Terms and Conditions

1) THE PARTIES, ACCEPTANCE, AND EFFECTIVE DATE

This Master Services Agreement (the "Agreement" or "MSA") is a binding legal contract between Elliptic Systems Corporation, a Washington corporation and Managed Security Service Provider with its principal place of business at 9019 Evergreen Way, Everett, WA 98204 ("MSP," "Elliptic Systems," "we," "us," or "our"), and the individual or legal entity that accepts this Agreement and purchases, accesses, or uses any of MSP's Services ("Client," "you," or "your"). MSP and Client are each a "Party" and together the "Parties."

a) Acceptance of Terms. BY (i) CHECKING THE "I AGREE," "I ACCEPT," OR SIMILAR BOX ON ANY MSP PURCHASE, CHECKOUT, OR REGISTRATION PAGE; (ii) CLICKING ANY BUTTON INDICATING ACCEPTANCE (INCLUDING "PURCHASE," "BUY NOW," "SUBSCRIBE," "SUBMIT," "CONTINUE," OR SIMILAR); (iii) COMPLETING PAYMENT FOR ANY MSP PRODUCT OR SERVICE; (iv) ELECTRONICALLY SIGNING THIS AGREEMENT OR ANY STATEMENT OF WORK; OR (v) OTHERWISE ACCESSING, INSTALLING, OR USING THE SERVICES, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY ALL TERMS AND CONDITIONS OF THIS AGREEMENT, INCLUDING ALL APPLICABLE STATEMENTS OF WORK ("SOWs"), RISK ACCEPTANCE FORMS, EXHIBITS, AND POLICIES INCORPORATED BY REFERENCE. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT CHECK THE ACCEPTANCE BOX, DO NOT COMPLETE PAYMENT, AND DO NOT ACCESS OR USE THE SERVICES.

b) Effective Date. The "Effective Date" of this Agreement is the earliest of (i) the date you check the acceptance box, (ii) the date you complete payment for any Service, or (iii) the date you first access or use any Service.

c) Client Identification. For purposes of this Agreement, "Client" means the individual or legal entity identified in the registration, checkout, billing, and/or payment information submitted to MSP at the time of acceptance — including, where applicable, the business name, business type or entity form, billing address, and authorized contact information. That information is incorporated into this Agreement by reference and constitutes the Parties' identifying information for all purposes hereunder, with the same force and effect as if manually written into this Section 1.

d) Authority to Bind. If you are accepting this Agreement on behalf of a company, organization, or other legal entity, you represent and warrant that (i) you are at least eighteen (18) years of age and legally able to enter into binding contracts; (ii) you have full legal authority to bind that entity to this Agreement; (iii) you have read and understand this Agreement in its entirety; and (iv) you accept this Agreement on behalf of that entity. In such case, "Client," "you," and "your" refer to that entity, and the individual accepting on its behalf personally represents that he or she holds such authority. If you do not have such authority, or if you (or the entity you represent) do not agree to these terms, you must not accept this Agreement and must not access or use the Services.

e) Electronic Signatures and Records. You agree that your electronic acceptance of this Agreement — including by checking a box, clicking a button, completing payment, or applying an electronic signature — has the same legal force and effect as a handwritten signature on a paper contract, and constitutes your signature, acceptance, and agreement to this Agreement, in accordance with the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.) and the Washington Uniform Electronic Transactions Act (RCW 1.80). You consent to receive all communications, notices, agreements, disclosures, and records relating to this Agreement in electronic form, and you agree that MSP's records of your acceptance (including timestamp, IP address, transaction ID, and payment confirmation) are conclusive evidence of your assent.

f) Updates to this Agreement. MSP may update this Agreement from time to time to reflect changes in law, technology, services, or business practices. The current version will be posted at www.EllipticSystems.com. Material changes will be communicated by email to the address Client provided at registration, or by in-product notice, at least thirty (30) days before they take effect. Client's continued use of the Services after the effective date of any update constitutes acceptance of the updated Agreement.

