security misconfigurations.

Evaluate Endpoint and Server Security—Endpoint and server security misconfigurations make it easier for hackers to enter, move laterally, or create persistence in your network.

Evaluate Local and Active Directory Account Configuration—Local and Active Directory Account and policy configuration includes issues like ticket rotation, password policy enforcement, and account deactivation. This keeps attackers from getting access to all your data by simply compromising a single account.

Evaluate User Cyber Hygiene—When it comes to security, users are often your worst enemy. Cyber security hygiene is a critical part of defense. We crack passwords, review cookies, and even analyze tokens on their devices to measure the users' cyber hygiene.

Evaluate Network Device Vulnerabilities—We scan your network devices for vulnerabilities. Windows devices aren't the only way in for hackers. Once they get a user to click a malicious link, hackers search for ways to move laterally inside the environment. We use similar methodologies to identify vulnerabilities in your network devices like printers, scanners, copiers, switches, and routers.

Identify Unencrypted PII Stored on Devices—Ransomware isn't the only way hackers make money these days. One key method is finding unencrypted personally identifiable information and exfiltrating it from networks. We analyze your users to make sure they don't have unencrypted PII sitting around.

Evaluate Unencrypted Drives—Even though we all know drive encryption is very important, a staggering number of unencrypted hard drives within networks store sensitive data.

Assess Missed Patches—Whether maintenance windows are being skipped or patches aren't properly being applied, the result is the same: vulnerability. We've seen it all when it comes to missing patches. Our team not only analyzes the patches on the device, but we also keep a list of hacker tool craft and can show you which patches are actually being actively exploited in the wild.

Evaluate Improperly Configured Endpoint Security Tools—Our team reviews your environment for missing and improperly configured endpoint security tools like SIEM, EDR, XDR, and MDX. If you don't have these tools set up or properly reporting back, it doesn't matter how attentive your security operations staff are; they have nothing to see.

Monthly External Vulnerability Analysis

Evaluate the Outside of the Network—Analyze the outside of the network by brute forcing DNS, examining the external address of each device we check in, and analyzing each of the open ports for vulnerabilities.

Covered Users and Environment

Managed Services will be applied to the number of users indicated in the Quote ("Covered Users"). We reserve the right to modify the list of Covered Users at any time if we discover users that were not previously included in the list of Covered Users and which are receiving Services, or as necessary to accommodate changes to the quantity of Covered Users.

Unless otherwise stated in the Quote, Covered Devices will only include technology assets (such as computers, servers, and networking equipment) owned by the Client's organization. As an accommodation, CMIT Solutions may provide guidance in connecting a personal device to the Client's organization's technology, but support of personal devices is generally not included in the Scope of Services.

If the Quote indicates that the Services are billed on a "per user" basis, then the Services will be provided for a total number of devices not to exceed 125% of the total number of users indicated in the Quote. A "Business Device" is a device that (i) is owned or leased by Client and used primarily for business, (ii) is regularly connected to Client's managed network, and (iii) has installed on it a software agent through which we (or our designated Third-Party Providers) can monitor the device. If the total number of devices exceeds 125% of the total number of users, additional fees may be incurred.

We will provide support for software applications on a "best effort" basis only and any support required beyond basic support will be facilitated with the applicable software vendor/producer. Should our technicians provide you with advice concerning software, the provision of that advice should be viewed as an accommodation, not an obligation, to you.

If we are unable to remediate an issue with software, then we will contact the manufacturer/distributor of the software for further support. Please note: Manufacturers/distributors of such software may charge fees, some of which may be significant, for technical support; therefore, we strongly recommend that you maintain service or support contracts for all Software ("Service Contract"). If you request that we facilitate technical support for Software and if you have a Service Contract in place, our facilitation services will be provided at no additional cost to you. If you do not have a Service Contract in place, we may be unable to support the software and/or may be required to charge for our support services on a time and materials basis.

In this Services Guide, Covered Hardware and Supported Software will be referred to as the "Environment" or "Covered Equipment."

Physical Locations Covered by Services

Services will be provided remotely unless, in our discretion, we determine that an onsite visit is required. CMIT Solutions visits will be scheduled in accordance with the priority assigned to the issue (below) and are subject to technician availability. Unless we agree otherwise, all onsite Services will be provided at Client's primary business location. Additional fees may apply for onsite visits: Please review the Service Level section below for more details.

