Legals

Purchase Terms

MASTER SERVICES AGREEMENT

This Master Services Agreement (the “Agreement”) is entered into as of the date on which it is accepted by the Purchaser (the “Effective Date”), by and between:

Kearns Technology Inc.
1655 Dupont Street, Suite 101
Toronto, ON M6P 3T1, Canada
(“KTI”) and

[PURCHASER NAME]
[PURCHASER ADDRESS]
(the “Purchaser”)

The Purchaser acknowledges and agrees that acceptance of a KTI-issued quote, proposal, Statement of Work (“SOW”), Resource Agreement (“RA”), Service Level Agreement (“SLA”), or other engagement document constitutes acceptance of this Agreement. This Agreement establishes the overarching legal, commercial, service, and governance framework under which KTI will provide managed IT, cyber resilience, intelligence, compliance, and related professional services to the Purchaser. All subsequent SOWs, RAs, SLAs, Change Orders, or other engagement documents executed or accepted by the Purchaser are hereby incorporated by reference and governed by the terms of this Agreement. For good and valuable consideration, the sufficiency of which is acknowledged, the Parties agree as follows:

1. DEFINITIONS

1.1 “Agreement” means this Master Services Agreement (“MSA”), together with all Schedules, Statements of Work (“SOWs”), Change Orders, and any other documents expressly incorporated by reference.

1.2 “Backup Services” means any data backup, archival, business continuity, disaster recovery, replication, or redundancy services expressly purchased by the Client under an SOW. Backup Services do not include any backup-related activity not specifically defined in an SOW.

1.3 “Client” means the entity identified in the SOW that is receiving the Services provided by KTI.

1.4 “Client Environment” means all networks, systems, devices, software, data, cloud platforms, and infrastructure owned, managed, or controlled by the Client or its third-party vendors, excluding KTI’s internal systems.

1.5 “Compliance Services” means advisory, monitoring, documentation, evidence support, and governance services purchased under an SOW to support the Client’s compliance programs, including but not limited to: PHIPA, PIPEDA, HIPAA, SOC 2, ISO 27001, NIST, PCI DSS, and other regulatory or standards-based frameworks. Compliance Services do not constitute legal or audit advice.

1.6 “Deliverables” means any work product, reports, configurations, dashboards, software, documentation, or materials developed by KTI for Client under an SOW.

1.7 “Incident” means any actual or suspected cybersecurity compromise, outage, degradation, data loss, unauthorized access, malware event, or similar cyber-related occurrence impacting the Client Environment.

1.8 “KTI” means Kearns Technology Inc., including its employees, contractors, agents, and authorized representatives.

1.9 “Managed Intelligence Services” means KTI’s analytics, threat intelligence, automation insights, AI-driven recommendations, security telemetry interpretation, predictive insights, and operational intelligence services, as identified in the applicable SOW.

1.10 “Quotation” means a written or electronic pricing or service offer issued by KTI and accepted by the Client, including via electronic or click-through acceptance, which forms a binding engagement under this Agreement.

1.11 “Services” means all Managed IT, Managed Intelligence, Cyber Resilience, Backup/BCDR, Compliance, advisory, or professional services provided by KTI under this Agreement or any SOW.

1.12 “Shared Responsibility Model (SRM)” means the allocation of roles, duties, and responsibilities between KTI and the Client regarding cybersecurity, compliance, data protection, AI/automation, and operational outcomes, as defined in this Agreement and any applicable SOW.

1.13 “SOW” or “Statement of Work” means a mutually executed document describing the specific Services, Deliverables, pricing, SLAs, assumptions, and responsibilities applicable to the engagement.

1.14 “Third-Party Services” means any hardware, software, cloud service, licensing, or support provided by any external vendor or provider not controlled by KTI, including but not limited to Kaseya, Datto, Microsoft, and any SaaS provider.

1.15 “Unsupported Systems” means any legacy, end-of-life, unpatched, or vendor-unsupported hardware or software; any systems excluded from monitoring or management under an SOW; or any systems where required access, permissions, or telemetry are unavailable.

2. STRUCTURE OF THE AGREEMENT

2.1 Master Agreement. This Agreement establishes the overarching legal framework under which KTI will provide Services to the Client. Specific Services, Deliverables, service levels, and commercial terms will be defined in one or more engagement documents, including but not limited to: (a) Statements of Work (“SOWs”); (b) Resource Agreements (“RAs”); (c) Service Level Agreements (“SLAs”); and (d) any Change Orders or amendments. Each such document is governed by and subject to this Agreement.

2.2 Statements of Work (SOWs). An SOW describes project-based, outcome-based, advisory, or managed service deliverables. Each SOW must be mutually executed and shall specify, at minimum: (a) the applicable Services and Deliverables; (b) project timelines, responsibilities, and assumptions; (c) pricing, payment terms, and billing frequency; (d) acceptance criteria; and (e) any service-specific obligations or exclusions.

2.3 Resource Agreements (RAs). A Resource Agreement defines the provision of dedicated or fractional personnel resources, including but not limited to: Fractional AI Officer, vCIO, vCISO, or Compliance Officers; technical resources (onsite or remote); analysts, engineers, or project personnel; and advisory or governance roles. Each RA will specify the resource type, allocation model, responsibilities, duration, availability expectations, and commercial terms. RAs do not include project deliverables unless expressly stated.

2.4 Service Level Agreements (SLAs). An SLA defines service commitments applicable to Managed Services, Managed Intelligence Services, Cyber Resilience Services, and/or Compliance Services, including: response and resolution targets; escalation processes; coverage windows and availability; and exclusions and service boundaries. If an SLA is provided for a service, it will be referenced in the applicable SOW or RA.

2.5 Order of Precedence. If there is any conflict between the Agreement documents, the following order shall apply unless expressly stated otherwise: (1) an executed Change Order; (2) the applicable SOW, RA, or SLA (as relevant to the conflict); (3) this Master Services Agreement; and (4) any incorporated schedules, matrices, or appendices. Client purchase orders, procurement documents, or terms attached to payment instruments shall have no effect unless expressly accepted by KTI in writing.

2.6 Change Orders. No changes to an SOW, RA, SLA, or the scope of Services will be binding unless documented in a mutually executed Change Order. KTI has no obligation to perform out-of-scope work until such Change Order is executed.

2.7 Independent Contractor Status. KTI is an independent contractor and will remain so throughout the term of this Agreement. Nothing herein creates a partnership, joint venture, fiduciary relationship, or employment relationship.

2.8 No Exclusivity. Unless explicitly stated in an SOW or RA, this Agreement does not create exclusivity. KTI may provide similar services to other clients, provided it continues to comply with its confidentiality obligations.

3. SCOPE OF SERVICES

3.1 Overview of Services. KTI will provide the Services described in the applicable SOW, Resource Agreement (“RA”), Service Level Agreement (“SLA”), or Change Order. Services may include, without limitation: (a) Managed IT Services; (b) Managed Intelligence Services (analytics, insights, automation, AI-assisted operations); (c) Cyber Resilience Services (monitoring, detection, response assistance, threat management); (d) Compliance Services (advisory, documentation support, evidence preparation, governance); (e) Backup, Business Continuity, and Disaster Recovery (“BCDR”) Services; (f) Project and Professional Services; (g) Resource-based staffing assignments, including fractional or dedicated personnel; and (h) Any other services expressly defined in an SOW or RA.

3.2 Service Limitations. KTI will provide Services on a commercially reasonable efforts basis. Unless explicitly stated in an SOW, RA, or SLA, Services do not include: (a) legal, financial, or regulatory representation; (b) penetration testing or digital forensics; (c) hardware procurement or licensing costs; (d) unsupported system remediation; (e) third-party vendor management beyond reasonable coordination; (f) facilities management or physical security; (g) custom software development; or (h) any task requiring elevated privileges not granted by the Client. Any excluded Services may be provided at KTI’s discretion through a separate SOW or Change Order.

3.3 Adjustments to Services. KTI may modify tools, methods, vendors, or processes used to deliver the Services, provided such modifications do not materially reduce the functionality of the Services. KTI may also discontinue or replace third-party integrations if necessary due to vendor changes, product discontinuation, or security considerations.

3.4 Shared Responsibility Model. Service delivery is governed by the Shared Responsibility Model (“SRM”) incorporated into this Agreement. Each SOW or RA may further clarify specific responsibilities. The Client acknowledges and agrees that, for each Service: (a) KTI is responsible for the duties explicitly assigned to it; (b) the Client is responsible for its own internal controls, decisions, and actions; and (c) third-party vendors are responsible for the functionality and security of their products and platforms. Where responsibilities are not expressly assigned to KTI, they are assumed to be the responsibility of the Client.

3.5 Service Dependencies. Certain Services require the Client to provide or maintain: (a) administrative access to systems, applications, or cloud services; (b) appropriate licensing or subscriptions; (c) functional hardware, software, and network infrastructure; (d) accurate information, documentation, and timely cooperation; (e) environment readiness and required configurations; (f) compliance with security recommendations issued by KTI; and (g) telemetry or log data necessary for monitoring, analytics, or automation. KTI is not responsible for delays, failures, or limitations caused by unavailable or inaccurate client information, missing access, misconfigurations, third-party vendor outages, or unsupported technologies.

