Client Security Responsibilities and Prerequisites 

The security and effectiveness of managed services require Client's active participation. The following responsibilities are non-delegable duties and Client Security Prerequisites (collectively, "Prerequisites") for service delivery. Client's failure to maintain these requirements may result in service degradation, security vulnerabilities, and releases Decypher from related service obligations. Client acknowledges that the efficacy of Decypher's Security Measures (as detailed in DPA) is  contingent upon Client fulfilling these Prerequisites 

(a) Physical and Logical Access Control 

Client Shall: 

1. Implement reasonable physical security controls for all managed equipment. 
2. Restrict physical access to all managed equipment (servers, workstations, network hardware) to authorized personnel 
3. Maintain locked server rooms/network closets with documented access logs 

Note: Without adequate physical security, Decypher cannot ensure logical security controls remain effective. Physical breaches resulting from Client's failure to implement or maintain these controls void related service commitments and may result in exclusion of insurance coverage. 

(b) Administrative Access Management 

Client Shall: 

1. Implement and enforce Multi-Factor Authentication (MFA) for all administrative and privileged accounts, and for all users accessing information systems containing customer information. 
2. Maintain exclusive administrative credentials for Decypher's use 
3. NOT share administrative passwords with third parties without written notification 
4. NOT create additional administrative accounts without Decypher approval 
5. Immediately report any suspected credential compromise 
6. Follow Decypher's recommendations for privilege management 

Note: Unauthorized administrative access by third parties or failure to implement and maintain mandatory Multi-Factor Authentication (MFA) releases Decypher from all liability for system changes, security incidents, or service disruptions. 

(c) Security Awareness and Training 

Client Shall: 

1. Ensure all personnel authorized to process Personal Data complete security awareness training 
2. Promptly report suspicious activities or Security Incidents through designated channels 
3. Follow established security policies and procedures 
4. NOT attempt to circumvent security controls 
5. Participate in security exercises if requested (e.g., phishing simulations) 

Note: Client's failure to participate in security training or follow security practices negates Decypher's responsibility for user-initiated security incidents. 

(d) Audit and Assessment Support 

Client Acknowledges and Agrees: 

1. Decypher’s security program is designed with consideration of recognized industry frameworks (e.g., SOC 2) and that Client’s audit requirements may be satisfied by Processor's provision of a current SOC 2 Type II report or relevant excerpts 
2. Decypher may conduct security assessments as part of service delivery 
3. Client will provide reasonable access for assessment activities 
4. Information discovered during assessments may require remediation 
5. Client bears costs for remediating pre-existing vulnerabilities 
6. Assessment schedules are at Decypher's discretion 

Note: Decypher's assessment activities are for service delivery purposes only, not comprehensive security audits or compliance validation. Client remains solely responsible for conducting its own written risk assessment that incorporates the risks associated with using the Service. 

(e) Reporting and Communication 

Client Must: 

1. Report security concerns, including suspected Security Incidents, immediately through designated channels only. 
2. Provide timely responses to security-related inquiries to enable Decypher to meet its twenty-four (24) hour initial notification deadline 
3. Designate authorized contacts for security matters 
4. Report security concerns through designated channels only 
5. Provide timely responses to security-related inquiries 
6. NOT publicly disclose security vulnerabilities without coordination 
7. Maintain current contact information for emergency notifications 

Note: Delayed or improper reporting may impact Decypher's ability to respond effectively and void response time commitments. 

(f) Minimum Environmental Standards 

Client Maintains: 

1. All hardware under current manufacturer support 
2. Licensed, genuine software only 
3. Minimum bandwidth and connectivity as specified 
4. Compatible, supported operating systems 
5. Current firmware on network devices 

Note: Decypher may exclude non-compliant devices from service scope or require remediation at Client's expense. 

Consequences of Non-Cooperation 

If Client fails to maintain these requirements: 

1. Service Degradation Accepted: Client accepts that services may not function as designed 
2. Security Risks Assumed: Client assumes all risks from their non-compliance 
3. Liability Released: Decypher is released from liability for related incidents to the extent that such incident arises from or is related to Client's failure to maintain the Client Security Prerequisites, including failure to follow documented security Advice or remediate documented deficiencies. 
4. Additional Costs: Remediation efforts billable at standard hourly rates 
5. Service Suspension Rights: Modification: Decypher may suspend affected services upon notice or immediately without notice if Client non-compliance creates an unacceptable security risk or compliance violation. 
6. Compliance Impact: Client's compliance certifications or attestations may be affected 

 

Mutual Cooperation Framework: While Decypher implements technical controls, security effectiveness requires Client cooperation. This shared responsibility model means: 

• Decypher provides tools and configurations; Client ensures proper use 
• Decypher implements technical controls; Client maintains physical security 
• Decypher monitors for threats; Client reports suspicious activity 
• Decypher maintains service infrastructure; Client maintains endpoints 

No guarantee exists that controls will remain effective if Client: 

• Fails to maintain described responsibilities 
• Modifies configurations without approval 
• Delays critical security updates 
• Ignores security recommendations 
• Provides access to unauthorized partie 

Client explicitly acknowledges that security frameworks like SOC 2 assume certain environmental conditions and user behaviors. Deviation from these assumptions may render controls ineffective despite Decypher's compliance status. SOC 2 attestation or other certifications by Decypher does not guarantee specific security outcomes or prevent all Security Incidents. 