Minimum Requirements / Exclusions

The scheduling, fees and provision of the Services are based upon the following assumptions and minimum requirements, all of which must be provided/maintained by Client at all times:

  • Server hardware must be under current warranty coverage.
  • All equipment with Microsoft Windows® operating systems must be running then-currently supported versions of such software and have all the latest Microsoft service packs and critical updates installed.
  • All software must be genuine, licensed, and vendor- or OEM-supported.
  • Servers in the managed environment must use CMIT's recommended solution or have a currently licensed, vendor-supported backup solution that CMIT approves as sufficient.
  • All wireless data traffic in the managed environment must be securely encrypted.
  • All servers must be connected to working UPS devices.
  • Recovery coverage assumes data integrity of the backups or the data stored on the backup devices. We do not guarantee the integrity of the backups or the data stored on the backup devices. Server restoration will be to the point of the last successful backup.
  • Client must provide all software installation media and key codes in the event of a failure.
  • Any costs required to bring the Environment up to these minimum standards are not included.
  • Client must provide us with exclusive administrative privileges to the Environment.
  • Client must not affix or install any accessory, addition, upgrade, equipment, or device on to the firewall, server, or NAS appliances (other than electronic data) unless expressly approved in writing by us.

Exclusions. Services that are not expressly described in the Quote will be out of scope and will not be provided to Client unless otherwise agreed, in writing, by CMIT Solutions. Without limiting the foregoing, the following services are expressly excluded, and if required to be performed, must be agreed upon by CMIT Solutions in writing:

  • Installation and/or Procurement of New Hardware, New Software, and Third-Party Vendor Requirements
  • Services required to install new hardware, new software, PC swap outs.
  • Upgrades to existing software
  • Service and/or assistance to address equipment or software installed without our knowledge or quoted support.
  • Customization of third-party applications, or programming of any kind.
  • Support for operating systems, applications, or hardware no longer supported by the manufacturer.
  • Data/voice wiring or cabling services of any kind.
  • Equipment and/or network relocation.
  • The cost to bring the managed environment up to these minimum requirements (unless otherwise noted in the Quote).
  • The cost of repairs to hardware or any supported equipment or software, or the costs to acquire parts or equipment, or shipping charges of any kind.
  • Backup of individual computers or workstations.
  • Litigation support services for client legal needs.

Software Licensing

All software provided to you by or through CMIT Solutions is licensed, not sold, to you ("Software"). In addition to any Software-related requirements described in CMIT Solutions' Master Services Agreement, Software may also be subject to end user license agreements (EULAs), acceptable use policies (AUPs), and other restrictions all of which must be strictly followed by you and any of your authorized users.

When installing/implementing software licenses in the managed environment or as part of the Services, we may accept (and you agree that we may accept) any required EULAs or AUPs on your behalf. You should assume that all Software has an applicable EULA and/or AUP to which your authorized users and you must adhere. If you have any questions or require a copy of the EULA or AUP, please contact us.

Service Levels

Automated monitoring is provided on an ongoing (i.e., 24x7x365) basis. Response, repair, and/or remediation services (as applicable) will be provided only during our business hours (currently M-F, 8 AM – 5 PM Central Time), excluding legal holidays and CMIT Solutions-observed holidays as listed below, unless otherwise specifically stated in the Quote or as otherwise described below.

We will respond to problems, errors, or interruptions in the provision of the Services during business hours in the timeframe(s) described below. Severity levels will be determined by CMIT Solutions in our discretion after consulting with the Client. All remediation services will initially be attempted remotely; CMIT Solutions will provide onsite service only if remote remediation is ineffective and, under all circumstances, only if covered under the Service plan selected by Client.

| Trouble / Severity | Response Time |
|---|---|
| Critical / Service Not Available: Problem that is causing significant productivity impact for a majority of end users and/or has significant business impact. | Response within one (1) business hour after notification. |
| High / Significant Degradation: Single user unable to work (complete work stoppage) or problem that impacts multiple users impeding their productivity. | Response within one (1) business hour after notification. |
| Standard / Limited Degradation: Single user impacted with workaround and/or no significant work slow-down or stoppage. | Response within two (2) business hours after notification. |
| Low / No Service Degradation: No end-user impact. | Response within five (5) business days after notification. |
| Service requests for moves, adds and changes | Response within six (6) business days after notification. |

* All time frames are calculated as of the time that we are notified of the applicable issue / problem by Client through our designated support portal, help desk, or the phone number provided during onboarding. Notifications received in any manner other than described herein may result in a delay in the provision of remediation efforts.

