Master Services Agreement
This Master Services Agreement (this "Agreement") is entered into as of [Effective Date] by and between CyberGrid ("Provider") and [Customer Legal Name] ("Customer"). Each a "Party"; together the "Parties."
1. Services and Statements of Work
Provider will perform security testing services ("Services") for Customer as described in one or more written Statements of Work ("SoW") executed by both Parties. Each SoW references this Agreement and is incorporated by reference. In the event of conflict between this Agreement and an SoW, the SoW controls, but only as to that specific engagement.
2. Fees and payment
Fees. Customer shall pay fees as set forth in each SoW. Unless otherwise stated, fees are flat-rate and quoted in U.S. dollars. CyberGrid's standard pricing: Automated Security Assessment $1,999/year; Penetration Test $4,999 flat; Retest $1,999 flat.
Invoicing. Provider invoices upon SoW execution (for engagement-based services) or annually (for subscription services). All invoices are due net thirty (30) days from invoice date. Late payments accrue interest at 1.0% per month or the maximum permitted by law, whichever is less.
Taxes. Fees are exclusive of sales, use, and value-added taxes; Customer is responsible for all applicable taxes other than taxes on Provider's net income.
Refunds. Subscription fees are non-refundable but may be cancelled at any time to prevent renewal. Engagement fees are non-refundable once the engagement has commenced.
3. Customer obligations
Customer shall:
- provide written authorization for Provider to test the targets specified in each SoW (Customer represents and warrants it owns or has authority to test the specified targets);
- provide reasonable cooperation, including timely access to environments, accounts, and information necessary for Provider to perform the Services;
- designate a technical point of contact reachable during testing windows; and
- back up its systems and data prior to testing windows.
4. Intellectual property
Customer materials. Customer retains all right, title, and interest in and to its systems, data, code, and any materials it provides to Provider. Provider receives a limited, non-exclusive license to use Customer materials solely for the purpose of performing the Services.
Deliverables. Upon Customer's full payment for an engagement, Provider assigns to Customer all right, title, and interest in the reports, findings, attestations, and other deliverables specifically prepared for Customer under that engagement (collectively, "Deliverables"). Customer owns its Deliverables and may use them for any lawful purpose, including providing them to its customers, auditors, and regulators.
Provider IP. Provider retains all right, title, and interest in its testing tools, methodology, internal templates, know-how, and any pre-existing intellectual property used to perform the Services. Nothing in this Agreement transfers ownership of Provider's IP to Customer.
5. Confidentiality
The Parties' obligations of confidentiality are set forth in the Mutual Non-Disclosure Agreement separately executed between the Parties, which is incorporated by reference. If no such NDA is in place, the confidentiality terms in Exhibit A (attached) apply.
6. Data protection
Where Provider processes personal data on behalf of Customer in performing the Services, the Parties shall execute the Data Processing Addendum available at thecybergrid.com/trust-package, which is incorporated by reference.
7. Warranties and disclaimers
Provider warranty. Provider warrants that the Services will be performed in a professional and workmanlike manner consistent with industry standards. Customer's exclusive remedy for breach of this warranty is, at Provider's option, re-performance of the deficient Services or refund of fees paid for the deficient Services.
Disclaimer. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES AND DELIVERABLES ARE PROVIDED "AS IS" AND PROVIDER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY THAT THE SERVICES WILL IDENTIFY ALL VULNERABILITIES OR SECURITY ISSUES. SECURITY TESTING DETECTS A SUBSET OF POSSIBLE ISSUES; THE ABSENCE OF FINDINGS DOES NOT CONSTITUTE A WARRANTY OF SECURITY.
8. Limitation of liability
IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST DATA, OR LOSS OF GOODWILL, ARISING OUT OF OR RELATED TO THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EACH PARTY'S TOTAL CUMULATIVE LIABILITY UNDER THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION, SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO PROVIDER IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
The limitations in this Section 8 do not apply to: (a) breach of confidentiality obligations; (b) infringement of intellectual property rights; (c) gross negligence or willful misconduct; or (d) indemnification obligations under Section 9.
9. Indemnification
By Provider. Provider shall defend, indemnify, and hold harmless Customer from third-party claims alleging that the Services or Deliverables infringe a U.S. patent, copyright, or trademark, subject to Customer providing prompt notice, sole control of the defense, and reasonable cooperation. This obligation does not apply to claims arising from Customer materials, modifications by Customer, or use of Deliverables in combination with non-Provider materials.
By Customer. Customer shall defend, indemnify, and hold harmless Provider from third-party claims arising from Customer's breach of its representations and warranties (including authorization to test targets), Customer's gross negligence, or Customer's willful misconduct.
10. Term and termination
This Agreement begins on the Effective Date and continues for an initial term of one (1) year, automatically renewing for additional one-year terms unless either Party gives at least thirty (30) days' written notice of non-renewal. Either Party may terminate this Agreement immediately upon written notice if the other Party materially breaches and fails to cure the breach within thirty (30) days of written notice. Sections 4 (Intellectual property), 5 (Confidentiality), 7 (Warranties — disclaimer), 8 (Limitation of liability), 9 (Indemnification), and 11 (Miscellaneous) survive termination.
11. Miscellaneous
Independent contractors. The Parties are independent contractors. Nothing in this Agreement creates an employment, agency, partnership, or joint venture relationship.
Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except that either Party may assign this Agreement to a successor in interest in connection with a merger, acquisition, or sale of substantially all of its assets.
Force majeure. Neither Party is liable for delays or failure to perform due to causes beyond its reasonable control.
Governing law & venue. This Agreement is governed by the laws of the State of [State], without regard to its conflict-of-laws rules. The Parties consent to the exclusive jurisdiction of the state and federal courts located in [County, State].
Notices. Notices under this Agreement must be in writing and delivered by email (with read receipt) to the addresses on the cover page or signature block, or by overnight courier with confirmed delivery.
Entire agreement. This Agreement, together with all executed SoWs and any incorporated NDA / DPA, constitutes the entire understanding of the Parties with respect to the Services and supersedes all prior or contemporaneous communications.
Amendments. Amendments must be in writing and signed by both Parties.
Counterparts & electronic signature. This Agreement may be executed in counterparts. Electronic and digital signatures are valid and binding.
IN WITNESS WHEREOF, the Parties have executed this Master Services Agreement as of the Effective Date.