This Master Services Agreement ("Agreement" or "MSA") sets forth the terms and conditions under which eSudo Technology Solutions, Inc., a California corporation ("eSudo," "we," "us," or "Consultant") agrees to provide technology products and services to you, the Client ("you," "your," "Company," or "Client"). eSudo and Client may be referred to individually as a "Party" and collectively as the "Parties."

This Agreement governs the overall relationship between the Parties. The specific services, pricing, and scope of work are defined in one or more Statements of Work, Quotes, or similar documents ("Service Orders") issued by eSudo and accepted by Client.

Client acknowledges that it has not relied on any representation, statement, or promise not expressly set forth in this Agreement.

1. Term and Termination

1.1 Term

This Agreement begins on the earlier of: (a) the date eSudo first provides services to Client, or (b) the date Client accepts a Quote or Service Order. Unless otherwise specified in the applicable Service Order, the Agreement remains in effect for the initial term stated therein and automatically renews for successive one (1) year terms unless either Party provides at least ninety (90) days' written notice of non-renewal before the end of the then-current term.

1.2 90-Day Happiness Guarantee

Client may terminate managed services within the first ninety (90) days of service without an early termination penalty if Client determines the services are not a good fit. This guarantee excludes hardware, software licenses, third-party subscriptions, and onboarding or project work already commenced. Client remains responsible for all costs incurred prior to termination.

1.3 Termination for Cause

Either Party may terminate this Agreement or any Service Order upon written notice if the other Party commits a material breach that remains uncured for thirty (30) days after written notice describing the breach in reasonable detail. Before invoking termination, eSudo will make a good-faith effort to resolve confirmed service failures and communicate status to Client's designated administrator within one (1) business day of the failure being confirmed. Non-payment by Client constitutes a material breach.

1.4 Early Termination by Client

If Client terminates this Agreement or any Service Order before the expiration of the agreed term for reasons other than eSudo's material breach, Client shall pay eSudo an early termination fee equal to: (a) all unpaid monthly recurring charges (MRC) for the remainder of the term; and (b) any non-recurring charges, hardware, software, subscriptions, or third-party costs incurred by eSudo on Client's behalf; less any direct costs reasonably avoided by eSudo as a result of the early termination. This fee represents a reasonable estimate of damages, not a penalty.

1.5 Effect of Termination

Termination of this Agreement does not automatically terminate any outstanding Service Orders, which remain in effect until completed or separately terminated. Provisions regarding limitation of liability, indemnification, confidentiality, payment obligations, and dispute resolution survive termination.

1.6 Offboarding and Safe Exit

Upon termination or expiration of this Agreement or any Service Order, eSudo will provide commercially reasonable transition assistance limited to systems and services actively managed by eSudo during the term. Transition assistance includes:

• return of administrative credentials and system access, where technically permitted;
• documentation maintained in the ordinary course of service delivery;
• available backup data or exports in standard formats; and
• reasonable coordination with Client or a successor provider.

All transition assistance is billable at eSudo's then-current professional services rates unless otherwise agreed in writing. Transition assistance does not include remediation, redesign, or rebuilding of systems. Client must request retrieval of data, credentials, and documentation within fifteen (15) days of termination. After this period, eSudo may remove access and delete retained data in accordance with its data retention policies, except where retention is required by law.

1.7 Independent Contractor

eSudo operates as an independent contractor. Nothing in this Agreement creates an employment, partnership, joint venture, or agency relationship. eSudo retains discretion over scheduling, task performance, and staffing, and may engage other clients without restriction.

2. Services and Service Orders

2.1 Scope of Services

All services provided by eSudo shall be described in written Service Orders, Quotes, Statements of Work, or similar documents. Services not expressly included in a Service Order are outside the scope of eSudo's obligations. eSudo's service commitments — including response time standards, escalation paths, and uptime targets — are defined in the applicable Service Order.

2.2 Acceptance of Service Orders

A Service Order is deemed accepted upon the earliest of: (a) written or electronic approval; (b) email confirmation from an authorized representative; (c) approval through eSudo's quoting or billing system; (d) payment; or (e) a request to proceed. Client-issued purchase orders or vendor onboarding documents do not modify the terms of this Agreement or any Service Order unless eSudo expressly agrees in a written amendment signed by an authorized officer.

2.3 Document Hierarchy

In the event of any conflict among the documents governing the services, this MSA governs the overall relationship. A Service Order governs service-specific details — including scope, pricing, deliverables, timelines, and service-level metrics — solely as they relate to that engagement. No Service Order may modify provisions of this MSA relating to limitation of liability, indemnification, warranties, intellectual property, dispute resolution, or governing law, unless the Service Order expressly identifies the specific MSA section being amended and is signed by authorized officers of both Parties.