On-Site Support During Off-Hours/Non-Business Hours: Technical on-site support provided outside of our normal business hours is offered on a case-by-case basis and is subject to technician availability. If CMIT Solutions agrees to provide off-hours/non-business hours support ("Non-Business Hour Support"), then that support may be provided on a time and materials basis (which is not covered under any Service plan) and will be billed to Client at 150% of the Project Hourly rate as defined in the Quote.

All hourly services are billed in 15 minute increments, and partial increments are rounded to the next highest increment. A one (1) hour minimum applies to all On-Site Non-Business Hour Support.

CMIT Solutions-Observed Holidays: CMIT Solutions observes the following holidays:

  • New Year's Day
  • Memorial Day
  • Independence Day
  • Labor Day
  • Thanksgiving Day
  • Christmas Day

Fees

The fees for the Services will be as indicated in the Quote.

Reconciliation. Fees for certain Third-Party Services that we facilitate or resell to you may begin to accrue prior to the "go-live" date of other applicable Services. (For example, Microsoft Azure or AWS-related fees begin to accrue on the first date on which we start creating and/or configuring certain hosted portions of the Environment; however, the Services that rely on Microsoft Azure or AWS may not be available to you until a future date). You understand and agree that you will be responsible for the payment of all fees for Third-Party Services that are required to begin prior to the "go-live" date of Services, and we reserve the right to reconcile amounts owed for those fees by including those fees on your monthly invoices.

Changes to Environment. Initially, you will be charged the monthly fees indicated in the Quote. Thereafter, if the managed environment changes, or if the number of authorized users accessing the managed environment changes, then you agree that the fees will be automatically and immediately modified to accommodate those changes.

Travel. If one of our team members must travel to a Client location that is more than 49 miles from a CMIT Office Location, the following trip charges will apply. If longer travel distances and overnight stays are required, expense estimates will be quoted and approved by Client before travel begins. In addition, you will be billed for all tolls, parking fees, and related expenses that we incur if we provide onsite services to you.

| Miles One-Way | Round-Trip Charge |
|---------------|-------------------|
| 0-49          | $0.00             |
| 50-99         | $150.00           |
| 100-149       | $350.00           |
| 150-199       | $550.00           |
| 200-249       | $750.00           |
| 250-299       | $950.00           |

Appointment Cancellations. You may cancel or reschedule any appointment with us at no charge by providing us with notice of cancellation at least one business day in advance. If we do not receive timely notice of cancellation/re-scheduling, or if you are not present at the scheduled time, or if we are otherwise denied access to your premises at a pre-scheduled appointment time, then you agree to pay us a cancellation fee equal to two (2) hours of our normal consulting time (or non-business hours consulting time, whichever is appropriate), calculated at our then-current hourly rates, plus the travel charge if applicable.

Access Licensing. One or more of the Services may require us to purchase certain "per seat" or "per device" licenses (often called "Access Licenses") from one or more Third-Party Providers. (Microsoft "New Commerce Experience" licenses are examples of Access Licenses.) Access Licenses cannot be canceled once they are purchased and often cannot be transferred to any other Client. For that reason, you understand and agree that regardless of the reason for termination of the Services, fees for Access Licenses are non-mitigatable and you are required to pay for all applicable Access Licenses in full for the entire term of those licenses. Provided that you have paid for the Access Licenses in full, you will be permitted to use those licenses until they expire.

Term; Termination

The Services will commence, and billing will begin, on the date indicated in the Quote ("Commencement Date") and will continue through the initial term listed in the Quote ("Initial Term"). We reserve the right to delay the Commencement Date until all onboarding/transition services (if any) are completed, and all deficiencies / revisions identified in the onboarding process (if any) are addressed or remediated to CMIT Solutions' satisfaction.

The Services will continue through the Initial Term until terminated as provided in the Agreement, the Quote, or as indicated in this Services Guide (the "Service Term").

Per Seat/Per Device Licensing: Regardless of the reason for the termination of the Services, you will be required to pay for all per seat or per device licenses that we acquire on your behalf. Please see "Access Licensing" in the Fees section above for more details.