Fees 

The fees for the Services will be as indicated in the Quote. 

Reconciliation. Fees for certain Third-Party Services that we facilitate or resell to you may begin to accrue prior to the “go-live” date of other applicable Services. (For example, Microsoft Azure or AWS-related fees begin to accrue on the first date on which we start creating and/or configuring certain hosted portions of the Environment; however, the Services that rely on Microsoft Azure or AWS may not be available to you until a future date). You understand and agree that you will be responsible for the payment of all fees for Third Party Services that are required to begin prior to the “go-live” date of Services, and we reserve the right to reconcile amounts owed for those fees by including those fees on your monthly invoices. 

Changes to Environment. Initially, you will be charged the monthly fees indicated in the Quote. Thereafter, if the managed environment changes, or if the number of authorized users accessing the managed environment changes, then you agree that the fees will be automatically and immediately modified to accommodate those changes.  

Pass-Through Increases. We reserve the right to pass through to you any incremental increases in the costs and/or fees for Third Party Services ("Pass Through Increases"). We will endeavor to provide you with at least thirty (30) days advance notice of such increases where possible. 

Payment Method Surcharges. The fees listed in a Quote assume that all payments will be made via ACH, check, or debit card. If you elect to pay by credit card, we reserve the right to charge a credit card processing surcharge, which shall not exceed the actual merchant discount fee that we incur in processing the transaction. This fee is 3% for transactions using Mastercard and Visa, and 3.5% for transactions using American Express. This surcharge does not apply to payments made by ACH. 

Travel Time. If onsite services are provided, one-way travel will be charged up to 60 minutes from our office to your location. Time spent traveling beyond 60 minutes (e.g., locations that are beyond 60 minutes from our office, occasions on which traffic conditions extend our drive time beyond 60 minutes one-way, etc.) will be billed to you as a round-trip charge at our then current hourly rates.  In addition, you will be billed for all tolls, parking fees, and related expenses that we incur if we provide onsite services to you. 

Mobilization Fee. Fee to standardize and streamline the costs associated with having a technician onsite. Our goal is to ensure transparency and consistency in what you can expect when our team arrives to assist you. Here is what the mobilization fee covers: 

Rising Operational Costs: To ensure that we continue to offer reliable and efficient service, we need to adjust how we cover these expenses. 

Focused Resource Allocation: The mobilization fee helps us allocate resources more effectively. This fee directly supports the costs associated with dispatching our skilled technicians to your location, including transportation and time. 

Maintaining Quality Service: By implementing this fee, we can avoid raising our hourly service rates, which allows us to continue providing the same high level of expertise and support that you expect from us without compromising on service quality. 

Please note that this mobilization fee is waived for our Managed Service clients. Managed service clients will not see this fee on their invoices for work covered under their agreements 

Appointment Cancellations. You may cancel or reschedule any appointment with us at no charge by providing us with notice of cancellation at least one business day in advance. If we do not receive timely a notice of cancellation/re-scheduling, or if you are not present at the scheduled time or if we are otherwise denied access to your premises at a pre-scheduled appointment time, then you agree to pay us a cancellation fee equal to two (2) hours of our normal consulting time (or non-business hours consulting time, whichever is appropriate), calculated at our then-current hourly rates. 

Access Licensing. One or more of the Services may require us to purchase certain “per seat” or “per device” licenses (often called “Access Licenses”) from one or more Third Party Providers. (Microsoft “New Commerce Experience” licenses as well as Cisco Meraki “per device” licenses are examples of Access Licenses.) Access Licenses cannot be canceled once they are purchased and often cannot be transferred to any other customer. For that reason, you understand and agree that regardless of the reason for termination of the Services, fees for Access Licenses are non-mitigatable and you are required to pay for all applicable Access Licenses in full for the entire term of those licenses. This requirement is independent of the termination date and remains subject to the terms of the Master Services Agreement. Provided that you have paid for the Access Licenses in full, you will be permitted to use those licenses until they expire. 