2.4 Service Boundaries and Fair Use

eSudo's managed services are designed to support Client's normal business operations within the systems and devices specified in the applicable Service Order. Services are not intended to cover unsupported systems, remediation of client-caused issues, or non-standard work arising from Client's failure to follow eSudo's recommendations. eSudo may require a separate Service Order or additional fees for work outside the standard service scope.

2.5 Subcontractors

eSudo may engage qualified subcontractors or third-party vendors to assist in delivering services under this Agreement. All such subcontractors are bound by confidentiality obligations at least as protective as those set forth in Section 8 of this Agreement. eSudo remains responsible for the performance of services delivered through subcontractors as if performed directly by eSudo.

2.6 Authorized Contacts

Only individuals designated in the Service Order may direct eSudo's service delivery. Client must notify eSudo in writing of any changes to authorized contacts. eSudo may rely on instructions from the last known authorized contact.

2.7 Version Control

The applicable version of this MSA for each Service Order is identified by the "Last Updated" date on this document. By accepting a Service Order, Client agrees to the version of the MSA in effect at the time of acceptance.

3. Pricing and Billing

3.1 Fees

All fees are defined in the applicable Service Order. Monthly recurring charges (MRC) are invoiced in advance and due by the 10th of each month. Payment is preferred via Zelle, ACH, or wire transfer. Non-recurring charges — including hardware, out-of-scope work, and shipping — are invoiced separately.

3.2 Shipping and Logistics

Client is responsible for all shipping, handling, insurance, and logistics charges associated with hardware delivery, including shipment to employee residences. Such charges are billed at actual cost. Hardware will not be released for delivery until a confirmed delivery address and approved shipping estimate are on file.

3.3 Late Payment

Invoices unpaid after fifteen (15) days are subject to a late fee of 1.5% per month, or the maximum rate permitted by California law. eSudo may suspend services after notice of non-payment. eSudo is not liable for losses arising during a period of suspension due to Client's non-payment.

3.4 Annual Fee Adjustments

eSudo may adjust the MRC annually to reflect changes in vendor licensing costs, cybersecurity platform costs, insurance premiums, labor, and general economic conditions. eSudo will provide at least ninety (90) days' written notice of any adjustment. Annual adjustments will typically fall within a range of 4–7%. If a vendor-driven increase materially exceeds this range, eSudo will notify Client and work in good faith to review scope or adjust the Service Order accordingly. Pricing adjustments do not affect the term of any Service Order.

3.5 Taxes

Client is responsible for all applicable federal, state, and local taxes, duties, and assessments arising from services provided under this Agreement, excluding taxes on eSudo's income.

3.6 Invoice Disputes

Client must notify eSudo of any invoice dispute in writing, with supporting documentation, within thirty (30) days of the invoice date. Failure to dispute within this period constitutes acceptance of the invoice. Client must pay all undisputed amounts by their due date regardless of any pending dispute.

3.7 Non-Refundability

All fees are non-refundable once services have commenced, except as expressly provided in Section 1.2 (90-Day Happiness Guarantee).

3.8 Acceptance by Payment

Payment of any invoice constitutes Client's acknowledgment and acceptance of the terms of this Agreement, including all applicable Service Orders and the Client Handbook.

4. Client Responsibilities

4.1 General Obligations

Client agrees to:

• provide accurate and current information necessary for eSudo to perform the services;
• maintain designated authorized contacts and notify eSudo promptly of any changes;
• refrain from unauthorized access to, or modification of, systems supported by eSudo;
• obtain eSudo's prior written approval before introducing unapproved hardware, software, or third-party services into the managed environment;
• maintain secure remote access as required by eSudo; and
• permit installation and operation of monitoring, management, and security tools on covered systems. Disabling or removing these tools limits eSudo's ability to deliver services and reduces eSudo's obligations accordingly.

4.2 Following Security Recommendations

Client is responsible for implementing security measures recommended by eSudo in writing. If Client declines or delays implementing a recommended control, Client assumes the associated risk, and eSudo's liability for incidents attributable to the absence of that control is reduced accordingly. eSudo will document all material security recommendations in writing to Client's authorized contact.

4.3 Third-Party Products and Agreements

Client is responsible for reviewing and complying with all third-party agreements — including end-user license agreements (EULAs), terms of service, and acceptable use policies — associated with products and platforms supported by eSudo. Third-party agreements may change without notice to eSudo. eSudo disclaims all liability for the performance, security, availability, or compliance of any third-party product or platform.

4.4 Power of Attorney for Software License Acceptance

If Client requests eSudo to procure, install, or configure software or cloud services on Client's behalf, Client grants eSudo a limited power of attorney solely for the purpose of accepting EULAs and terms of service required for the proper installation and use of such software. Client acknowledges that it is bound by such agreements, and eSudo has no liability beyond the terms of those agreements.