3.6 Tools and Platforms. The Services may involve the use of tools, scripts, AI systems, automation, monitoring agents, or third-party platforms selected by KTI. Unless otherwise stated: (a) KTI grants the Client a limited, non-exclusive right to use such tools solely for the term of the Services; (b) such tools are not sold, assigned, or transferred to the Client; and (c) upon termination, all such tools must be removed from Client systems at KTI’s direction.

3.7 Client-Owned Systems. KTI is not responsible for: (a) the performance, security, configuration, or integrity of systems not under its management; (b) data stored outside of monitored systems; (c) unauthorized changes made by Client staff or third parties; or (d) unsupported, end-of-life, or unpatched technologies. Additional effort to work with or around such environments may require a Change Order.

3.8 No Guarantee of Outcomes. Unless expressly stated in writing: (a) KTI does not guarantee the prevention of cybersecurity incidents; (b) KTI does not guarantee regulatory compliance or audit outcomes; (c) KTI does not guarantee uninterrupted system availability; and (d) AI-assisted or intelligence-based outputs are advisory and rely on the accuracy of available data.

4. TERM, TERMINATION, AND SUSPENSION OF SERVICES

4.1 Term of the Agreement. This Agreement begins on the Effective Date and continues until terminated in accordance with this Section 4. Individual SOWs, RAs, and SLAs may have their own defined terms, which will control solely with respect to the applicable engagement.

4.2 Term of SOWs, RAs, and SLAs. Each SOW, RA, or SLA shall specify its own start date, end date, renewal terms, and termination rights. Where no term is stated, the default term shall be twelve (12) months, renewing automatically for additional one-year periods unless either Party provides written notice of non-renewal at least sixty (60) days prior to the renewal date.

4.3 Termination for Convenience. Unless expressly restricted by an SOW, RA, or SLA, either Party may terminate this Agreement or any engagement document for convenience by providing ninety (90) days’ prior written notice. If the Client terminates for convenience, all fees for Services provided up to the date of termination shall remain payable, including any: (a) minimum monthly service fees; (b) committed resource allocations; (c) prepaid licensing or subscription costs; and (d) non-cancelable third-party charges.

4.4 Termination for Cause. Either Party may terminate this Agreement or any engagement document immediately upon written notice if the other Party: (a) materially breaches this Agreement and fails to remedy the breach within thirty (30) days of receiving written notice; (b) engages in unlawful conduct that materially impacts performance or security; (c) becomes insolvent, ceases operations, or enters bankruptcy proceedings; or (d) engages in conduct posing a threat to KTI personnel, systems, or operations.

4.5 Suspension of Services. KTI may suspend Services, without liability, upon written notice to the Client if: (a) the Client fails to pay any undisputed amount within fifteen (15) days after receiving a late-payment notice; (b) the Client’s environment poses a security, compliance, or operational risk to KTI or other clients; (c) required access, information, or cooperation is withheld; (d) the Client engages in abusive, threatening, or unsafe behavior toward KTI personnel; (e) the Client materially violates the Shared Responsibility Model; or (f) third-party licensing or vendor dependencies required for delivery of Services lapse due to Client inaction. Services will resume once the issue is resolved, subject to reasonable reinstatement timelines.

4.6 Effect of Termination. Upon termination or expiration of this Agreement or any engagement document: (a) all fees accrued or incurred up to the termination date become immediately due; (b) KTI will cease all Services; (c) the Client must remove all KTI-provided tools, agents, integrations, scripts, and automation components from the Client Environment; (d) Client access to dashboards, service portals, automations, and intelligence platforms will be revoked; (e) KTI will have no obligation to maintain or store data beyond thirty (30) days, unless required by law or expressly stated otherwise in an SOW; (f) KTI will provide a transition assistance period upon request, billable at its then-current hourly rates.

4.7 Transition Assistance. If the Client requires offboarding support, KTI may provide reasonable transition services, including documentation transfer, vendor coordination, and data export (if applicable). All transition support is billable unless expressly included in the governing SOW or RA.

4.8 Survival of Provisions. The following survive termination or expiration of the Agreement: Confidentiality; Intellectual Property; Payment obligations; Limitation of liability; Indemnities; SRM and regulatory disclaimers; and any other term that by its nature should survive.

5. CLIENT RESPONSIBILITIES

5.1 General Responsibilities. The Client shall cooperate fully with KTI in the delivery of the Services. At a minimum, the Client shall: (a) provide timely access to personnel, systems, applications, and documentation; (b) supply accurate, complete, and up-to-date information; (c) maintain necessary Internet connectivity, power, and environmental conditions; (d) ensure authorized KTI personnel have required privileges to perform the Services; (e) notify KTI promptly of security incidents, outages, anomalies, or suspected misuse; (f) follow all reasonable instructions, recommendations, and security guidance issued by KTI; and (g) engage in timely decision-making and approvals to avoid service delays.

5.2 Technology, Licensing, and Infrastructure Obligations. Unless expressly stated in an SOW or RA, the Client is responsible for: (a) acquiring and maintaining all third-party licenses, subscriptions, and renewals; (b) maintaining warranty and support contracts for Client-owned devices and systems; (c) ensuring all hardware and software meet minimum performance and security standards; (d) applying vendor-required updates where KTI does not have administrative control; and (e) maintaining physical access and security to facilities, network closets, and equipment. KTI is not responsible for delays or failures caused by expired licenses, unsupported hardware, or misconfigured environments.

5.3 Designated Contacts. The Client shall appoint: (a) a primary point of contact with decision-making authority; (b) a backup contact; and (c) technical stakeholders, as needed. KTI may rely on directives issued by these designated individuals unless written notice of a change is provided.

5.4 Security Responsibilities. The Client is responsible for: (a) enforcing internal security policies and acceptable use protocols; (b) ensuring employees use strong authentication (e.g., MFA) where available; (c) preventing unauthorized access to systems, credentials, and sensitive data; (d) securing all remote access mechanisms; (e) maintaining timely user onboarding/offboarding processes; and (f) reporting any suspicious activity promptly to KTI. Failure to implement or maintain security controls may impact the effectiveness of the Services and limit KTI’s obligations.

5.5 Compliance and Regulatory Responsibilities. Unless expressly stated in an SOW: (a) the Client remains solely responsible for regulatory compliance, including filings, attestations, certifications, and audits; (b) the Client must validate the accuracy of all evidence, documentation, or reports before submitting them to regulators, auditors, or governing bodies; (c) KTI’s Compliance Services are advisory only and support, not replace, Client compliance obligations; and (d) the Client is responsible for engaging legal counsel or compliance specialists where mandatory.

5.6 Data Responsibilities. The Client is solely responsible for: (a) the accuracy, integrity, and classification of all Client data; (b) compliance with all data privacy laws applicable to its operations; (c) ensuring data is stored and used lawfully within the Client Environment; and (d) maintaining data retention practices that align with legal and business needs. Unless Backup Services are expressly purchased, KTI has no responsibility for data loss, corruption, or recovery.

5.7 Third-Party Vendors and Integrations. The Client is responsible for: (a) contracts with all third-party software, SaaS, cloud, and hardware vendors; (b) maintaining required support subscriptions; (c) coordinating access for KTI as reasonably required; and (d) resolving disputes or failures related to third-party products. KTI’s role, unless explicitly defined in an SOW, is limited to reasonable coordination and advisory support.

5.8 Unauthorized Modifications. The Client agrees not to modify, disable, or interfere with any monitoring tools, agents, scripts, or automations deployed by KTI. Any such interference may: (a) suspend or degrade Services; (b) void applicable SLAs; or (c) result in additional fees to remediate the environment.

5.9 Timely Payment Obligations. Continued delivery of Services depends on the Client’s timely payment of all invoices. Non-payment may result in suspension under Section 4.5.

5.10 Assumption of Responsibilities Not Assigned to KTI. Any responsibility not expressly assigned to KTI under this Agreement, an SOW, RA, SLA, or the SRM is the responsibility of the Client.

6. WARRANTIES AND DISCLAIMERS

6.1 KTI Warranty. KTI warrants that the Services will be performed in a professional and workmanlike manner, consistent with generally accepted industry standards for managed IT, cyber resilience, and compliance advisory services. KTI will re-perform any non-conforming Services at no additional charge if notified within thirty (30) days of delivery.

6.2 No Warranty of Error-Free Operation. KTI does not warrant that the Services, tools, systems, automations, software, monitoring agents, intelligence platforms, or recommendations will be error-free, uninterrupted, secure from all threats, or capable of preventing all cybersecurity or operational incidents.

6.3 Third-Party Products and Services. KTI makes no warranty regarding: (a) third-party software, hardware, services, cloud platforms, APIs, or dependencies; (b) vendor response times, product behaviour, or availability; (c) vendor-specific accuracy, latency, or service disruptions; or (d) any defect, misconfiguration, or failure resulting from third-party systems not under the direct control of KTI. Any warranty for third-party products is provided exclusively by the applicable vendor.