Removal of Software Agents; Return of Firewall & Backup Appliances: Unless we expressly direct you to do so, you will not remove or disable, or attempt to remove or disable, any software agents that we installed in the managed environment or any of the devices on which we installed software agents. Doing so without our guidance may make it difficult or impracticable to remove the software agents, which could result in network vulnerabilities and/or the continuation of license fees for the software agents for which you will be responsible, and/or the requirement that we remediate the situation at our then-current hourly rates, for which you will also be responsible. Depending on the particular software agent and the costs of removal, we may elect to keep the software agent in the managed environment but in a dormant and/or unused state.

Within ten (10) days after being directed to do so, you must remove, package and ship, at your expense and in a commercially reasonable manner, all hardware, equipment, and accessories leased, loaned, rented, or otherwise provided to you by CMIT Solutions "as a service." If you fail to return all such equipment to us within 30 calendar days, or if the equipment is returned to us damaged (normal wear and tear excepted), then we will have the right to charge you, and you hereby agree to pay, the replacement value of all such unreturned or damaged equipment.

Offboarding

Subject to the requirements in the MSA, CMIT Solutions will off-board Client from CMIT Solutions' services by performing one or more of the following:

  • Removal / disabling of monitoring agents in the Environment.
  • Removal / disabling of endpoint software from the Environment.
  • Removal of credentials from the Environment.
  • Removal of backup software from the Environment.

Additional Policies

The following additional policies ("Policies") apply to Services that we provide or facilitate under a Quote. By accepting a Service for which one or more of the Policies apply, you agree to always abide by the applicable Policy.

Authenticity

Everything in the managed environment must be genuine and licensed, including all hardware, software, etc. If we ask for proof of authenticity and/or licensing, you must provide us with such proof. All minimum hardware or software requirements as indicated in a Quote or this Services Guide ("Minimum Requirements") must be implemented and maintained as an ongoing requirement of us providing the Services to you.

Monitoring Services; Alert Services

Unless otherwise indicated in the Quote, all monitoring and alert-type services are limited to detection and notification functionalities only. Monitoring levels will be set by CMIT Solutions, and Client shall not modify these levels without our prior written consent.

Configuration of Third-Party Services

Certain third-party services provided to you under a Quote may provide you with administrative access through which you could modify the configurations, features, and/or functions ("Configurations") of those services. However, any modifications of Configurations made by you without authorization could disrupt the Services and/or cause a significant increase in the fees charged for those third-party services. For that reason, we strongly advise you to refrain from changing the Configurations unless we authorize those changes. You will be responsible for paying any increased fees or costs arising from or related to changes to the Configurations.

Modification of Environment

Changes made to the Environment without our prior authorization or knowledge may have a substantial, negative impact on the provision and effectiveness of the Services and may impact the fees charged under the Quote. You agree to refrain from moving, modifying, or otherwise altering any portion of the Environment without our prior knowledge or consent. For example, you agree to refrain from adding or removing hardware from the Environment, installing applications on the Environment, or modifying the configuration or log files of the Environment without our prior knowledge or consent.

Managed Detection & Response

Our Managed Detection and Response solution will generally protect the Environment from becoming infected with new viruses and malware ("Malware"); however, Malware that exists in the Environment at the time that the security solution is implemented may not be capable of being removed without additional services, for which a charge may be incurred. We do not warrant or guarantee that all Malware will be detected, avoided, or removed, or that any data erased, corrupted, or encrypted by Malware will be recoverable. To improve security awareness, you agree that CMIT Solutions or its designated third-party affiliate may transfer information about the results of processed files, information used for URL reputation determination, security risk tracking, and statistics for protection against spam and malware.

Breach/Cyber Security Incident Recovery

Unless otherwise expressly stated in the Quote, the scope of the Services does not include the remediation and/or recovery from a Security Incident (defined below). Such services, if requested by you, will be provided on a time and materials basis under our then-current hourly labor rates. Given the varied number of possible Security Incidents, we cannot and do not warrant or guarantee (i) the amount of time required to remediate the effects of a Security Incident (or that recovery will be possible under all circumstances), or (ii) that all data or systems impacted by the incident will be recoverable or remediated. For the purposes of this paragraph, a Security Incident means any unauthorized or impermissible access to or use of the Environment, or any unauthorized or impermissible disclosure of Client's confidential information (such as user names, passwords, etc.), that (i) compromises the security or privacy of the information or applications in, or the structure or integrity of, the managed environment, or (ii) prevents normal access to the managed environment, or impedes or disrupts the normal functions of the managed environment.