Security Incident Response Fees. You acknowledge that basic Security Incident notification and statutory cooperation are included in your Base Fees, but the following services are Out-of-Scope Services and subject to additional charges at our then-current hourly rates or as specified in the Quote: Forensic investigation and root cause analysis; Remediation and recovery services beyond initial containment; Coordination with law enforcement or regulatory authorities; Preparation of detailed incident reports for insurance or compliance purposes; and Extended monitoring or implementation of additional security measures post-incident. 

Compliance Assessment and Audit Support Fees. If you require our assistance with compliance assessments, regulatory audits (including SOC 2, HIPAA, or PCI-DSS), or Data Subject Requests (DSRs) that necessitate significant effort or resources, such services will be provided at our then-current hourly rates unless specifically included in your Quote. This includes: Preparation of custom compliance documentation; Assistance with audit responses or evidence collection; and Responding to Legal Requests or subpoenas related to Client Data. 

Offboarding and Data Deletion Fees. Unless expressly stated in a Quote, Offboarding Services (i.e., services required to transition managed services or data to a different provider) are Out-of-Scope Services. These services will be provided on a time and materials basis at our then-current hourly rates and include the retrieval of passwords, conversion of data beyond standard formats, system decommissioning, documentation, and transition support to an incoming provider. 

Term; Termination 

The Services will commence, and billing will begin, on the date indicated in the Quote (“Commencement Date”) and will continue through the initial term listed in the Quote (“Initial Term”). We reserve the right to delay the Commencement Date until all onboarding/transition services (if any) are completed, and all deficiencies / revisions identified in the onboarding process (if any) are addressed or remediated to Decypher’s satisfaction.  

The Services will continue through the Initial Term until terminated as provided in the Agreement, the Quote, or as indicated in this Service Guide (the “Service Term”). 

Per Seat/Per Device Licensing: Regardless of the reason for the termination of the Services, you will be required to pay for all per seat or per device licenses that we acquire on your behalf. Please see “Access Licensing” in the Fees section above for more details. 

Automatic Renewal and Required Notices 
Unless otherwise expressly stated in the Quote, the Services will automatically renew for successive terms equal to twelve (12) months unless either party provides written notice of non-renewal at least sixty (60) days prior to the end of the then-current term. 

Auto-Renewal Notice Requirement: For all contracts which requires us by law to send renewal notice, Decypher will send Client a written renewal reminder notice in compliance with the said law. 

If Client provides any notice of intent to cancel in response to our renewal reminder as required by law, we will honor such cancellation even if received less than sixty (60) days before renewal. 

Removal of Software Agents; Return of Hardware; Return of Firewall & Backup Appliances: Unless we expressly direct you to do so, you will not remove or disable, or attempt to remove or disable, any software agents that we installed in the managed environment or any of the devices on which we installed software agents. Doing so without our guidance may make it difficult or impracticable to remove the software agents, which could result in network vulnerabilities and/or the continuation of license fees for the software agents for which you will be responsible, and/or the requirement that we remediate the situation at our then-current hourly rates, for which you will also be responsible.  Depending on the particular software agent and the costs of removal, we may elect to keep the software agent in the managed environment but in a dormant and/or unused state. 

Within ten (10) days after being directed to do so, you must remove, package and ship, at your expense and in a commercially reasonable manner, all hardware, equipment, and accessories leased, loaned, rented, or otherwise provided to you by Decypher.  If you fail to timely return all such equipment to us, or if the equipment is returned to us damaged (normal wear and tear excepted), then we will have the right to charge you, and you hereby agree to pay, the replacement value of all such unreturned or damaged equipment. 

Data Deletion and Offboarding Mandates: Upon termination of the Agreement or Services, and upon your written request, we shall, at your election, either return all Personal Data to you in a commonly used, machine-readable format or securely delete all Personal Data in accordance with industry standards. Processor shall complete the return or deletion within thirty (30) days of receiving Controller's written instruction. We may retain Personal Data only to the extent required by Applicable Data Protection Laws or if retained as part of routine, secure backup systems. We shall provide you with a written certification of deletion upon request. 

Offboarding Scope and Fees: Offboarding services, data conversion beyond standard formats, system decommissioning, documentation, and transition support to an incoming provider are Out-of-Scope Services. Such additional services, if requested, will be provided on a time and materials basis at Processor's then-current hourly rates. We reserve the right to refrain from providing or engaging in Offboarding Services if your account is in default or you fail to pay any upfront costs that we may require prior to the commencement of such services. 

Offboarding 

Offboarding services are required to facilitate the transition of services to another provider or the cessation of services. Unless expressly stated in a Quote, the following Offboarding Services are Out-of-Scope Services and subject to additional charges on a time and materials basis at our then-current hourly rates. 