6.4 Compliance Services Disclaimer. Unless expressly stated in an SOW: (a) Compliance Services are advisory only; (b) KTI does not guarantee audit results, certification outcomes, regulatory conformity, or legal sufficiency; (c) the Client is solely responsible for decisions, filings, evidence accuracy, and final submission of materials to auditors or regulators; and (d) KTI does not act as legal counsel, auditor, or accountant. The Client is encouraged to consult qualified professionals for legal or regulatory interpretation.

6.5 Cybersecurity Disclaimer. Cybersecurity threats evolve rapidly and cannot be fully eliminated. Accordingly: (a) KTI does not guarantee the prevention of cyberattacks, breaches, malware infections, unauthorized access, or data loss; (b) no monitoring or detection technology can identify all threats; (c) cybersecurity recommendations are based on available data and may be incomplete if telemetry is missing or restricted; and (d) the Client acknowledges that residual risk will always exist, regardless of Services purchased.

6.6 AI, Intelligence, and Automation Disclaimer. Where Services involve AI outputs, predictive analytics, automated remediations, or intelligence assessments: (a) all AI-generated or analytics-driven outputs are advisory; (b) KTI does not warrant the accuracy, completeness, or interpretation of data sources, logs, or telemetry; (c) automated actions may be delayed, blocked, or superseded by third-party limitations; (d) model drift, vendor updates, and data inaccuracies may impact results; and (e) Client decisions remain solely the responsibility of the Client.

6.7 Backup, Recovery, and BCDR Disclaimer. Unless the Client purchases Backup or BCDR Services under an SOW, KTI: (a) has no responsibility for backup creation, testing, verification, success, or restoration; (b) is not liable for data loss, corruption, or inaccessibility; (c) makes no guarantees regarding recovery point objectives (RPO) or recovery time objectives (RTO); and (d) is not responsible for failures caused by third-party storage, cloud providers, encryption, ransomware, corruption, or unsupported systems. Where Backup or BCDR Services are purchased, deliverables and guarantees are limited strictly to those stated in the SOW.

6.8 Unsupported, Legacy, or Client-Managed Systems. KTI provides no warranties for systems that are: (a) end-of-life or vendor-unsupported; (b) unpatched or misconfigured by the Client or third parties; (c) outside the scope of monitoring or management; (d) lacking required telemetry or access; or (e) modified without KTI authorization. Work required to remediate such systems may require a Change Order.

6.9 Exclusive Warranties. The warranties in this Section are the sole and exclusive warranties provided by KTI. All other warranties—express, implied, statutory, or otherwise—are disclaimed, including implied warranties of merchantability, fitness for a particular purpose, non-infringement, and uninterrupted service.

7. FEES, BILLING, AND PAYMENT TERMS

7.1 Fees. All fees for the Services will be specified in the applicable SOW, RA, SLA, or Change Order. Fees may include, without limitation: (a) recurring monthly service fees; (b) resource-based hourly or daily rates; (c) fixed-fee project pricing; (d) subscription or licensing passthrough fees; (e) usage- or consumption-based charges; (f) onboarding or transition fees; and (g) non-standard customization or development charges.

7.2 Invoicing. Unless otherwise stated: (a) recurring Services are invoiced monthly in advance; (b) time-and-materials Services are invoiced in arrears; (c) third-party passthrough costs may be invoiced at the time KTI incurs them; and (d) project milestones may be invoiced as set out in the applicable SOW.

7.3 Payment Terms. All undisputed invoices are due within thirty (30) days of the invoice date. Payments not received by the due date will be considered late.

7.4 Late Payments. Late payments may result in: (a) interest at the rate of 1.5% per month (or the highest amount allowed by law); (b) suspension of Services under Section 4.5; (c) withholding of Deliverables until payment is received; and (d) requirement of prepayment or security deposit for future work.

7.5 Licensing and Third-Party Costs. Where KTI procures third-party licensing, subscriptions, hardware, cloud services, or other vendor products on the Client’s behalf: (a) such costs are non-refundable and non-cancelable once provisioned; (b) the Client is responsible for the full committed term, even if Services are terminated early; (c) pricing is subject to vendor increases and currency fluctuations; and (d) KTI is not liable for vendor-imposed penalties, minimums, or term commitments.

7.6 Taxes. All fees are exclusive of applicable taxes, including HST, VAT, sales tax, import duties, levies, and other governmental charges. The Client is responsible for all such taxes, except taxes based on KTI’s net income.

7.7 Expenses. Reasonable travel, lodging, meals, mileage, parking, shipping, and other out-of-pocket expenses incurred in connection with the Services will be billed to the Client at cost, unless otherwise agreed.

7.8 True-Up Adjustments. If pricing is based on metrics such as user count, devices, servers, workloads, endpoints, cloud resources, data volume, or other utilization factors: (a) the Client must provide accurate and updated metrics monthly; (b) KTI may adjust billing to reflect actual usage; (c) discrepancies may result in a true-up charge; and (d) underreported metrics may incur retroactive charges.

7.9 Annual Increases. Unless otherwise stated in an SOW or RA, KTI may increase recurring fees annually up to 5% or the local CPI index, whichever is greater. Vendor licensing increases pass directly through to the Client.

7.10 Disputed Invoices. If the Client disputes an invoice: (a) the Client must notify KTI in writing within fifteen (15) days of the invoice date; (b) undisputed portions must still be paid on time; (c) both Parties will work in good faith to resolve the dispute within thirty (30) days.

7.11 No Withholding or Setoff. The Client may not withhold payment, apply setoff, or delay payment based on pending claims, disputes, credits, or allegations against KTI.

7.12 Fees for Out-of-Scope Work. Any work performed outside the agreed scope of an SOW, RA, or SLA—whether requested explicitly or required due to Client inaction, environment issues, misconfigurations, or third-party failures—will be billed at KTI’s then-current time-and-materials rates.

7.13 Non-Refundable Fees. Unless expressly stated otherwise: (a) all fees paid are non-refundable; (b) prepaid amounts for recurring services, licensing, or subscriptions are non-cancellable; and (c) early termination by the Client does not relieve payment obligations for committed terms.

8. CONFIDENTIALITY

8.1 Definition of Confidential Information. “Confidential Information” means all non-public information disclosed by either Party (“Disclosing Party”) to the other (“Receiving Party”), whether orally, visually, electronically, or in writing, including but not limited to: (a) business plans, processes, strategies, and financial information; (b) security assessments, vulnerabilities, incident data, system logs, threat intelligence, and monitoring outputs; (c) client lists, pricing, service methodologies, and operational procedures; (d) technical information, system diagrams, configurations, scripts, code, dashboards, and reports; (e) regulatory, compliance, or audit-related information; (f) personally identifiable, health, sensitive, or regulated information; and (g) the terms of this Agreement, all SOWs, RAs, SLAs, and pricing. Confidential Information does not include information that: is or becomes publicly known through no breach of this Agreement; was independently developed without use of the Disclosing Party’s information; is rightfully obtained from a third party without breach of confidentiality; or the Disclosing Party agrees in writing is not confidential.

8.2 Confidentiality Obligations. The Receiving Party shall: (a) protect Confidential Information using the same degree of care used to protect its own confidential information, but no less than a reasonable standard of care; (b) use Confidential Information solely for purposes of performing or receiving the Services; (c) restrict disclosure to its employees, contractors, advisors, and affiliates who have a legitimate need to know and who are bound by confidentiality obligations no less protective than those in this Agreement; (d) not disclose Confidential Information to any third party without prior written consent; and (e) immediately notify the Disclosing Party of any unauthorized disclosure or breach.

8.3 Mandatory Disclosure. If the Receiving Party is legally compelled to disclose Confidential Information (e.g., subpoena, court order, regulator demand), it shall: (a) provide prompt written notice to the Disclosing Party (unless prohibited); (b) disclose only the minimum information required; and (c) reasonably cooperate with efforts to seek protective orders or limit disclosure.

8.4 Use of Client Data for Service Delivery. KTI may use Client data, telemetry, logs, analytics, threat data, or performance insights solely for: (a) delivering the Services; (b) improving service quality, automation, and intelligence capabilities; (c) enhancing cybersecurity effectiveness; and (d) aggregated, anonymized analytics for benchmarking—provided no Client-identifiable information remains. KTI will not sell or share Client data with third parties except as required to deliver the Services or comply with legal obligations.

8.5 Third-Party Tools, Platforms, and Integrations. To provide the Services, KTI may use third-party platforms, automation tools, cloud systems, monitoring agents, AI systems, or analytics engines. The Client acknowledges that: (a) such platforms may process or store Confidential Information; (b) vendor privacy and security controls apply; and (c) KTI is not responsible for vendor actions but will use reputable and industry-recognized tools.

8.6 Return or Destruction of Confidential Information. Upon written request or upon termination of this Agreement: (a) each Party shall return or securely destroy the other Party’s Confidential Information; (b) KTI may retain archival copies as required by law, regulation, or internal compliance; (c) securely retained archival copies remain subject to confidentiality obligations.