Environmental Factors

Exposure to environmental factors, such as water, heat, cold, or varying lighting conditions, may cause installed equipment to malfunction. Unless expressly stated in the Quote, we do not warrant or guarantee that installed equipment will operate error-free or in an uninterrupted manner, or that any video or audio equipment will clearly capture and/or record the details of events occurring at or near such equipment under all circumstances.

Fair Usage Policy

Our Fair Usage Policy ("FUP") applies to all services that are described or designated as "unlimited" or which are not expressly capped in the number of available usage hours per month. An "unlimited" service designation means that, subject to the terms of this FUP, you may use the applicable service as reasonably necessary for you to enjoy the use and benefit of the service without incurring additional time-based or usage-based costs. However, unless expressly stated otherwise in the Quote, all unlimited services are provided during our normal business hours only and are subject to our technicians' availability, which cannot always be guaranteed. In addition, we reserve the right to assign our technicians as we deem necessary to handle issues that are more urgent, critical, or pressing than the request(s) or issue(s) reported by you.

You will submit support requests (opening a ticket) via our support email address or via our ticket portal. Support requests should not be opened via a phone call unless the nature of the request is Critical or High. Refer to the Service Levels paragraph above for the definition of Critical and High Severity Levels. By submitting support requests in this fashion, your requests will be triaged and assigned to the most appropriate service team member, resulting in faster and more efficient remediation of the issue. This also frees up our team to be available to answer phone calls for Critical and High Severity issues.

Consistent with this FUP, you agree to refrain from (i) creating urgent support tickets for non-urgent or non-critical issues, (ii) requesting excessive support services that are inconsistent with normal usage patterns in the industry (e.g., requesting support in lieu of training), or (iii) requesting support or services that are intended to interfere, or may likely interfere, with our ability to provide our services to our other customers.

Acceptable Use Policies

You are solely responsible for your proper use of any hosted solution provided to you ("Hosted Solution").

Hosted Solutions are subject to acceptable use policies ("AUPs"), and your use of Hosted Solutions must comply with those AUPs. In all cases, you agree to refrain from uploading, posting, transmitting or distributing (or permitting any of your authorized users of a Hosted Solution to upload, post, transmit or distribute) any prohibited content, which is generally content that (i) is obscene, illegal, or intended to advocate or induce the violation of any law, rule or regulation, or (ii) violates the intellectual property rights or privacy rights of any third party, or (iii) mischaracterizes you, and/or is intended to create a false identity or to otherwise attempt to mislead any person as to the identity or origin of any communication, or (iv) interferes or disrupts the services provided by CMIT Solutions or the services of any third party, or (v) contains viruses, trojan horses or any other malicious code or programs. In addition, you must not use any Hosted Solution for illegal purposes. CMIT Solutions reserves the right, but not the obligation, to suspend Client's access to a Hosted Solution if CMIT Solutions believes, in its discretion, that solution is being used in an improper or illegal manner.

Backup (BDR) Services

BDR services require a reliable, always-connected internet solution. Data backup and recovery time will depend on the speed and reliability of your internet connection. Internet and telecommunications outages will prevent the BDR services from operating correctly. In addition, all computer hardware is prone to failure due to equipment malfunction, telecommunication-related issues, etc., for which we will be held harmless. Due to technology limitations, all computer hardware, including communications equipment, network servers and related equipment, has an error transaction rate that can be minimized, but not eliminated. CMIT Solutions cannot and does not warrant that data corruption or loss will be avoided, and Client agrees that CMIT Solutions shall be held harmless if such data corruption or loss occurs.

Procurement

Equipment and software procured by CMIT Solutions on Client's behalf ("Procured Equipment") may be covered by one or more manufacturer warranties, which will be passed through to Client to the greatest extent possible. By procuring equipment or software for Client, CMIT Solutions does not make any warranties or representations regarding the quality, integrity, or usefulness of the Procured Equipment. Certain equipment or software, once purchased, may not be returnable or, in certain cases, may be subject to third party return policies and/or re-stocking fees, all of which shall be Client's responsibility in the event that a return of the Procured Equipment is requested. CMIT Solutions is not a warranty service or repair center. CMIT Solutions will facilitate the return or warranty repair of Procured Equipment; however, Client understands and agrees that (i) the return or warranty repair of Procured Equipment is governed by the terms of the warranties (if any) governing the applicable Procured Equipment, for which CMIT Solutions will be held harmless, and (ii) CMIT Solutions is not responsible for the quantity, condition, or timely delivery of the Procured Equipment once the equipment has been tendered to the designated shipping or delivery courier. The return or warranty repair of equipment acquired by the Client will be the responsibility of the Client.