1. Removal / disabling of monitoring agents in the Environment. 
2. Removal / disabling of endpoint software from the Environment.  
3. Removal / disabling of Microsoft 365 from the Environment (unless the licenses for Microsoft 365 are being transferred to your incoming provider; please speak to your technician for details.) 
4. Termination of SQL or Remote Desktop licenses provided by Decypher. 
5. Removal of credentials from the Environment. 
6. Removal of backup software from the Environment.  
7. Retrieval and provision of passwords, log files, administrative server information, or conversion of data beyond standard formats. 
8. System decommissioning. 
9. Documentation of current system configurations. 
10. Transition support to an incoming provider.  
11. License transfers or domain name transfers. 

Upon termination of the Agreement or Services, and upon your written request, we shall, at your election: 

1. Return all Personal Data to you in a commonly used, machine-readable format 
2. Securely delete all Personal Data in accordance with industry standards 

Processor shall complete the return or deletion within thirty (30) days of receiving Controller's written request. We shall provide you with a written certification of deletion upon request. 

We may retain Personal Data only to the extent required by Applicable Data Protection Laws or if retained as part of routine, secure backup systems. Any retained data remains subject to the security and confidentiality obligations of the DPA. 

We reserve the right, and you hereby agree, that we may refrain from providing or engaging in Offboarding Services if your account is in default, or you fail to pay any upfront costs that we may require prior to the commencement of such services. 

Removal/disabling of software agents will be performed by Decypher. You will not remove or disable agents without our express direction, as doing so may result in network vulnerabilities and/or the continuation of non-mitigatable license fees for which you will be responsible. 

Additional Policies 

The following additional policies (“Policies”) apply to Services that we provide or facilitate under a Quote and form a binding part of the overall Agreement. By accepting a Service for which one or more of the Policies apply, you agree to the applicable Policy and acknowledge that these Policies reinforce the contractual limitations set forth in the Master Services Agreement. 

Authenticity 

Everything in the managed environment must be genuine and licensed, including all hardware, software, etc. If we ask for proof of authenticity and/or licensing, you must provide us with such proof. All minimum hardware or software requirements as indicated in a Quote, or this Services Guide (“Minimum Requirements”) must be implemented and maintained as an ongoing requirement of us providing the Services to you.  

Monitoring Services; Alert Services 

Unless otherwise indicated in the Quote, all monitoring and alert-type services are limited to detection and notification functionalities only. Monitoring levels will be set by Decypher, and Client shall not modify these levels without our prior written consent. 

Configuration of Third-Party Services 

Certain third-party services provided to you under a Quote may provide you with administrative access through which you could modify the configurations, features, and/or functions (“Configurations”) of those services. However, any modifications of Configurations made by you without authorization could disrupt the Services and/or cause a significant increase in the fees charged for those third-party services. For that reason, we strongly advise you to refrain from changing the Configurations unless we authorize those changes. You will be responsible for paying any increased fees or costs arising from or related to changes to the Configurations, and any unauthorized changes shall constitute a failure to maintain Client Security Prerequisites, releasing Decypher from liability for resulting security incidents or downtime. 

  

Modification of Environment 

Changes made to the Environment without our prior authorization or knowledge may have a substantial, negative impact on the provision and effectiveness of the Services and may impact the fees charged under the Quote. You agree to refrain from moving, modifying, or otherwise altering any portion of the Environment without our prior knowledge or consent. For example, you agree to refrain from adding or removing hardware from the Environment, installing applications on the Environment, or modifying the configuration or log files of the Environment without our prior knowledge or consent. 

  

Anti-Virus; Anti-Malware 

Our anti-virus / anti-malware solution will generally protect the Environment from becoming infected with new viruses and malware (“Malware”); however, Malware that exists in the Environment at the time that the security solution is implemented may not be capable of being removed without additional services, for which a charge may be incurred. We do not warrant or guarantee that all Malware will be detected, avoided, or removed, or that any data erased, corrupted, or encrypted by Malware will be recoverable. To improve security awareness, you agree that Decypher or its designated third-party affiliate may transfer information about the results of processed files, information used for URL reputation determination, security risk tracking, and statistics for protection against spam and malware. Any information obtained in this manner does not and will not contain any personal or confidential information.  

  

Breach/Cyber Security Incident Recovery 

Unless otherwise expressly stated in the Quote, the scope of the Services does not include the remediation and/or recovery from a Security Incident (defined below). Such services, if requested by you, will be provided on a time and materials basis under our then-current hourly labor rates. Initial incident response and notification when required by law includes (i) Immediate containment measures (ii) Initial assessment of scope (iii) Client notification within required timeframes (iv) Coordination with Client's response team and (v) Basic remediation guidance. Given the varied number of possible Security Incidents, we cannot and do not warrant or guarantee (i) the amount of time required to remediate the effects of a Security Incident (or that recovery will be possible under all circumstances), or (ii) that all data or systems impacted by the incident will be recoverable or remediated.  For the purposes of this paragraph, a Security Incident means any unauthorized or impermissible access to or use of the Environment, or any unauthorized or impermissible disclosure of Client’s confidential information (such as user names, passwords, etc.), that (i) compromises the security or privacy of the information or applications in, or the structure or integrity of, the managed environment, or (ii) prevents normal access to the managed environment, or impedes or disrupts the normal functions of the managed environment. 