8.7 Confidentiality in Cyber Incidents. If a security incident, breach, or forensic analysis reveals Confidential Information: (a) both Parties shall maintain confidentiality to the maximum extent allowed by law; (b) disclosure to insurers, regulators, or law enforcement will be limited to what is necessary; (c) incident details, reports, and forensic outputs are Confidential Information.

8.8 Duration of Confidentiality. Confidentiality obligations survive for five (5) years after termination of this Agreement, except with respect to trade secrets, cybersecurity data, AI training data, or regulated information, which shall remain confidential indefinitely.

9. DATA PROTECTION AND CYBERSECURITY

9.1 Data Protection Standards. Each Party shall comply with all applicable data protection, privacy, and information security laws relevant to its role under this Agreement, including PHIPA, PIPEDA, GDPR (where applicable), and any industry-specific obligations governing the Client’s operations. KTI will implement administrative, technical, and physical safeguards designed to protect Client data within KTI’s control.

9.2 KTI’s Security Obligations. KTI shall: (a) maintain industry-recognized security controls appropriate for a managed service provider delivering IT, cyber resilience, and intelligence services; (b) implement reasonable measures designed to prevent unauthorized access to KTI-managed systems; (c) maintain employee background screening appropriate to job role; (d) ensure personnel accessing Client data are bound by confidentiality obligations; and (e) maintain security policies covering access control, incident response, vulnerability management, and acceptable use.

9.3 Client’s Security Obligations. The Client shall: (a) maintain internal security safeguards that meet or exceed KTI’s minimum requirements; (b) enforce MFA and least-privilege access across all systems where available; (c) ensure all user accounts, applications, and systems are provisioned, maintained, and deprovisioned promptly; (d) maintain secure backups (unless contracted to KTI under an SOW); (e) ensure all equipment and systems under the Client’s control remain physically secure; (f) follow all KTI-issued security recommendations in a timely manner; and (g) implement policies governing acceptable use, password hygiene, remote access, and mobile device security. KTI is not responsible for breaches or incidents resulting from the Client’s failure to meet these obligations.

9.4 Data Classification and Ownership. All Client data accessed, transmitted, processed, or stored in connection with the Services remains the exclusive property of the Client. The Client is solely responsible for classifying, labeling, and determining the sensitivity of all data in its environment.

9.5 Data Handling and Processing. KTI may store, process, or transmit Client data only as required to deliver the Services. KTI shall not: (a) access Client data except as necessary; (b) use Client data for any purpose other than service delivery, analytics, or internal quality improvement; or (c) transfer Client identifiable information outside Canada unless permitted by law, required for service delivery, or approved by the Client.

9.6 Use of AI, Analytics, and Automation Systems. By receiving Managed Intelligence Services, the Client authorizes KTI to process telemetry, logs, metadata, and operational insights using: (a) AI-driven analytics; (b) automation frameworks; (c) third-party intelligence platforms; and (d) behavior-, anomaly-, or risk-based detection models. AI or analytics outputs do not constitute legal, regulatory, or business decisions. All decisions remain the Client’s responsibility.

9.7 Data Integrity and Availability. Unless Backup/BCDR Services are expressly purchased: (a) the Client is solely responsible for data integrity, retention, and recoverability; (b) KTI has no obligation to maintain archival copies of Client data; (c) KTI is not responsible for corrupt, missing, or improperly maintained data; and (d) KTI shall not be liable for data loss arising from Client mismanagement, inaction, configuration issues, ransomware, or third-party outages.

9.8 Security Incidents and Notification. Each Party will notify the other without unreasonable delay upon confirming a breach affecting the other Party’s data or systems. The notification will include, to the extent known: (a) a description of the incident; (b) the categories of data affected; (c) potential impact on operations; and (d) corrective or containment measures taken. KTI is not responsible for regulatory notification requirements, legal filings, or breach communications unless expressly included in an SOW.

9.9 Incident Response Limitations. KTI will provide reasonable assistance in responding to cybersecurity incidents if the Client has purchased applicable Cyber Resilience or Incident Services. However, unless explicitly contracted: (a) KTI does not provide digital forensics or breach counsel; (b) KTI is not responsible for regulatory reporting or notifications; (c) incident response assistance is advisory only; (d) forensic-grade evidence preservation is not guaranteed; and (e) KTI has no obligation to take unilateral emergency actions without Client approval.

9.10 Prohibition on High-Risk Activities. The Client shall not use the Services for: (a) illegal or unethical activities; (b) hosting malware, command-and-control infrastructure, or harmful content; (c) activities that violate vendor licensing terms; or (d) bypassing regulatory or security controls. KTI may immediately suspend Services if such activity is detected.

9.11 Residual Risk. The Client acknowledges that no cybersecurity program, managed service, intelligence platform, or compliance system can fully eliminate risk. Residual risk will always exist regardless of the Services purchased, and the Client accepts this as part of the nature of modern IT operations.

10. INTELLECTUAL PROPERTY RIGHTS

10.1 Pre-Existing IP. Each Party retains all rights, title, and interest in any intellectual property (“Pre-Existing IP”) that it owned or developed prior to the Effective Date of this Agreement, including any enhancements or modifications made outside the scope of this Agreement. Nothing in this Agreement transfers ownership of either Party’s Pre-Existing IP.

10.2 KTI Tools, Materials, and Platforms. KTI retains all intellectual property rights in and to: (a) monitoring agents, scripts, automations, workflows, connectors, and integrations; (b) AI-driven analytics, models, rulesets, detection logic, or intelligence engines; (c) templates, frameworks, policies, methodologies, and best practices; (d) dashboards, reports, data visualizations, and proprietary formats; (e) code, utilities, software, or internal tools used to deliver the Services; (f) cybersecurity playbooks, compliance frameworks, and evidence-mapping artifacts; (g) threat intelligence, risk scoring, and analytics algorithms; and (h) any modifications or derivative works developed during the performance of Services. No rights to KTI Tools are granted to the Client except as necessary to receive the Services. All KTI Tools must be removed from Client systems upon termination.

10.3 Deliverables. Unless otherwise stated in an SOW: (a) Deliverables created specifically for the Client under an SOW, and paid for in full, are licensed to the Client on a non-exclusive, perpetual basis for internal business use; (b) Deliverables do not include any KTI Tools, Pre-Existing IP, or reusable components that form part of KTI’s broader service delivery platform; (c) KTI retains ownership of all underlying components used to create Deliverables; (d) Deliverables may not be shared, sublicensed, distributed, or used for commercial purposes without prior written consent from KTI.

10.4 License to KTI Tools for Service Delivery. KTI grants the Client a limited, revocable, non-exclusive, non-transferable license to use KTI Tools solely to receive the Services during the term of the Agreement. This license: (a) does not transfer any ownership; (b) terminates automatically upon termination of Services; (c) prohibits reverse engineering, modification, or redistribution; and (d) requires removal of all agents, software, and scripts upon termination.

10.5 License to Client Materials. The Client grants KTI a non-exclusive, royalty-free license to use Client data, systems, documentation, and materials as necessary to perform the Services and improve quality, reliability, automation, and intelligence.

10.6 Residual Knowledge. KTI may use any general skills, ideas, concepts, know-how, best practices, or methodologies acquired during delivery of the Services for any purpose, provided such use does not disclose Client Confidential Information.

10.7 Third-Party Intellectual Property. Where Deliverables or Services include or rely upon third-party software or content: (a) ownership and licensing terms are governed by the applicable third-party agreements; (b) KTI makes no representation or warranty regarding such third-party IP; and (c) the Client is responsible for complying with those third-party licensing terms.

10.8 Joint Development. If the Parties jointly develop any materials, tools, or deliverables, ownership shall be allocated as follows unless expressly agreed otherwise: (a) KTI retains ownership of all technical IP, automations, analytics, code, tools, and methodologies; (b) the Client retains rights to its business processes, data models, and internal documentation; (c) each Party receives a perpetual internal-use license to the jointly created materials.

10.9 Protection of KTI IP. The Client shall not, and shall not permit any third party to: (a) reverse engineer, decompile, copy, modify, or create derivative works of KTI Tools; (b) access the Services to build competitive products or services; (c) resell, sublicense, or disclose KTI Tools to third parties; (d) remove proprietary notices; or (e) use KTI Tools after termination.

10.10 Injunctive Relief. A breach of this Section would cause irreparable harm to KTI for which monetary damages may be insufficient. KTI is entitled to seek injunctive or equitable relief in addition to any other available remedies.

11. SERVICE LEVELS AND INCIDENT MANAGEMENT

11.1 Application of SLAs. Service Levels (“SLAs”) apply only if expressly referenced in an SOW, Resource Agreement (RA), or separate Service Level Agreement document. If no SLA is referenced, all Services are provided on a commercially reasonable efforts basis.

11.2 Response Times vs. Resolution Times. Unless expressly defined in an SLA: (a) response times represent the time until KTI acknowledges an incident; (b) resolution times are not guaranteed; (c) any target timelines are estimates only; (d) SLAs do not apply to issues caused by Client actions, third-party failures, or unsupported systems.

11.3 Severity Classification. KTI may classify incidents based on severity, including:
Critical: business-stopping outages, ransomware, major security compromises
High: material service degradation or significant operational impact
Medium: standard support issues impacting specific users or systems
Low: informational requests or non-urgent matters
If an SLA is provided, severity categories will align with that SLA.