Business Review / IT Strategic Planning Meetings

We strongly suggest that you participate in business review/strategic planning meetings as may be requested by us from time to time. These meetings are intended to educate you about recommended (and potentially crucial) modifications to your IT environment, as well as to discuss your company's present and future IT-related needs. These reviews can provide you with important insights and strategies to make your managed IT environment more efficient and secure. You understand that by suggesting a particular service or solution, we are not endorsing any specific manufacturer or service provider.

CMIT Solutions will not hold an actual director or officer position in Client's company, and we will neither hold nor maintain any fiduciary relationship with Client. Under no circumstances shall Client list or place CMIT Solutions on Client's corporate records or accounts.

Sample Policies, Procedures

From time to time, we may provide you with sample (i.e., template) policies and procedures for use in connection with Client's business ("Sample Policies"). The Sample Policies are for your informational use only, and do not constitute or comprise legal or professional advice, and the policies are not intended to be a substitute for the advice of competent counsel. You should seek the advice of competent legal counsel prior to using or distributing the Sample Policies, in part or in whole, in any transaction. We do not warrant or guarantee that the Sample Policies are complete, accurate, or suitable for your (or your customers') specific needs, or that you will reduce or avoid liability by utilizing the Sample Policies in your (or your customers') business operations.

Penetration Testing; Vulnerability Scanning

You understand and agree that security devices, alarms, or other security measures, both physical and virtual, may be tripped or activated during the penetration testing and/or vulnerability scanning processes, despite our efforts to avoid such occurrences. You will be solely responsible for notifying any monitoring company and all law enforcement authorities of the potential for "false alarms" due to the provision of the penetration testing or vulnerability scanning services, and you agree to take all steps necessary to ensure that false alarms are not reported or treated as "real alarms" or credible threats against any person, place, or property. Some alarms and advanced security measures, when activated, may cause the partial or complete shutdown of the Environment, causing substantial downtime and/or delay to your business activities. We will not be responsible for any claims, costs, fees, or expenses arising or resulting from (i) any response to the penetration testing or vulnerability scanning services by any monitoring company or law enforcement authorities, or (ii) the partial or complete shutdown of the Environment by any alarm or security monitoring device.

No Third Party Scanning

Unless we authorize such activity in writing, you will not conduct any test, nor request or allow any third party to conduct any test (diagnostic or otherwise), of the security system, protocols, processes, or solutions that we implement in the managed environment ("Testing Activity"). Any services required to diagnose or remediate errors, issues, or problems arising from unauthorized Testing Activity are not covered under the Quote, and if you request us (and we elect) to perform those services, those services will be billed to you at our then-current hourly rates.

Obsolescence

If at any time any portion of the managed environment becomes outdated, obsolete, reaches the end of its useful life, or acquires "end of support" status from the applicable device or software manufacturer ("Obsolete Element"), then we may designate the device or software as "unsupported" or "non-standard" and require you to update the Obsolete Element within a reasonable time period. If you do not replace the Obsolete Element reasonably promptly, then in our discretion we may (i) continue to provide the Services to the Obsolete Element using our "best efforts" only with no warranty or requirement of remediation whatsoever regarding the operability or functionality of the Obsolete Element, or (ii) eliminate the Obsolete Element from the scope of the Services by providing written notice to you (email is sufficient for this purpose). In any event, we make no representation or warranty whatsoever regarding any Obsolete Element or the deployment, service level guarantees, or remediation activities for any Obsolete Element.

Licenses

If we are required to re-install or replicate any software provided by you as part of the Services, then it is your responsibility to verify that all such software is properly licensed. We reserve the right, but not the obligation, to require proof of licensing before installing, re-installing, or replicating software into the managed environment. The cost of acquiring licenses is not included in the scope of the Quote unless otherwise expressly stated therein.

VOIP – Dialing 911 (Emergency) Services

The following terms and conditions apply to your use of any VoIP service that we facilitate for you or that is provided to you by a third-party provider of such service. Please note, by using VoIP services you agree to the provisions of the waiver at the end of this section. If you do not understand or do not agree with any of the terms below, you must not subscribe to, use, or rely upon any VoIP service and, instead, you must contact us immediately.