Environmental Factors  

Exposure to environmental factors, such as water, heat, cold, or varying lighting conditions, may cause installed equipment to malfunction. Unless expressly stated in the Quote, we disclaim all warranties (express or implied) that installed equipment will operate error-free or in an uninterrupted manner, and Decypher shall not be liable for failures or losses caused by physical or environmental factors beyond our direct control. 

  

Fair Usage Policy 

Our Fair Usage Policy (“FUP”) applies to all services that are described or designated as “unlimited” or which are not expressly capped in the number of available usage hours per month. An “unlimited” service designation means that, subject to the terms of this FUP, you may use the applicable service as reasonably necessary for you to enjoy the use and benefit of the service without incurring additional time-based or usage-based costs. However, unless expressly stated otherwise in the Quote, all unlimited services are provided during our normal business hours only and are subject to our technicians’ availability, which cannot always be guaranteed. In addition, we reserve the right to assign our technicians as we deem necessary to handle issues that are more urgent, critical, or pressing than the request(s) or issue(s) reported by you. Consistent with this FUP, you agree to refrain from (i) creating urgent support tickets for non-urgent or non-critical issues, (ii) requesting excessive support services that are inconsistent with normal usage patterns in the industry (e.g., requesting support in lieu of training), (iii) requesting support or services that are intended to interfere, or may likely interfere, with our ability to provide our services to our other customers.   

Hosted Email 

You are solely responsible for the proper use of any hosted email service provided to you (“Hosted Email”).  

Hosted Email solutions are subject to acceptable use policies (“AUPs”), and your use of Hosted Email must comply with those AUPs—including ours. In all cases, you agree to refrain from uploading, posting, transmitting or distributing (or permitting any of your authorized users of the Hosted Email to upload, post, transmit or distribute) any prohibited content, which is generally content that (i) is obscene, illegal, or intended to advocate or induce the violation of any law, rule or regulation, or (ii) violates the intellectual property rights or privacy rights of any third party, or (iii) mischaracterizes you, and/or is intended to create a false identity or to otherwise attempt to mislead any person as to the identity or origin of any communication, or (iv)  interferes or disrupts the services provided by Decypher or the services of any third party, or (v) contains Viruses, trojan horses or any other malicious code or programs.  In addition, you must not use the Hosted Email for the purpose of sending unsolicited commercial electronic messages (“SPAM”) in violation of any federal or state law. Decypher reserves the right, but not the obligation, to suspend Client’s access to the Hosted Email and/or all transactions occurring under Client’s Hosted Email account(s) if Decypher believes, in its discretion, that Client’s email account(s) is/are being used in an improper or illegal manner.  

  

Backup (BDR) Services 

All data transmitted over the Internet may be subject to malware and computer contaminants such as viruses, worms and trojan horses, as well as attempts by unauthorized users, such as hackers, to access or damage Client’s data. Neither Decypher nor its designated affiliates will be responsible for the outcome or results of such activities.  

BDR services require a reliable, always-connected internet solution. Data backup and recovery time will depend on the speed and reliability of your internet connection. Internet and telecommunications outages will prevent the BDR services from operating correctly. In addition, all computer hardware is prone to failure due to equipment malfunction, telecommunication-related issues, etc., for which we will be held harmless. Due to technology limitations, all computer hardware, including communications equipment, network servers and related equipment, has an error transaction rate that can be minimized, but not eliminated. Decypher cannot and does not warrant that data corruption or loss will be avoided, and Client agrees that Decypher shall be held harmless if such data corruption or loss occurs.  Client is strongly advised to keep a local backup of all of stored data to mitigate against the unintentional loss of data. 

Procurement 

Equipment and software procured by Decypher on Client’s behalf (“Procured Equipment”) may be covered by one or more manufacturer warranties, which will be passed through to Client to the greatest extent possible. By procuring equipment or software for Client, Decypher does not make any warranties or representations regarding the quality, integrity, or usefulness of the Procured Equipment. Certain equipment or software, once purchased, may not be returnable or, in certain cases, may be subject to third party return policies and/or re-stocking fees, all of which shall be Client’s responsibility in the event that a return of the Procured Equipment is requested. Decypher is not a warranty service or repair center.  Decypher will facilitate the return or warranty repair of Procured Equipment; however, Client understands and agrees that (i) the return or warranty repair of Procured Equipment is governed by the terms of the warranties (if any) governing the applicable Procured Equipment, for which Decypher will be held harmless, and (ii) Decypher is not responsible for the quantity, condition, or timely delivery of the Procured Equipment once the equipment has been tendered to the designated shipping or delivery courier. 