2. SCOPE OF AGREEMENT

a) This Master Services Agreement ("Agreement" or "MSA") governs all equipment, hardware, software, materials ("Products"), professional services, artificial intelligence solutions, AI consulting and implementation, cybersecurity services, maintenance, subscription services, and data security consulting ("Services") provided to Client by MSP, as set forth in any quote, addendum, or statement of work (individually and collectively referred to as "SOW") referencing this MSA. This MSA shall be supplemented by SOWs and written or electronic accepted quote/order document, a purchase order from client or other mutually acceptable order documentation, each of which must be executed by both parties and thereupon shall be deemed incorporated in this MSA for all purposes. SOWs will be substantially in the form of the attached Exhibit A. The parties may execute multiple SOWs under this MSA. In the event of any conflict between the terms of an SOW and those of this MSA, the terms of this MSA shall prevail except where the SOW explicitly states "This provision supersedes the MSA" for specific sections relating to Section 5(e)

b) Service Tiers and Statement of Work Requirements. MSP offers multiple service tiers and optional add-on services designed to address different levels of cybersecurity risk, compliance obligations, and operational requirements, including but not limited to:

- IT Foundation (basic IT services)

- Advanced IT Security (cybersecurity services)

- CyberWatchTM (penetration testing and vulnerability management)

- Cyber Liability Essentials (Cyber Liability Insurance compliance)

- vCSO (virtual Chief Security Officer services)

- Artificial Intelligence (AI) Services (consulting, implementation, training, etc.)

Each service tier has unique features, capabilities, limitations, monitoring scope, response procedures, and service level commitments detailed in the applicable Statement of Work (SOW). Client is ONLY entitled to the services, protections, support, and monitoring specified in the executed SOW(s). Services not included in a signed SOW are not provided and create no obligations or liabilities for MSP.

Following MSP's assessment of Client's environment, infrastructure, threat landscape, compliance obligations, and risk profile, MSP may recommend specific services to mitigate identified vulnerabilities, address security gaps, meet regulatory requirements, or reduce operational risks. Client is not obligated to purchase any recommended services. However, declining recommended services has significant implications as detailed below.

If Client declines to purchase any services recommended by MSP (including but not limited to CyberWatchTM, CyberGuardTM (Compliance-as-a-Service), vCSO, or other advanced security services), Client expressly acknowledges, understands, and agrees to the following: (i) Risk Awareness: Client has been informed by MSP of specific cybersecurity risks, vulnerabilities, compliance gaps, or operational deficiencies that the declined services were designed to address, mitigate, or remediate; (ii) Voluntary Decision: Client's decision to decline recommended services is made knowingly, voluntarily, and with full understanding of the potential consequences, including but not limited to: increased risk of cyberattacks, data breaches, ransomware incidents, regulatory non-compliance, undetected vulnerabilities, inadequate incident response capabilities, and business disruption; (iii) Assumption of Risk: Client voluntarily assumes all risk, liability, and responsibility for any and all damages, losses, costs, fines, penalties, legal fees, notification expenses, remediation costs, business interruption, reputational harm, or other consequences that arise from, relate to, or result from cybersecurity incidents, compliance violations, or operational failures that the declined services may have prevented, detected, mitigated, or addressed; (iv) MSP Holds Harmless: Client releases, discharges, and holds MSP completely harmless from any and all claims, demands, causes of action, damages, losses, liabilities, costs, or expenses (including attorney fees) arising from or related to risks that declined services were designed to address; (v) No Monitoring or Protection: Client understands that MSP has NO obligation to monitor, detect, alert, respond to, or protect against threats, vulnerabilities, or incidents outside the scope of purchased services specified in executed SOWs; (vi) Limited Liability Scope: MSP's liability (if any) is strictly limited to services actually purchased and shall NOT extend to declined services, regardless of the severity of consequences resulting from Client's decision not to purchase recommended services.

Risk Acceptance Forms - Required Documentation. For services that MSP recommends but Client declines to purchase, Client shall execute separate Risk Acceptance Forms as attachments to this MSA, which provide additional details regarding specific risks associated with each declined service category. Risk Acceptance Forms are available for the following service categories:

- Advanced IT Security Risk Acceptance Form (for clients declining the cybersecurity layer of services)

- CyberWatchTM Risk Acceptance Form (for clients declining quarterly penetration testing and vulnerability management)

- Cyber Liability Essentials (Cyber Liability Insurance compliance)

- CyberGuardTM Risk (Cyber Liability Guard - Compliance-as-a-Service) Acceptance Form (for clients in regulated industries declining compliance program management and declining advanced threat protection and security operations)

- vCSO Risk Acceptance Form (for clients declining virtual Chief Security Officer services, incident response planning, and disaster recovery planning)