11.4 Exclusions to SLAs. SLAs do not apply in any of the following situations: (a) outages caused by third-party vendors, ISPs, cloud platforms, or utilities; (b) issues arising from Client misconfigurations, unauthorized changes, or unsupported hardware/software; (c) incidents related to cybersecurity threats, malware, zero-day vulnerabilities, or active compromises; (d) delays caused by lack of required access, approvals, or information from the Client; (e) force majeure events; (f) any environment where KTI’s tools or agents have been removed or disabled.

11.5 Managed Intelligence & Monitoring Limitations. For AI-assisted monitoring, analytics, intelligence, or automation: (a) detection is dependent on available telemetry; (b) gaps in logging, signal coverage, or data quality may impact accuracy; (c) alerts may require Client validation or action; (d) automation steps may be delayed due to vendor or API limitations; (e) KTI is not responsible for missed detections resulting from insufficient Client telemetry or unsupported platforms.

11.6 Incident Response Support. If the Client has purchased Cyber Resilience or Incident Response services: (a) KTI will provide assistance in triage, containment, and mitigation; (b) KTI does not guarantee forensic-grade evidence preservation; (c) KTI does not provide forensic analysis unless explicitly contracted; (d) any regulatory reporting, breach notifications, or legal advisory work is excluded unless specified in an SOW; (e) KTI may require temporary control of systems, endpoints, or network components to respond to an incident.

11.7 Cooperation Requirements. The Client shall: (a) promptly notify KTI of incidents or suspected issues; (b) provide access to systems, logs, and personnel as required; (c) cease unauthorized changes to impacted systems until remediation is complete; (d) follow KTI recommendations for containment or corrective action; (e) maintain updated contact information for escalation. Failure to cooperate may extend timelines or void applicable SLAs.

11.8 After-Hours Support. Unless otherwise stated in an SOW or SLA: (a) standard support hours are Monday–Friday during KTI’s business hours; (b) after-hours support is billable at enhanced rates; (c) emergency response outside business hours is not guaranteed unless the Client has a 24/7 coverage agreement.

11.9 Service Credits (If Applicable). If an SLA provides for service credits: (a) credits are the Client’s sole and exclusive remedy for missed SLAs; (b) credits may not be exchanged for cash; (c) credits do not roll over beyond the next billing cycle; (d) credits do not apply during suspension of services due to non-payment or Client-caused issues; (e) multiple SLA failures in a single period do not compound.

11.10 No SLA Guarantees Without Written Agreement. No verbal commitments, emails, or informal statements create SLA obligations. Only SLAs attached to, or referenced in, a signed SOW/RA constitute enforceable service levels.

12. LIMITATION OF LIABILITY

12.1 Maximum Liability. To the fullest extent permitted by law, KTI’s total aggregate liability for all claims arising out of or related to this Agreement, any SOW, RA, SLA, or Change Order, whether in contract, tort, negligence, strict liability, or otherwise, shall not exceed the greater of: (a) the total fees paid by the Client to KTI under the applicable SOW/RA during the twelve (12) months preceding the event giving rise to the claim; or (b) $100,000 CAD. This limitation applies regardless of the number of claims, incidents, or theories asserted.

12.2 Exclusion of Damages. To the fullest extent permitted by law, in no event shall KTI be liable for any: (a) lost profits, lost revenue, loss of business or opportunity; (b) loss, corruption, destruction, disclosure, or unauthorized access to data; (c) business interruption or downtime; (d) consequential, indirect, special, exemplary, punitive, or incidental damages; (e) costs associated with breach notifications, forensic services, or regulatory penalties; (f) third-party vendor failures or outages; (g) reputational harm or related consequences; or (h) damages arising from or relating to cybersecurity events, even if KTI’s Services include monitoring, detection, remediation, or advisory support. These exclusions apply whether the claim is based on contract, negligence, tort, strict liability, statute, or otherwise—even if KTI has been advised of the possibility of such damages.

12.3 No Liability for Unpurchased or Unsupported Services. KTI shall not be liable, directly or indirectly, for any losses or damages arising from: (a) the Client’s failure to purchase Backup, BCDR, Monitoring, Cyber Resilience, Compliance, or Managed Intelligence Services; (b) any system, application, or environment not expressly under KTI management; (c) unsupported, obsolete, or end-of-life systems; (d) missed detections or incidents caused by insufficient telemetry, logging, or access; or (e) failures, vulnerabilities, or misconfigurations introduced by the Client or third parties.

12.4 Allocation of Risk. The Parties acknowledge that: (a) KTI’s pricing reflects this limitation of liability; (b) KTI does not control the Client’s environment, personnel, actions, or third-party vendors; (c) cybersecurity, AI-assisted intelligence, and compliance inherently involve risk that cannot be fully eliminated; and (d) this section is fundamental to the relationship and forms the basis of the bargain.

12.5 Liability for Third-Party Actions. KTI shall not be responsible for: (a) acts or omissions of third-party vendors; (b) zero-day vulnerabilities not yet addressed by vendors; (c) ISP outages, cloud outages, platform failures, or SaaS disruptions; (d) hardware or software defects not caused by KTI; or (e) actions of Client employees, contractors, or any unauthorized user.

12.6 Client Responsibility for Decision-Making. All decisions based on: (a) intelligence insights, (b) analytics outputs, (c) AI-generated recommendations, (d) cybersecurity assessments, or (e) compliance documentation remain solely the Client’s responsibility. KTI shall have no liability for outcomes resulting from Client decisions, judgment, policies, or actions.

12.7 No Liability for Regulatory Outcomes. Unless expressly contracted under a dedicated Compliance SOW: (a) KTI is not responsible for audit failures, certification gaps, regulatory findings, or penalties; (b) KTI does not guarantee compliance with any legal, regulatory, or industry standard; (c) evidence mapping, documentation support, or advisory outputs do not constitute legal advice; and (d) KTI shall not be responsible for the Client’s misinterpretation of regulatory requirements.

12.8 Apportionment of Damages. If multiple parties contribute to a loss—including vendors, employees, consultants, or attackers—KTI’s liability shall be limited to its proportionate share, not joint and several liability.

12.9 Exceptions. Nothing in this Agreement limits liability for: (a) fraud or intentional misconduct; (b) personal injury or death caused directly by KTI’s negligence; (c) amounts owed by the Client to KTI for Services rendered; or (d) any liability that cannot legally be limited.

12.10 Survival. This Section survives termination or expiration of this Agreement for any reason.

13. INDEMNIFICATION

13.1 Definitions. For purposes of this Section, a “Claim” means any third-party action, demand, suit, regulatory inquiry, investigation, or proceeding (including by a government authority or auditor) and all related losses, liabilities, damages, penalties, fines, settlements, costs, and expenses (including reasonable legal fees).

13.2 KTI IP Indemnity. KTI shall defend, indemnify, and hold harmless the Client from and against any Claim alleging that the KTI Tools or Deliverables (as furnished by KTI and used by the Client in accordance with this Agreement and the applicable SOW) infringe any patent, copyright, trade secret, or trademark of a third party. KTI shall have no obligation under this Section to the extent the Claim arises from: (a) Client Materials, data, or instructions; (b) combinations with products, software, data, or services not provided or expressly authorized by KTI; (c) use other than in accordance with this Agreement, the SRM, or applicable documentation; (d) modifications not made by KTI; or (e) use of a version that has been superseded, if the infringement would have been avoided by use of the current, non-infringing version made available by KTI.

13.3 KTI IP Remedies. If KTI reasonably believes the KTI Tools or Deliverables may infringe, KTI may, at its option and expense: (a) procure for the Client the right to continue using the affected item; (b) modify or replace it with a functionally equivalent, non-infringing item; or (c) if (a) and (b) are not commercially reasonable, terminate the affected Service or license and refund to the Client any prepaid, unused fees for the terminated portion of the applicable term. THIS SECTION 13.3 SETS FORTH THE CLIENT’S SOLE AND EXCLUSIVE REMEDY FOR ANY IP INFRINGEMENT CLAIM REGARDING THE KTI TOOLS OR DELIVERABLES.

13.4 Client Indemnity — Data, Use, and Regulatory Matters. The Client shall defend, indemnify, and hold harmless KTI, its affiliates, and their respective officers, directors, employees, agents, and subcontractors from and against any Claim arising out of or related to: (a) Client data, instructions, or materials (including alleged infringement, privacy, or data-protection violations); (b) the Client’s breach of the SRM, security obligations, or failure to implement KTI’s reasonable security recommendations; (c) use of unsupported, end-of-life, unlicensed, or misconfigured technologies within the Client Environment; (d) any cyber incident, data loss, or outage occurring in systems not under KTI’s explicit management or where required telemetry/access was not provided; (e) the Client’s failure to purchase or maintain Backup/BCDR, Monitoring, Cyber Resilience, Compliance, or other risk-mitigating Services; (f) violations of law or third-party terms (including vendor licensing terms) by the Client or its users; (g) employment, contractor, or end-user claims arising from Client policies, actions, or omissions; and (h) regulatory fines, penalties, assessments, or audit findings attributable to the Client’s actions, decisions, data, or failure to meet regulatory requirements.