  

Business Review / IT Strategic Planning Meetings 

We strongly suggest that you participate in business review/strategic planning meetings as may be requested by us from time to time. These meetings are intended to educate you about recommended (and potentially crucial) modifications to your IT environment, as well as to discuss your company’s present and future IT-related needs. These reviews can provide you with important insights and strategies to make your managed IT environment more efficient and secure. You understand that by suggesting a particular service or solution, we are not endorsing any specific manufacturer or service provider.  

  

VCTO or VCIO Services 

The advice and suggestions provided by us in our capacity as a virtual chief technology or information officer (if applicable) will be for your informational and/or educational purposes only. Decypher will not hold an actual director or officer position in Client’s company, and we will neither hold nor maintain any fiduciary relationship with Client. Under no circumstances shall Client list or place Decypher on Client’s corporate records or accounts. Client is advised to consult its own legal resources before relying on any advice or recommendations made by Decypher that pertain to or impact Applicable Laws. 

  

Sample Policies, Procedures. 

From time to time, we may provide you with sample (i.e., template) policies and procedures for use in connection with Client’s business (“Sample Policies”). The Sample Policies are for your informational use only, and do not constitute or comprise legal or professional advice, and the policies are not intended to be a substitute for the advice of competent counsel.  You should seek the advice of competent legal counsel prior to using or distributing the Sample Policies, in part or in whole, in any transaction.  We do not warrant or guarantee that the Sample Policies are complete, accurate, or suitable for your (or your customers’) specific needs, or that you will reduce or avoid liability by utilizing the Sample Policies in your (or your customers’) business operations. 

  

Penetration Testing; Vulnerability Scanning 

You understand and agree that security devices, alarms, or other security measures, both physical and virtual, may be tripped or activated during the penetration testing and/or vulnerability scanning processes, despite our efforts to avoid such occurrences. You will be solely responsible for notifying any monitoring company and all law enforcement authorities of the potential for “false alarms” due to the provision of the penetration testing or vulnerability scanning services, and you agree to take all steps necessary to ensure that false alarms are not reported or treated as “real alarms” or credible threats against any person, place, or property.  Some alarms and advanced security measures, when activated, may cause the partial or complete shutdown of the Environment, causing substantial downtime and/or delay to your business activities. We will not be responsible for any claims, costs, fees, or expenses arising or resulting from (i) any response to the penetration testing or vulnerability scanning services by any monitoring company or law enforcement authorities, or (ii) the partial or complete shutdown of the Environment by any alarm or security monitoring device.  

  

No Third-Party Scanning 

Unless we authorize such activity in writing, you will not conduct any test, nor request or allow any third party to conduct any test (diagnostic or otherwise), of the security system, protocols, processes, or solutions that we implement in the managed environment (“Testing Activity”). Unauthorized Testing Activity poses an unacceptable security risk, constitutes a failure to comply with Client Security Prerequisites, and violates the mutual cooperation framework. Any services required to diagnose or remediate errors, issues, or problems arising from unauthorized Testing Activity are not covered under the Quote, and if you request us (and we elect) to perform those services, those services will be billed to you at our then-current hourly rates. 

  

Obsolescence 

If at any time any portion of the managed environment becomes outdated, obsolete, reaches the end of its useful life, or acquires “end of support” status from the applicable device’s or software’s manufacturer (“Obsolete Element”), then we may designate the device or software as “unsupported” or “non-standard” and require you to update the Obsolete Element within a reasonable time period.  If you do not replace the Obsolete Element reasonably promptly, then in our discretion we may (i) continue to provide the Services to the Obsolete Element using our “best efforts” only with no warranty or requirement of remediation whatsoever regarding the operability or functionality of the Obsolete Element, or (ii) eliminate the Obsolete Element from the scope of the Services by providing written notice to you (email is sufficient for this purpose).  In any event, we make no representation or warranty whatsoever regarding any Obsolete Element or the deployment, service level guarantees, or remediation activities for any Obsolete Element.  

  

Licenses 

If we are required to re-install or replicate any software provided by you as part of the Services, then it is your responsibility to verify that all such software is properly licensed. We reserve the right, but not the obligation, to require proof of licensing before installing, re-installing, or replicating software into the managed environment. The cost of acquiring licenses is not included in the scope of the Quote unless otherwise expressly stated therein. 

  

VOIP – Dialing 911 (Emergency) Services 

The following terms and conditions apply to your use of any VoIP service that we facilitate for you or that is provided to you by a third-party provider of such service. Please note, by using VoIP services you agree to the provisions of the waiver at the end of this section. If you do not understand or do not agree with any of the terms below, you must not subscribe to, use, or rely upon any VoIP service and, instead, you must contact us immediately. 