4.5 Client Handbook

By executing this Agreement, Client agrees to read and comply with eSudo's Client Handbook ("Handbook"), which is incorporated into this Agreement by reference and is available at esudo.com/client-handbook. Client is responsible for reviewing the Handbook prior to or concurrent with execution of this Agreement. The version of the Handbook published at esudo.com/client-handbook on the date of Client's signature constitutes the applicable Handbook for purposes of this Agreement, even if the Handbook is subsequently updated.

eSudo may update the Handbook to reflect changes in technology, industry best practices, or operational requirements. Updates that materially affect Client's legal obligations or fees will be provided in writing to Client's designated contact and will not take effect until at least fifteen (15) days after such notice, unless otherwise agreed by the Parties. eSudo will maintain archived versions of the Handbook; the version applicable to each Client engagement is available upon request.

Operational guidelines set forth in the Client Handbook, including any service response or resolution timeframes, reflect eSudo's service objectives and are not contractual guarantees. eSudo's binding service commitments are governed exclusively by this Agreement and the applicable Service Order.

The Client Handbook is eSudo's confidential and proprietary material and may not be shared with third parties without eSudo's prior written consent.

4.6 Non-Solicitation

During the term of this Agreement and for twelve (12) months following its expiration or termination, Client will not directly solicit or hire any eSudo employee or contractor who provided services under this Agreement. If Client violates this provision, Client shall pay eSudo liquidated damages equal to fifty percent (50%) of the hired individual's first-year compensation, which the Parties agree is a reasonable estimate of eSudo's recruitment and training costs.

5. Warranties and Limitation of Liability

5.1 Limited Warranty

eSudo warrants that its services will be performed in a professional and workmanlike manner consistent with industry standards. If Client notifies eSudo of a deficiency in services within thirty (30) days of performance, eSudo will re-perform the deficient services at no additional charge as Client's sole and exclusive remedy for breach of this warranty.

5.2 Disclaimer of Other Warranties

EXCEPT AS EXPRESSLY SET FORTH IN SECTION 5.1, ESUDO PROVIDES ALL SERVICES AND PRODUCTS "AS IS" AND DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

5.3 No Security Guarantee

eSudo implements commercially reasonable security measures consistent with current industry standards. However, eSudo does not warrant or guarantee that Client's systems will be free from unauthorized access, cyberattacks, ransomware, data breaches, or data loss. The implementation of eSudo's recommended security controls reduces risk but does not eliminate it. Cybersecurity incidents may occur despite eSudo's best efforts, and the occurrence of such an incident does not, by itself, constitute a breach of this Agreement.

5.4 No Data or Performance Guarantee

eSudo does not warrant uninterrupted or error-free operation of any system, network, or service. Unless a data backup service is expressly included in a Service Order, eSudo is not responsible for data backups or recovery. Client is solely responsible for maintaining its own data backup strategy.

5.5 Limitation of Liability

To the fullest extent permitted by law, eSudo's total cumulative liability to Client for any and all claims arising under or related to this Agreement — whether in contract, tort, negligence, or otherwise — shall not exceed the total fees paid by Client to eSudo in the three (3) calendar months immediately preceding the event giving rise to the claim.

In no event shall eSudo be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including but not limited to lost profits, lost revenue, loss of business, loss of data, or cost of substitute services, even if eSudo has been advised of the possibility of such damages.

5.6 Cybersecurity Insurance Disclaimer

eSudo's services are not a substitute for cybersecurity liability insurance. Client is encouraged to maintain cyber liability insurance appropriate to its business size and data exposure. eSudo's services reduce risk; they do not transfer it.

5.7 Supply Chain and Vendor Risk

eSudo is not responsible for failures, outages, security incidents, or changes in service caused by third-party vendors, cloud platform providers, software publishers, or telecommunications carriers. Client assumes the risk of relying on third-party products and platforms, including those procured or managed by eSudo on Client's behalf.

6. Insurance and Risk Allocation

6.1 eSudo's Insurance

eSudo maintains professional liability (errors and omissions) and cyber liability insurance appropriate to the nature and scope of its services. eSudo's insurance is maintained to protect eSudo's own business operations. It does not extend to Client, Client's systems, or Client's data, and does not serve as a substitute for Client's own insurance.

6.2 Client's Insurance

Client is responsible for maintaining commercially reasonable insurance coverage appropriate to its own business operations, including general liability and property insurance. Client is strongly encouraged to maintain cyber liability insurance. eSudo may request proof of insurance upon reasonable notice. Each Party is responsible for its own losses to the extent not covered by the other Party's obligations under this Agreement.