13.5 Procedure. A Party seeking indemnification (“Indemnified Party”) shall: (a) provide the other Party (“Indemnifying Party”) prompt written notice of the Claim (a delay will not relieve obligations except to the extent prejudicial); (b) grant the Indemnifying Party sole control of the defense and settlement (provided no settlement admits liability of, imposes non-monetary obligations on, or requires public statements by the Indemnified Party without its prior written consent); and (c) provide reasonable cooperation at the Indemnifying Party’s expense. The Indemnified Party may participate with its own counsel at its own expense.

13.6 Apportionment and Mitigation. If a Claim results from multiple causes, each Party’s indemnity extends only to its proportionate share. Each Party shall use commercially reasonable efforts to mitigate losses subject to indemnity.

13.7 No Implied Expansion. Nothing in this Section shall expand KTI’s warranties or obligations beyond those expressly set forth in this Agreement, nor limit KTI’s rights and defenses under Section 12 (Limitation of Liability), except that indemnity payment obligations shall not be limited by Section 12 to the extent such limitation is prohibited by applicable law.

13.8 Survival. This Section 13 survives termination or expiration of the Agreement.

14. INSURANCE & RISK TRANSFER

14.1 KTI Insurance. During the term of this Agreement, KTI shall maintain, at its own expense, insurance coverage with reputable insurers, including: (a) Commercial General Liability (CGL): not less than CAD $2,000,000 per occurrence, including bodily injury, property damage, personal/advertising injury, and contractual liability; (b) Technology Errors & Omissions (Tech E&O): not less than CAD $2,000,000 per claim covering professional services, network operations, and failure of service; (c) Cyber Liability/Privacy & Security: not less than CAD $2,000,000 per claim covering privacy breach, network security failure, data loss, incident response costs, regulatory defense, and media liability; and (d) Employers’ Liability/WSIB (or equivalent): as required by applicable law.

14.2 Client Insurance. The Client shall maintain insurance appropriate to its operations and risk profile, including at minimum: (a) Cyber Liability/Privacy & Security sufficient to cover data breach response, business interruption, and regulatory exposures inherent in the Client’s environment; and (b) any industry-specific insurance (e.g., errors & omissions, directors’ & officers’, crime/fidelity) as necessary given the Client’s regulatory and operational risks. KTI’s Services are not a substitute for insurance. Failure to maintain adequate insurance does not shift risk to KTI.

14.3 Certificates of Insurance. Upon written request, each Party will provide the other with a certificate of insurance evidencing required coverage and will use commercially reasonable efforts to provide thirty (30) days’ notice of cancellation or material reduction in coverage (other than for non-payment).

14.4 Subcontractors. KTI will ensure that material subcontractors engaged to deliver the Services maintain commercially reasonable insurance appropriate to the scope of their work.

14.5 No Waiver of Limits. Insurance limits are not a cap on liability. Liability is governed by Section 12 (Limitation of Liability). Availability of insurance does not expand any Party’s obligations.

14.6 Primary and Non-Contributory. KTI’s insurance will be primary and non-contributory solely with respect to claims that are directly attributable to KTI’s acts or omissions in delivering the Services. In all other cases, the Client’s policies apply to losses within the Client Environment.

14.7 Waiver of Subrogation. To the extent permitted by law, each Party waives, and shall require its insurers to waive, rights of subrogation against the other Party for covered losses, except in cases of fraud or willful misconduct.

14.8 No Third-Party Beneficiaries. Nothing in this Section creates rights in any third party, including insurers, except to the extent required to recognize a waiver of subrogation or additional insured status where expressly agreed in an SOW.

15. DISPUTE RESOLUTION

15.1 Good Faith Resolution. If any dispute, controversy, or claim arises out of or relates to this Agreement, the Parties shall first attempt to resolve the matter through good-faith negotiations between their designated senior representatives. Each Party shall escalate the matter internally before initiating any formal proceeding.

15.2 Executive Escalation. If the dispute is not resolved within fifteen (15) days of written notice, the issue shall be escalated to: (a) the Client’s executive sponsor or equivalent; and (b) KTI senior management (e.g., CEO or designated executive). The Parties shall meet (in person or via video conference) to attempt resolution within ten (10) business days of escalation.

15.3 Mediation (Optional but Encouraged). If the dispute remains unresolved, the Parties may mutually agree to participate in confidential non-binding mediation, administered by a recognized mediation service. Unless otherwise agreed: (a) mediation shall occur in Ontario, Canada; (b) each Party shall bear its own costs; and (c) mediator fees shall be shared equally.

15.4 No Litigation Until Process Completed. Except for claims involving: (a) non-payment, (b) breach of confidentiality, (c) infringement of intellectual property rights, or (d) the need for injunctive relief, neither Party may initiate litigation until the escalation steps in Sections 15.1 and 15.2 are completed.

15.5 Jurisdiction and Venue. This Agreement shall be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. Any legal action arising out of this Agreement shall be brought exclusively in the courts of Toronto, Ontario, and the Parties submit to those courts’ non-exclusive jurisdiction.

15.6 Time Limit to Bring Claims. No action (other than non-payment) may be brought more than twelve (12) months after the event giving rise to the claim. This limitation overrides any statutory limitation period to the maximum extent permitted by law.

15.7 Continued Performance. During any dispute, both Parties shall continue performing their obligations under the Agreement, except where the nature of the dispute makes continued performance commercially unreasonable.

15.8 Alternative Remedies. Nothing in this Section prevents either Party from seeking interim, emergency, or injunctive relief from a court of competent jurisdiction to prevent: (a) misuse or disclosure of Confidential Information; (b) infringement of intellectual property; (c) unauthorized access to systems; or (d) irreparable harm.

15.9 Class Action Waiver. To the fullest extent permitted by law, the Parties waive any right to bring or participate in class, collective, or representative actions against each other. All disputes must be brought individually.

15.10 Arbitration (If Mutually Agreed). The Parties may agree in writing to resolve specific disputes by binding arbitration. Unless otherwise agreed: (a) arbitration shall follow the ADR Institute of Canada rules; (b) arbitration shall occur in Toronto, Ontario; (c) the arbitrator shall have authority only to award compensatory damages consistent with this Agreement’s limitations; and (d) arbitration decisions shall be final and binding.

16. FORCE MAJEURE

16.1 Definition. Neither Party shall be liable for any delay or failure to perform its obligations (other than payment obligations) if such delay or failure results from events beyond the reasonable control of the affected Party (“Force Majeure Event”). Force Majeure Events may include, but are not limited to: (a) natural disasters, fires, floods, severe weather, or other acts of God; (b) acts of government, war, terrorism, civil unrest, embargoes, or sanctions; (c) pandemics, epidemics, public health emergencies, quarantine restrictions, or government shutdowns; (d) labour disputes, strikes, lockouts, or shortages of critical personnel; (e) utility failures, power outages, network disruptions, ISP failures, cloud service outages, or telecommunications failures; (f) supply chain disruptions or shortage of materials; (g) zero-day vulnerabilities, widespread malware, or large-scale cyberattacks (including ransomware, DDoS, supply-chain compromises, or critical vendor breaches); (h) failures of third-party data centres, SaaS platforms, public cloud services, or security vendors; or (i) any other event that is unforeseeable, unavoidable, and outside the affected Party’s reasonable control.

16.2 Notice and Mitigation. The affected Party shall: (a) notify the other Party of the Force Majeure Event as soon as reasonably practicable; (b) use commercially reasonable efforts to mitigate the impact of the event; and (c) resume performance as soon as the event is resolved.

16.3 Excused Performance. During a Force Majeure Event: (a) the affected Party’s obligations shall be suspended to the extent and for the duration impacted; (b) timelines, SLAs, milestones, and deliverables shall be extended automatically; and (c) KTI shall not be liable for delays, failures, or service degradation resulting from the event.

16.4 Extended Force Majeure. If a Force Majeure Event continues for more than thirty (30) consecutive days, either Party may terminate the affected SOW/RA/SLA upon ten (10) days’ written notice, without liability other than fees owed for Services rendered up to the date of termination.

16.5 No Excuse for Payment Obligations. Force Majeure does not relieve the Client of its obligation to pay for Services already performed or for non-cancelable third-party commitments incurred on its behalf.

16.6 Vendor and Third-Party Failures. To avoid doubt, KTI shall not be liable for service delays, degradations, or failures caused by: (a) Microsoft 365, Azure, AWS, Google Cloud, SentinelOne, CrowdStrike, or any SaaS or cloud platform; (b) telecommunications carriers or ISPs; (c) power utilities or data centre providers; or (d) other vendors not under KTI’s direct control. Such vendor failures shall be treated as Force Majeure Events to the extent they materially impact KTI’s performance.

17. GENERAL PROVISIONS

17.1 Entire Agreement. This Agreement, together with all SOWs, RAs, SLAs, schedules, exhibits, and Change Orders, constitutes the entire agreement between the Parties regarding the Services and supersedes all prior or contemporaneous proposals, negotiations, agreements, representations, or understandings, whether written or oral.