There is an important difference in how 9-1-1 (i.e., emergency) services can be dialed using a VoIP service as compared to a traditional telephone line. Calling emergency services using a VoIP service is referred to as "E911."

Registration: The E911 dialing feature must be registered to the address where you will use the VoIP service. Unless we expressly take responsibility, in writing, for registering your address you must take this step on your own initiative. To do this, you must log into your VoIP control panel and provide a valid physical address. If you do not take this step, then E911 services may not work correctly, or at all, using the VoIP service. Emergency service dispatchers will only send emergency personnel to a properly registered E911 service address.

Location: The address you provide in the control panel is the location to which emergency services (such as the fire department, the police department, etc.) will respond. For this reason, it is important that you correctly enter the location at which you are using the VoIP services. PO boxes are not proper addresses for registration and must not be used as your registered address. Please note, even if your account is properly registered with a correct physical address, (i) there may be a problem automatically transmitting a caller's physical location to the emergency responders, even if the caller can reach the 911 call center, and (ii) a VoIP 911 call may go to an unstaffed call center administrative line or be routed to a call center in the wrong location. These issues are inherent to all VoIP systems and services. We will not be responsible for, and you agree to hold us harmless from, any issues, problems, incidents, damages (both bodily- and property-related), costs, expenses, and fees arising from or related to your failure to register timely and correctly your physical location information into the control panel.

Address Change(s): If you change the address used for E911 calling, the E911 services may not be available and/or may operate differently than expected. Moreover, if you do not properly and promptly register a change of address, then emergency services may be directed to the location where your services are registered and not where the emergency may be occurring. For that reason, you must register a change of address with us through the VoIP control panel no less than three (3) business days prior to your anticipated move/address change. Address changes that are provided to us with less than three (3) business days' notice may cause incorrect/outdated information to be conveyed to emergency service personnel. If you are unable to provide us with at least three (3) business days' notice of an address change, then you should not rely on the E911 service to provide correct physical location information to emergency service personnel. Under those circumstances, you must provide your correct physical location to emergency service dispatchers if you call them using the VoIP services.

If you do not register the VoIP service at your location and you dial 9-1-1, that call will be categorized as a "rogue 911 call." If you are responsible for dialing a rogue 911 call, you will be charged a non-refundable and non-disputable fee in the amount(s) determined by the regulatory authorities located in your jurisdiction.

Power Loss: If you lose power or there is a disruption to power at the location where the VoIP services are used, then the E911 calling service will not function until power is restored. You should also be aware that after a power failure or disruption, you may need to reset or reconfigure the device prior to utilizing the service, including E911 dialing.

Internet Disruption: If your internet connection or broadband service is lost, suspended, terminated or disrupted, E911 calling will not function until the internet connection and/or broadband service is restored.

Account Suspension: If your account is suspended or terminated, then all E911 dialing services will not function.

Network Congestion: There may be a greater possibility of network congestion and/or reduced speed in the routing of E911 calls as compared to 911 dialing over traditional public telephone networks.

Acceptable Use Policy

The following policy applies to all hosted services provided to you, including but not limited to (and as applicable) hosted applications, hosted websites, hosted email services, and hosted infrastructure services ("Hosted Services").

CMIT Solutions does not routinely monitor the activity of hosted accounts except to measure service utilization and/or service uptime, security-related purposes and billing-related purposes, and as necessary for us to provide or facilitate our managed services to you; however, we reserve the right to monitor Hosted Services at any time to ensure your compliance with the terms of this Acceptable Use Policy (this "AUP") and our master services agreement, and to help monitor and ensure the safety, integrity, reliability, or security of the Hosted Services.

Similarly, we do not exercise editorial control over the content of any information or data created on or accessible over or through the Hosted Services. Instead, we prefer to advise our customers of inappropriate behavior and any necessary corrective action. If, however, Hosted Services are used in violation of this AUP, then we reserve the right to suspend your access to part or all of the Hosted Services without prior notice.