Critical Fallback Provision. Notwithstanding the existence of separate Risk Acceptance Forms, the risk acceptance provisions in this Section 1(b) are binding upon Client immediately upon execution of this MSA. Client's execution of this MSA, with or without accompanying Risk Acceptance Forms, constitutes Client's acknowledgment and acceptance of all risks associated with any and all services that MSP recommends but Client does not purchase. If Client fails to execute, or refuses to execute, any Risk Acceptance Form for services recommended by MSP but not purchased by Client: (i) The provisions of this Section 1(b) shall remain in full force and effect and constitute Client's binding acknowledgment and acceptance of all risks associated with declined services; (ii) Client's execution of this MSA shall be deemed to constitute Client's acknowledgment that Client has been informed of the risks of declining such services and voluntarily accepts those risks; (iii) Client shall be deemed to have waived any claims against MSP arising from or related to the declined services; (iv) MSP may, at its sole discretion, refuse to provide any services to Client until appropriate Risk Acceptance Forms are executed, or may proceed with providing only the services specified in executed SOWs while treating all non-purchased services as declined with full risk acceptance per this Section 1(b).

Industry-Specific Risk Acceptance. Client further acknowledges that certain industries, business types, or operational environments face heightened cybersecurity risks, regulatory scrutiny, or compliance obligations that may make certain services essential rather than optional. Such industries include but are not limited to:

- Financial services (GLBA, SOC 2, PCI-DSS requirements)

- Legal services (attorney-client privilege protection)

- Government contractors (NIST, CMMC, FedRAMP requirements)

- Organizations handling sensitive personal information

If Client operates in a regulated industry or high-risk environment and declines services that MSP identifies as necessary for compliance or risk mitigation, Client acknowledges that: (i) Client assumes all risk of regulatory non-compliance, fines, penalties, enforcement actions, loss of certifications, or loss of business relationships; (ii) MSP has informed Client that certain services may be necessary (not merely recommended) for Client's industry or risk profile; (iii) Client's decision to proceed without such services is made against MSP's professional recommendation and with full understanding of potential compliance and operational consequences.

Service Definition and Limitations. Specific service limitations, monitoring scope, detection capabilities, response procedures, escalation protocols, incident response timeframes, and service level agreements (SLAs) are defined in each SOW, not in this MSA. Client acknowledges that services not specified in a signed SOW are not provided, and that: (i) MSP monitors, detects, alerts, and responds ONLY to threats, incidents, and issues within the scope of purchased services; (ii) Cybersecurity threats or incidents outside the monitoring scope of purchased services may occur without MSP's knowledge or involvement; (iii) The absence of certain services (such as CyberWatchTM penetration testing, CyberGuardTM advanced protection, or vCSO incident response planning) creates security gaps that MSP is not responsible for addressing; (iv) Client is responsible for understanding what is and is not included in each service tier before purchasing.

Future Service Additions. Client may elect to add any previously declined services at any time by executing an appropriate Statement of Work (SOW) for such services, subject to: (i) MSP's capacity and availability to provide such services; (ii) MSP's then-current pricing, which may differ from pricing quoted at the time services were initially recommended; (iii) Execution of a new SOW and, if applicable, amendment to this MSA; (iv) MSP's assessment of the Client's environment is suitable for the requested services (e.g., certain services may require foundational services to be in place first). Addition of previously declined services does NOT retroactively create liability for MSP for any incidents, breaches, or consequences that occurred during the period when such services were not purchased.

Client Acknowledgment. By executing this MSA, Client acknowledges that Client has read, understands, and agrees to all provisions of this Section 1(b), including the risk acceptance provisions, and that Client will execute appropriate Risk Acceptance Forms for any services MSP recommends but Client does not purchase. Client further acknowledges that this Section 1(b) is binding even in the absence of separate Risk Acceptance Forms. Specific service limitations, monitoring scope, incident response procedures, and service level agreements are defined in each SOW, not this MSA.

c) SERVICE TIERS AND STATEMENT OF WORK REQUIREMENTS

The following documents, when applicable, are incorporated into and made part of this MSA as Statement of Work (SOW) or Exhibits: Risk Acceptance Forms (as applicable):

- Advanced IT Security Risk Acceptance Form

- CyberWatchTM Risk Acceptance Form

- Cyber Liability Essentials (Cyber Liability Insurance compliance) Risk Acceptance Form

- CyberGuardTM (Cyber Liability Guard, Compliance-as-a-Service) Risk Acceptance Form

- vCSO Risk Acceptance Form

Client shall execute all applicable Risk Acceptance Forms for services recommended by MSP but not purchased by Client. Risk Acceptance Forms executed in connection with this MSA are incorporated by reference and constitute binding agreements between the parties.