17.2 Amendments. No amendment, modification, or waiver of any provision of this Agreement is effective unless it is: (a) in writing; and (b) signed by authorized representatives of both Parties. Email communications do not constitute valid amendments unless expressly stated and mutually acknowledged.

17.3 Assignment. Neither Party may assign this Agreement or any rights or obligations hereunder without the prior written consent of the other Party, except that: (a) KTI may assign this Agreement to an affiliate, successor, or acquirer in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets; (b) consent shall not be unreasonably withheld, delayed, or conditioned. Any unauthorized assignment is void.

17.4 Subcontractors. KTI may use subcontractors, suppliers, or affiliated service providers in delivering the Services, provided that: (a) KTI remains responsible for their performance; and (b) subcontractors are bound by confidentiality and security obligations consistent with this Agreement. The Client shall not restrict KTI’s operational use of such resources.

17.5 Notices. All notices required under this Agreement must be in writing and delivered to the designated business addresses or emails provided by the Parties for legal notices. Notices are deemed received upon: (a) personal delivery; (b) email confirmation; (c) overnight courier with tracking; or (d) five (5) business days after mailing by certified or registered mail. Operational communications (e.g., ticketing, support, service updates) may occur via email or service portals.

17.6 Relationship of the Parties. The Parties are independent contractors. Nothing in this Agreement creates a partnership, franchise, joint venture, fiduciary relationship, or employment relationship. Neither Party has authority to bind the other.

17.7 Publicity. Neither Party may issue press releases, public announcements, or marketing statements referencing the other without prior written consent. KTI may list the Client’s name and logo internally or in non-public proposals unless the Client objects in writing.

17.8 No Third-Party Beneficiaries. Except as expressly stated (e.g., insurers in the context of subrogation waivers), this Agreement does not confer any rights or benefits on third parties.

17.9 Severability. If any provision of this Agreement is held invalid or unenforceable: (a) such provision shall be interpreted to the maximum enforceable extent; (b) the remaining provisions shall remain in full force and effect.

17.10 Waiver. A failure or delay by either Party to exercise any right or remedy does not constitute a waiver. A waiver is effective only if in writing and signed by the waiving Party.

17.11 Counterparts and Electronic Signatures. This Agreement and any SOW/RA/SLA may be executed in counterparts. Electronic signatures (including PDF, scanned signatures, and digital signature platforms) are deemed originals and fully enforceable.

17.12 Language. This Agreement is drafted in English at the request of both Parties. Le présent contrat est rédigé en anglais à la demande des deux parties.

17.13 Governing Law. This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without giving effect to conflict-of-law principles.

17.14 Continuity of Operations. The Client acknowledges that KTI may perform services from any location, including remote or international locations, provided that confidentiality and data-protection obligations are maintained.

17.15 Interpretation. Headings are for convenience only and do not affect interpretation. The terms “including,” “such as,” and “for example” are not limiting and mean “including without limitation.”

17.16 Electronic and Click Through Acceptance. The Parties agree that this Agreement may be accepted and become legally binding without physical signature. Acceptance of a KTI quotation, proposal, Statement of Work, or order form—whether by electronic signature, click through acceptance, checkbox acknowledgment, or other electronic confirmation—constitutes the Client’s binding agreement to this Master Services Agreement as of the date of such acceptance.

17.17 For purposes of this Agreement, references to documents being “executed,” “signed,” or “mutually executed” include acceptance by electronic means, including click through acceptance, electronic confirmation, or acceptance of a quotation that incorporates such document by reference.

18. SIGNATURES AND EXECUTION

IN WITNESS WHEREOF, the Parties have executed this Master Services Agreement by their duly authorized representatives as of the Effective Date.

Execution of this signature page is not required where this Agreement is accepted through quotation acceptance or other electronic means as provided herein.

Kearns Technology Inc. (“KTI”)
By: _________________________________
Name: _______________________________
Title: ________________________________
Date: ________________________________

Client
By: _________________________________
Name: _______________________________
Title: ________________________________
Date: ________________________________

18.1 Electronic Signature. The Parties agree that this Agreement, including any SOW, RA, SLA, or Change Order, may be executed by electronic signature, including via PDF, scanned signature, or digital signature platform, and such signatures shall be deemed valid and binding as originals.

18.2 Counterparts. This Agreement may be executed in any number of counterparts, each of which is deemed an original, but all of which together constitute a single agreement.

18.3 Effective Date. The “Effective Date” of this Agreement shall be the date on which the Client first accepts a KTI quotation, proposal, Statement of Work, or other engagement document that incorporates this Agreement by reference, unless a later date is expressly stated in such document.

SCHEDULE A — SHARED RESPONSIBILITY MODEL (SRM)

Applicable to all Managed Services, Managed Intelligence, Cyber Resilience, and Compliance Services delivered by Kearns Technology Inc. (“KTI”)

1. Purpose of the SRM. This Shared Responsibility Model (“SRM”) defines the allocation of cybersecurity, compliance, data protection, operational, and governance responsibilities between KTI and the Client. The SRM ensures: clarity of duties; prevention of assumption-based liability; alignment with NIST CSF 2.0, CIS Controls, ISO 27001, and vendor shared-responsibility models; reduction of risk for both Parties. Where a responsibility is not explicitly assigned to KTI, it is deemed to remain with the Client.

2. Core Principles

2.1 Mutual Accountability. Both Parties play essential, distinct roles in maintaining a secure and compliant environment.

2.2 Scope-Driven Responsibilities. KTI’s responsibilities apply only to systems and services expressly included in a signed SOW/RA.

2.3 Client Ownership of Environment. The Client retains responsibility for decisions, approvals, data governance, access control, and regulatory obligations.

2.4 Vendor Dependencies. Cloud providers, SaaS vendors, and third-party applications maintain responsibility for their own platforms and security.

3. High-Level Responsibility Matrix

3.1 Cybersecurity Responsibility Overview

4. Detailed Responsibilities — KTI is responsible only for the items explicitly set out below or in an SOW.

4.1 Managed IT & Technical Operations (If purchased). Monitoring and management of covered endpoints, servers, and cloud workloads. Deploying and updating KTI monitoring agents. Applying patches and updates where KTI has control and access. Maintaining service documentation, runbooks, and support processes. Providing recommendations for modernization, cybersecurity improvements, and risk mitigation.

4.2 Managed Intelligence Services (If purchased). Processing telemetry, logs, analytic feeds, and behavioral data. Generating threat intelligence, risk scoring, automation insights, and AI-assisted advisories. Providing dashboards, reports, and decision-support information. Maintaining detection logic, mapping, and analytics engines.

4.3 Cyber Resilience Services (If purchased). Monitoring covered systems for alerts and anomalies. Triaging cybersecurity events and notifying Client contacts. Providing containment recommendations. Coordinating with vendors where KTI is an authorized partner. Supporting incident investigations on a best-efforts basis.

4.4 Compliance Support (If Purchased). Providing advisory guidance. Assisting with evidence mapping and internal readiness. Offering governance templates, recommendations, and assessments. Highlighting potential compliance gaps based on available data. KTI is not responsible for regulatory filings, audit results, or legal interpretations.

4.5 Backup & BCDR (If Purchased). Monitoring backup job status when expressly included. Managing backup solutions defined in an SOW. Initiating restores at Client request. Supporting DR testing if contracted.

4.6 Exclusions. KTI is not responsible for: systems outside its management scope, non-purchased services, unsupported/legacy systems, gaps caused by missing telemetry or restricted access, decisions or actions taken by the Client.

5. Detailed Responsibilities — CLIENT

5.1 Governance & Policy. Ownership of all security, compliance, and IT policies. Enforcement of acceptable use, remote work, data handling, and access controls. Maintaining appropriate insurance (cyber, E&O, etc.).

5.2 Identity & Access Management. Enforcing MFA across all systems. Managing user access, onboarding, and offboarding. Ensuring privileged access is controlled and logged.

5.3 Technology Environment. Maintaining physical security of locations and equipment. Ensuring all third-party and SaaS licensing remains valid. Ensuring KTI has required administrative access.

5.4 Data Responsibilities. Data classification, labeling, and retention. Ensuring sensitive data is handled in accordance with applicable laws. Validating accuracy of compliance evidence and regulatory filings.

5.5 Incident Response Obligations. Promptly notifying KTI of cyber incidents. Preserving logs and evidence. Taking recommended mitigation steps. Authorizing KTI actions when needed.

5.6 Backup & BCDR (Unless Purchased). Ensuring appropriate backup systems exist. Verifying that backups function and meet RPO/RTO. Managing restore requests when using non-KTI backup tools.

6. Detailed Responsibilities — THIRD-PARTY VENDORS. Vendors maintain full responsibility for: Platform availability. Software security and patching. Cloud infrastructure resilience. SLA performance guarantees. Log retention governed by their platform. Vulnerability disclosures and remediation schedules. Examples include: Microsoft 365, Azure, AWS, Google Cloud, SentinelOne, CrowdStrike, Cisco, Fortinet, or any SaaS application. KTI cannot be held responsible for failures originating in vendor platforms.