Violations of this AUP: The following constitute violations of this AUP:

  • Harmful or illegal uses: Use of a Hosted Service for illegal purposes or in support of illegal activities, to cause harm to minors or attempt to contact minors for illicit purposes, to transmit any material that threatens or encourages bodily harm or destruction of property or to transmit any material that harasses another is prohibited.
  • Fraudulent activity: Use of a Hosted Service to conduct any fraudulent activity or to engage in any unfair or deceptive practices, including but not limited to fraudulent offers to sell or buy products, items, or services, or to advance any type of financial scam such as "pyramid schemes," "Ponzi schemes," and "chain letters" is prohibited.
  • Forgery or impersonation: Adding, removing, or modifying identifying network header information to deceive or mislead is prohibited. Attempting to impersonate any person by using forged headers or other identifying information is prohibited. The use of anonymous remailers or nicknames does not constitute impersonation.
  • SPAM: CMIT Solutions has a zero tolerance policy for the sending of unsolicited commercial email ("SPAM"). Use of a Hosted Service to transmit any unsolicited commercial or unsolicited bulk e-mail is prohibited. You are not permitted to host, or permit the hosting of, sites or information that is advertised by SPAM from other networks. To prevent unnecessary blacklisting due to SPAM, we reserve the right to drop the section of IP space identified by SPAM or denial-of-service complaints if it is clear that the offending activity is causing harm to parties on the Internet, if open relays are on the hosted network, or if denial of service attacks are originated from the hosted network.
  • Internet Relay Chat (IRC): The use of IRC on a hosted server is prohibited.
  • Open or "anonymous" proxy: Use of open or anonymous proxy servers is prohibited.
  • Crypto mining: Using any portion of the Hosted Services for mining cryptocurrency, or using any bandwidth or processing power made available by or through a Hosted Service for mining cryptocurrency, is prohibited.
  • Hosting spammers: The hosting of websites or services using a hosted server that supports spammers, or which causes (or is likely to cause) our IP space or any IP space allocated to us or our customers to be listed in any of the various SPAM databases, is prohibited. Customers violating this policy will have their server immediately removed from our network and the server will not be reconnected until such time that the customer agrees to remove all traces of the offending material immediately upon reconnection and agrees to allow CMIT Solutions to access the server to confirm that all material has been completely removed. Any subscriber guilty of a second violation may be immediately and permanently removed from the hosted network for cause and without prior notice.
  • Email/message forging: Forging any email message header, in part or whole, is prohibited.
  • Unauthorized access: Use of the Hosted Services to access, or to attempt to access, the accounts of others or to penetrate, or attempt to penetrate, CMIT Solutions' security measures or the security measures of another entity's network or electronic communications system, whether or not the intrusion results in the corruption or loss of data, is prohibited. This includes but is not limited to accessing data not intended for you, logging into or making use of a server or account you are not expressly authorized to access, or probing the security of other networks, as well as the use or distribution of tools designed for compromising security such as password guessing programs, cracking tools, or network probing tools.
  • IP infringement: Use of a Hosted Service to transmit any materials that infringe any copyright, trademark, patent, trade secret or other proprietary rights of any third party, is prohibited.
  • Collection of personal data: Use of a Hosted Service to collect, or attempt to collect, personal information about third parties without their knowledge or consent is prohibited.
  • Network disruptions and sundry activity: Use of the Hosted Services for any activity which affects the ability of other people or systems to use the Hosted Services or the internet is prohibited. This includes "denial of service" (DOS) attacks against another network host or individual, "flooding" of networks, deliberate attempts to overload a service, and attempts to "crash" a host.
  • Distribution of malware: Intentional distribution of software or code that attempts to and/or causes damage, harassment, or annoyance to persons, data, and/or computer systems is prohibited.
  • Excessive use or abuse of shared resources: The Hosted Services depend on shared resources. Excessive use or abuse of these shared network resources by one customer may have a negative impact on all other customers. Misuse of network resources in a manner which impairs network performance is prohibited. You are prohibited from excessive consumption of resources, including CPU time, memory, and session time. You may not use resource-intensive programs which negatively impact other customers or the performance of our systems or networks.
  • Allowing the misuse of your account: You are responsible for any misuse of your account, even if the inappropriate activity was committed by an employee or independent contractor. You shall not permit your hosted network, through action or inaction, to be configured in such a way that gives a third party the capability to use your hosted network in an illegal or inappropriate manner. You must take adequate security measures to prevent or minimize unauthorized use of your account. It is your responsibility to keep your account credentials secure.

To maintain the security and integrity of the hosted environment, we reserve the right, but not the obligation, to filter content, CMIT Solutions requests, or website access for any web requests made from within the hosted environment.

Revisions to this AUP: We reserve the right to revise or modify this AUP at any time. Changes to this AUP shall not be grounds for early contract termination or non-payment.