3)TERM AND TERMINATION

This MSA will begin on the Effective Date and shall continue thereafter until each SOW expires unless sooner terminated. Either party may terminate, upon written notice of a non-breaching party (“Non-Defaulting Party”) to the breaching party (“Defaulting Party”) if Defaulting party:

a) Is in breach, which such breach is incapable of being cured, or if such breach can be cured (including nonpayment by Client) and such breach remains uncured for 30 days following written notice,

b) Is insolvent, subject to a bankruptcy or state law equivalent, makes an assignment for the benefit of creditors, has a receiver appointed by a court or admits to being unable to pay its obligations when due; and/or,

c) any other material breach of this Agreement and fails to cure such breach within thirty (30) days after receipt of written notice from the Non-Defaulting Party.

d) After the Term (or any extended term) of the SOW is fulfilled by providing sixty (60) days’ written notice prior to the end of the Term (or any extended term) of the SOW.

e) PAYMENT DEFAULT - ACCELERATED TERMINATION RIGHTS. If Client fails to make any payment to MSP pursuant to this MSA when such payment is due and does not fully cure such failure within five (5) business days after receipt of written notice thereof from MSP: (i) MSP may immediately suspend all Services without liability; (ii) MSP may, at its sole discretion, declare all remaining payments under all active SOWs immediately due and payable as accelerated payments; (iii) MSP may terminate this MSA and all SOWs; and (iv) Client remains obligated to pay all accelerated amounts per Section 2(j) below. Service suspension under this section does NOT relieve Client's obligation to pay Fees in accordance with all active SOWs and the remaining Term of this MSA.

f) MATERIAL BREACH - OTHER OBLIGATIONS. Subject to Section 2(e) above, if either party fails to perform any of its material obligations hereunder, other than failure to make payments to MSP, and does not fully cure such failure within fifteen (15) days after receipt of written notice from the non-defaulting party, the non-defaulting party may, in addition to any other rights it may have under this MSA, terminate this MSA subject to the early termination provisions of Section 2(i).

g) If, under the terms of this MSA, Client withdraws such quantity of Services and MSP, in its reasonable judgment, determines that is no longer economically feasible for MSP to continue to provide such Services based upon the then current pricing and contractual terms, then MSP may terminate this MSA upon thirty (30) days’ prior written notice.

h) SUB-TIER SERVICE PROVIDER OBLIGATIONS. Client acknowledges that portions of the SOW include sub-tier contracts between MSP and other sub-tier Service Providers. These sub-tier contracts include: (i) Non-disclosure language and confidential information MSP is not authorized to provide to Client; (ii) Minimum term commitments that cannot be terminated prior to expiration without financial penalty to MSP; (iii) Red asterisk identification in SOWs to denote sub-tier services. CRITICAL SUB-TIER PROVISION: If this MSA or any SOW is terminated for any reason other than MSP's material uncured breach, Client is financially responsible for paying all remaining term length obligations of said sub-tier contracts. Sub-tier Service Providers offer their services ONLY through authorized service entities such as MSP and not directly to end clients. At time of termination, MSP shall provide Client with: - Expiration dates of all sub-tier contracts - Total remaining financial obligations - Any disclosure information the sub-tier Service Providers authorize MSP to release to Client Sub-tier Service Provider services are identified in SOW with a Red asterisk.

i) Any equipment, software, materials which are the property of the MSP and are being utilized, leased, or rented to the Client as part of the Service MSA are the sole property of the MSP and in the event of a termination will be returned to the MSP immediately.

j) Early Termination Fees and Liquidated Damages. PURPOSE AND INTENT: The parties acknowledge and agree that: (i) MSP makes substantial upfront investments in onboarding, training, infrastructure, licensing, and resource allocation based on the committed Term of each SOW; (ii) Early termination causes MSP to incur actual damages including but not limited to lost profit margins, unrecovered setup costs, unutilized pre-purchased licenses, staff reallocation costs, and administrative expenses; (iii) Such damages would be extremely difficult to calculate with precision at the time of breach; (iv) The liquidated damages provisions below represent a reasonable pre-estimate of MSP's anticipated losses and are not penalties.