7. Shared Responsibilities. Both Parties share responsibility for:

7.1 Cybersecurity. Reducing attack surface. Following industry best practices. Investigating anomalies. Maintaining updated contacts for escalations.

7.2 Compliance. Providing accurate information. Responding to auditor inquiries. Aligning controls and processes with standards.

7.3 Operational Continuity. Coordinating during outages. Sharing relevant logs, alerts, and data. Participating in business continuity efforts.

8. Dependencies & Preconditions. The effectiveness of KTI’s Services depends on the Client providing: Administrative access to systems. Accurate and timely information. Permissions to deploy tools, agents, and automations. Required licensing. A stable and supported technology environment. Failure to meet dependencies may impair service quality and void SLAs.

8. SRM Conflicts & Clarifications. If the SRM conflicts with an SOW/RA/SLA: The SOW/RA/SLA takes precedence, but only for the specific service in question. If a responsibility is not clearly assigned, it defaults to the Client.

9. Acceptance and Incorporation. This SRM is incorporated into and forms part of the Master Services Agreement (MSA) between KTI and the Client. By executing the MSA or any SOW, the Client acknowledges and accepts the Shared Responsibility Model.

Schedule B — Cyber Resilience & Incident Response

1. Purpose. This Schedule defines the scope, boundaries, limitations, and shared responsibilities for Cyber Resilience and Incident Response (“CR/IR”) Services provided by KTI, where such services are purchased under an SOW.

2. Scope of Cyber Resilience Services. Where included in an SOW, KTI will provide: Continuous or periodic monitoring of covered systems and telemetry. Alert triage, threat classification, and severity assessment. Containment recommendations (not execution unless explicitly contracted). Coordination with vendors where KTI is an authorized partner. Advisory assistance during incident investigations on a best-effort basis. Communication to Client contacts during material events.

3. Incident Response Limitations. Unless explicitly purchased, KTI does not provide: Digital forensics or forensic-grade evidence preservation. Legal, audit, or regulatory reporting. Breach coaching or PR communications. Emergency response without Client approval. Guarantee of detection, containment, or prevention of threats. SLA-backed response timelines (unless provided in a dedicated SLA). CR/IR assistance is advisory, dependent on available telemetry, system access, and third-party platforms.

4. Client Responsibilities. The Client must: Provide timely notification of suspected incidents. Maintain accurate and accessible logs (unless log management is purchased). Preserve evidence and refrain from altering impacted systems. Approve recommended containment or remediation actions. Maintain cyber insurance appropriate to its environment. Ensure user lifecycle, MFA, and security policies are enforced. Failures in these obligations may increase response time or render full support impossible.

5. Dependencies & Preconditions. CR/IR effectiveness depends on: Active and functioning monitoring agents. Required administrative access and telemetry feeds. Supported, licensed, and vendor-updated platforms. No interference with KTI tools or automations.

6. Exclusions. KTI is not responsible for: Incidents occurring in systems not under management. Gaps caused by unsupported, end-of-life, or misconfigured environments. Losses arising from unpurchased Monitoring, Resilience, or BCDR services. Vendor outages, zero-day vulnerabilities, or SaaS failures.

7. Reporting & Post-Incident Support. KTI may provide post-incident summaries and recommendations; however: Reports are advisory only. No forensic, legal, or regulatory assertions are made. Follow-up remediation may require a separate SOW.

Schedule C — AI & Automation Limitations

1. Purpose. This Schedule defines the boundaries, disclaimers, and permitted uses of AI-assist, automation, intelligence engines, and analytics platforms delivered by KTI.

2. Nature of AI & Automation Services. KTI may use AI systems, predictive analytics, detection models, and automation tools to: Produce risk scores and behavioural insights. Optimize monitoring, triage, and operational workflows. Generate recommendations, advisories, or outputs. Automate low-risk remediation tasks (where permitted).

3. Limitations & Disclaimers. The Client acknowledges: AI outputs are advisory and may contain inaccuracies. Recommendations rely on available telemetry; gaps reduce accuracy. Vendor model drift, API limits, outages, or changes may impact results. Automated actions may be delayed, blocked, or superseded by platform limits. KTI does not guarantee: Perfect detection; Prevention of incidents; Accuracy of predictive insights; Compliance or audit readiness.

4. Responsibilities. KTI Responsibilities: Maintain detection logic and analytics engines. Use reputable AI and automation platforms. Provide advisory outputs, dashboards, and intelligence summaries. Client Responsibilities: Validate all AI-generated insights before using them for decisions. Maintain MFA, logging, identity governance, and environment hygiene. Ensure correct permissions for AI/automation tools to function. Accept sole liability for business, operational, or regulatory decisions.

5. Exclusions. AI Services do not include: Autonomous remediation unless explicitly contracted. Legal, regulatory, audit, or risk-management decisions. Guarantees regarding accuracy, model performance, or outcomes.

Schedule D — Compliance Boundaries

1. Purpose. This Schedule defines the limitations, scope, and shared responsibilities of Compliance Support Services.

2. Scope of Compliance Support. Where included in an SOW, KTI may provide: Advisory guidance aligned with frameworks such as PHIPA, PIPEDA, HIPAA, ISO 27001, SOC 2, NIST, PCI. Evidence mapping and readiness documentation. Governance templates and recommendations. Gap identification based on available data. Participation in internal preparation activities.

3. Boundaries & Disclaimers. KTI does not provide: Legal interpretation or regulatory advice. Auditor engagement or regulatory submissions. Guarantees of audit success or certification outcomes. Validation of Client-provided evidence. Decisions on risk acceptance, data governance, or compliance posture. All compliance decisions remain solely with the Client.

4. Client Obligations. The Client is solely responsible for: All regulatory filings, attestations, and certifications. Accuracy and completeness of all evidence submitted to auditors or regulators. Maintaining necessary data governance, retention, and classification. Engaging legal counsel for regulatory interpretation. Ensuring staff follow compliance policies and internal controls.

5. Dependencies. Compliance support requires: Accurate and timely information from the Client. Access to systems, documents, configurations, and stakeholders. Licensing and environment readiness.

6. Exclusions. KTI is not liable for: Regulatory findings, penalties, or audit outcomes. Client misinterpretation of compliance requirements. Failures caused by unsupported, legacy, or unmanaged systems.

Schedule E — Backup & BCDR

1. Purpose. This Schedule defines the limitations, scope, and obligations relating to Backup Services and Business Continuity & Disaster Recovery (“BCDR”).

2. Scope (If Purchased in an SOW). KTI may provide: Backup monitoring for defined systems. Management of approved backup platforms. Restore initiation upon Client request. Support for scheduled DR testing. Reporting on backup status and health where included.

3. Limitations. Unless the Client explicitly purchases Backup/BCDR: KTI has no responsibility for data loss, corruption, or recoverability. KTI does not guarantee RPO, RTO, version retention, or backup success. KTI is not liable for failures related to: Vendor storage outages; Ransomware; Client-managed systems; Misconfigurations; Unsupported or unlicensed platforms.

4. Client Responsibilities. The Client must: Classify data and define retention needs. Ensure backup coverage for systems not included in an SOW. Maintain required licensing for backup platforms. Validate recovery requirements (RPO/RTO). Request restores with sufficient detail and authorization.

5. Dependencies. Backup/BCDR effectiveness requires: Reliable network, infrastructure, and storage access. Supported, licensed systems. Accurate policies and configurations. Required admin access for KTI.

6. Exclusions. KTI is not responsible for: Backups not included in an SOW. Third-party vendor failures. Backups on end-of-life or unsupported systems. Client-initiated changes affecting backup stability.

Schedule F — Legacy Systems & Unsupported Technologies

1. Purpose. This Schedule establishes risk boundaries and service limitations relating to Legacy, Unsupported, or Vendor-End-of-Life (“EOL”) systems.

2. Definition of Unsupported Systems. Unsupported systems include: End-of-life or vendor-retired hardware/software. Systems lacking security patches or vendor updates. Unlicensed or improperly licensed systems. Platforms that cannot support required telemetry or monitoring. Systems excluded from management in the SOW.

3. Service Limitations. KTI provides no warranty, SLA, or guarantee for unsupported systems, including: Stability, uptime, compatibility, or security. Backup reliability or recoverability. Incident detection or response effectiveness. Patch or update success. Integration with KTI tools or AI engines. Support may be limited to best-effort only.

4. Client Responsibilities. The Client is responsible for: All risks associated with maintaining unsupported systems. Replacing or upgrading such systems in a timely manner. Providing required access for remediation (if feasible). Understanding that unsupported systems may void SLAs. Costs associated with workarounds, escalations, or additional risk mitigation.

5. Additional Fees. Work involving unsupported systems may require: A separate SOW or Change Order. Additional hourly rates due to complexity or risk. Extended timelines given system instability.

6. Exclusions. KTI is not liable for: Data loss, corruption, or downtime caused by unsupported systems. Incidents or breaches involving unpatched, legacy, or misconfigured systems. Incompatibility with monitoring, backup, or automation tools. Gaps in detection or containment due to lack of telemetry.


To download and submit a change request form, please use the following link: KTI-CHANGE REQUEST FORM