There is an important difference in how 9-1-1 (i.e., emergency) services can be dialed using a VoIP service as compared to a traditional telephone line. Calling emergency services using a VoIP service is referred to as “E911.” 

Registration: You are responsible for activating the E911 dialing feature by registering the address where you will use the VoIP service. This will not be done for you, and you must take this step on your own initiative. To do this, you must log into your VoIP control panel and provide a valid physical address. If you do not take this step, then E911 services may not work correctly, or at all, using the VoIP service. Emergency service dispatchers will only send emergency personnel to a properly registered E911 service address. 

Location: The address you provide in the control panel is the location to which emergency services (such as the fire department, the police department, etc.) will respond. For this reason, it is important that you correctly enter the location at which you are using the VoIP services. PO boxes are not proper addresses for registration and must not be used as your registered address. Please note, even if your account is properly registered with a correct physical address, (i) there may be a problem automatically transmitting a caller's physical location to the emergency responders, even if the caller can reach the 911 call center, and (ii) a VoIP 911 call may go to an unstaffed call center administrative line or be routed to a call center in the wrong location. These issues are inherent to all VoIP systems and services. We will not be responsible for, and you agree to hold us harmless from, any issues, problems, incidents, damages (both bodily- and property-related), costs, expenses, and fees arising from or related to your failure to register timely and correctly your physical location information into the control panel. 

Address Change(s): If you change the address used for E911 calling, the E911 services may not be available and/or may operate differently than expected. Moreover, if you do not properly and promptly register a change of address, then emergency services may be directed to the location where your services are registered and not where the emergency may be occurring. For that reason, you must register a change of address with us through the VoIP control panel no less than three (3) business days prior to your anticipated move/address change. Address changes that are provided to us with less than three (3) business days notice may cause incorrect/outdated information to be conveyed to emergency service personnel.  If you are unable to provide us with at least three (3) business days notice of an address change, then you should not rely on the E911 service to provide correct physical location information to emergency service personnel.  Under those circumstances, you must provide your correct physical location to emergency service dispatchers if you call them using the VoIP services. 

If you do not register the VoIP service at your location and you dial 9-1-1, that call will be categorized as a “rogue 911 call.” If you are responsible for dialing a rogue 911 call, you will be charged a non-refundable and non-disputable fee of $250/call.  

Power Loss: If you lose power or there is a disruption to power at the location where the VoIP services are used, then the E911 calling service will not function until power is restored. You should also be aware that after a power failure or disruption, you may need to reset or reconfigure the device prior to utilizing the service, including E911 dialing. 

Internet Disruption: If your internet connection or broadband service is lost, suspended, terminated or disrupted, E911 calling will not function until the internet connection and/or broadband service is restored. 

Account Suspension: If your account is suspended or terminated, then all E911 dialing services will not function.  

Network Congestion: There may be a greater possibility of network congestion and/or reduced speed in the routing of E911 calls as compared to 911 dialing over traditional public telephone networks. 

WAIVER:  You hereby agree to release, indemnify, defend, and hold us and our officers, directors, representatives, agents, and any third party service provider that furnishes VoIP-related services to you, harmless from any and all claims, damages, losses, suits or actions, fines, penalties, costs and expenses (including, but not limited to, attorneys’ fees), whether suffered, made, instituted or asserted by you or by any other party or person (collectively, “Claims”) arising from or related to the VoIP services, including but not limited to any failure or outage of the VoIP services, incorrect routing or use of, or any inability to use, E911 dialing features. The foregoing waiver and release shall not apply to Claims arising from our gross negligence, recklessness, or willful misconduct.  

Acceptable Use Policy 

The following policy applies to all hosted services provided to you, including but not limited to (and as applicable) hosted applications, hosted websites, hosted email services, and hosted infrastructure services (“Hosted Services”). 

Decypher does not routinely monitor the activity of hosted accounts except to measure service utilization and/or service uptime, security-related purposes and billing-related purposes, and as necessary for us to provide or facilitate our managed services to you; however, we reserve the right to monitor Hosted Services at any time to ensure your compliance with the terms of this Acceptable Use Policy (this “AUP”) and our master services agreement, and to help monitor and ensure the safety, integrity, reliability, or security of the Hosted Services. 

Similarly, we do not exercise editorial control over the content of any information or data created on or accessible over or through the Hosted Services. Instead, we prefer to advise our customers of inappropriate behavior and any necessary corrective action. If, however, Hosted Services are used in violation of this AUP, then we reserve the right to suspend your access to part or all of the Hosted Services without prior notice.  

Violations of this AUP: The following constitute violations of this AUP:  

• Harmful or illegal uses: Use of a Hosted Service for illegal purposes or in support of illegal activities, to cause harm to minors or attempt to contact minors for illicit purposes, to transmit any material that threatens or encourages bodily harm or destruction of property or to transmit any material that harasses another is prohibited. 

• Fraudulent activity: Use of a Hosted Service to conduct any fraudulent activity or to engage in any unfair or deceptive practices, including but not limited to fraudulent offers to sell or buy products, items, or services, or to advance any type of financial scam such as “pyramid schemes,” “Ponzi schemes,” and “chain letters” is prohibited. 

• Forgery or impersonation: Adding, removing, or modifying identifying network header information to deceive or mislead is prohibited. Attempting to impersonate any person by using forged headers or other identifying information is prohibited. The use of anonymous remailers or nicknames does not constitute impersonation. 

• SPAM: Decypher has a zero-tolerance policy for the sending of unsolicited commercial email (“SPAM”). Use of a Hosted Service to transmit any unsolicited commercial or unsolicited bulk e-mail is prohibited. You are not permitted to host, or permit the hosting of, sites or information that is advertised by SPAM from other networks. To prevent unnecessary blacklisting due to SPAM, we reserve the right to drop the section of IP space identified by SPAM or denial-of-service complaints if it is clear that the offending activity is causing harm to parties on the Internet, if open relays are on the hosted network, or if denial of service attacks are originated from the hosted network. 

• Internet Relay Chat (IRC): The use of IRC on a hosted server is prohibited. 

• Open or “anonymous” proxy: Use of open or anonymous proxy servers is prohibited. 

• Crypto mining: Using any portion of the Hosted Services for mining cryptocurrency or using any bandwidth or processing power made available by or through a Hosted Services for mining cryptocurrency, is prohibited.  

• Hosting spammers: The hosting of websites or services using a hosted server that supports spammers, or which causes (or is likely to cause) our IP space or any IP space allocated to us or our customers to be listed in any of the various SPAM databases, is prohibited. Customers violating this policy will have their server immediately removed from our network and the server will not be reconnected until such time that the customer agrees to remove all traces of the offending material immediately upon reconnection and agree to allow Decypher to access the server to confirm that all material has been completely removed. Any subscriber guilty of a second violation may be immediately and permanently removed from the hosted network for cause and without prior notice. 

• Email/message forging: Forging any email message header, in part or whole, is prohibited. 

• Unauthorized access: Use of the Hosted Services to access, or to attempt to access, the accounts of others or to penetrate, or attempt to penetrate, Decypher’s security measures or the security measures of another entity's network or electronic communications system, whether or not the intrusion results in the corruption or loss of data, is prohibited. This includes but is not limited to accessing data not intended for you, logging into or making use of a server or account you are not expressly authorized to access, or probing the security of other networks, as well as the use or distribution of tools designed for compromising security such as password guessing programs, cracking tools, or network probing tools.  

• IP infringement: Use of a Hosted Service to transmit any materials that infringe any copyright, trademark, patent, trade secret or other proprietary rights of any third party, is prohibited. 

• Collection of personal data: Use of a Hosted Service to collect, or attempt to collect, personal information about third parties without their knowledge or consent is prohibited. 

• Disruptive Activity: Use of the Hosted Services for any activity which affects the ability of other people or systems to use the Hosted Services, or the internet is prohibited. This includes “denial of service” (DOS) attacks against another network host or individual, “flooding” of networks, deliberate attempts to overload a service, and attempts to “crash” a host. 

• Distribution of malware: Intentional distribution of software or code that attempts to and/or causes damage, harassment, or annoyance to persons, data, and/or computer systems is prohibited. 

• Excessive use or abuse of shared resources: The Hosted Services depend on shared resources. Excessive use or abuse of these shared network resources by one customer may have a negative impact on all other customers. Misuse of network resources in a manner which impairs network performance is prohibited. You are prohibited from excessive consumption of resources, including CPU time, memory, and session time. You may not use resource-intensive programs which negatively impact other customers or the performance of our systems or networks. 

• Allowing the misuse of your account: You are responsible for any misuse of your account, even if the inappropriate activity was committed by an employee or independent contractor. You shall not permit your hosted network, through action or inaction, to be configured in such a way that gives a third party the capability to use your hosted network in an illegal or inappropriate manner. You must take adequate security measures to prevent or minimize unauthorized use of your account. It is your responsibility to keep your account credentials secure. 

To maintain the security and integrity of the hosted environment, we reserve the right, but not the obligation, to filter content, Decypher requests, or website access for any web requests made from within the hosted environment.       

Revisions to this AUP: We reserve the right to revise or modify this AUP at any time. Changes to this AUP shall not be grounds for early contract termination or non-payment provided that any revision shall not materially decrease the overall protection of Personal Data.  

Compliance Monitoring: We may implement automated monitoring for AUP violations and will maintain logs of any violations detected. Repeated violations may result in immediate suspension of services.