6.3 Mutual Waiver of Subrogation

To the extent permitted by applicable law, each Party waives any right of recovery against the other Party for losses covered by its own insurance policies, including workers' compensation, professional liability, general liability, property, and cyber liability insurance. The intent of this provision is to ensure that insurance — rather than litigation between the Parties — is the primary mechanism for addressing covered losses.

7. Indemnification

7.1 Mutual Indemnification

Each Party shall defend, indemnify, and hold harmless the other Party and its officers, directors, employees, and agents from and against any third-party claims, losses, damages, liabilities, and reasonable attorneys' fees arising from the indemnifying Party's gross negligence, willful misconduct, or material breach of this Agreement, subject to the limitations in Section 5.5. For example, if eSudo's own gross negligence directly causes a security breach, eSudo will indemnify Client for resulting third-party claims. If Client's failure to implement eSudo's recommendations enables an attack, Client will indemnify eSudo for resulting claims.

7.2 Client Indemnification of eSudo

In addition to Section 7.1, Client shall defend, indemnify, and hold harmless eSudo from and against third-party claims arising from:

• Client's failure to implement or maintain security controls recommended in writing by eSudo;
• system misconfigurations or changes made by Client or third parties not authorized by eSudo;
• unauthorized third-party access to Client's systems caused by Client's acts or omissions;
• Client's misuse of AI services or third-party platforms managed by eSudo;
• Client's failure to comply with applicable laws, regulations, or professional rules; or
• inaccurate or incomplete information provided by Client to eSudo.

8. Confidentiality and Data Protection

8.1 Mutual Confidentiality

Each Party agrees to hold the other Party's Confidential Information in strict confidence and not to disclose it to any third party without prior written consent, except as required by law. "Confidential Information" includes proprietary business information, technical data, pricing, trade secrets, and any information designated as confidential. This obligation survives termination of this Agreement.

8.2 Permitted Disclosures

Confidential Information may be shared with employees, contractors, or agents on a need-to-know basis, provided they are bound by confidentiality obligations at least as protective as those in this Agreement. Each Party is responsible for the compliance of its personnel and authorized subcontractors.

8.3 Data Protection

eSudo shall handle Client data solely for the purpose of providing the services under this Agreement and shall not use Client data for any other purpose. eSudo shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Client data against unauthorized access, use, or disclosure.

8.4 California Privacy Law

To the extent eSudo processes personal information of California residents on Client's behalf, eSudo agrees to do so only as necessary to provide the services under this Agreement, and shall not sell or share such personal information except as required to perform those services or as permitted by applicable law. The Parties acknowledge that engagements involving material processing of personal information subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) may require a separate Data Processing Addendum (DPA). eSudo and Client agree to negotiate such an addendum in good faith if required for Client's compliance obligations.

9. Intellectual Property

9.1 eSudo Work Product

eSudo retains all rights, title, and interest in and to any work product, tools, methodologies, scripts, configurations, templates, or processes developed by eSudo in connection with the services, including any improvements to eSudo's pre-existing intellectual property. Upon full payment of all fees due, Client receives a limited, non-exclusive, non-transferable license to use such work product solely for Client's internal business purposes during the term of this Agreement.

9.2 Client Data

Client retains all rights to its own data. eSudo's access to and use of Client data is limited strictly to what is necessary to provide the services under this Agreement.

10. Artificial Intelligence Services

10.1 Scope

When eSudo provides, configures, or supports artificial intelligence tools, platforms, or AI-assisted features ("AI Services") on behalf of Client, those services are governed by this Section in addition to the applicable Service Order. AI Services may include AI-assisted productivity tools, AI security monitoring, AI-powered automation, and the configuration of AI features within third-party platforms such as Microsoft 365 Copilot.

10.2 Inherent Limitations

Client acknowledges that AI tools involve inherent limitations and may produce inaccurate, incomplete, or unexpected outputs. eSudo does not warrant the accuracy, reliability, or fitness of any AI-generated result for any particular purpose. eSudo's role is to configure and support AI tools in accordance with the Service Order. eSudo is not responsible for decisions Client makes based on AI-generated outputs.

10.3 Data and Privacy Risks

AI platforms may process, store, or transmit Client data through third-party infrastructure beyond eSudo's control. Client is solely responsible for:

• reviewing and accepting the applicable AI vendor's terms of service and privacy policy;
• determining whether use of AI tools is consistent with Client's confidentiality obligations, professional responsibility rules, or applicable regulations; and
• ensuring that sensitive client data is not submitted to AI platforms in violation of applicable law or professional rules.

10.4 No Compliance Guarantee

eSudo's configuration or support of AI tools does not constitute a representation that such tools comply with any applicable law, professional rule, or regulatory requirement, including the CCPA, HIPAA, or ABA Model Rules of Professional Conduct.

10.5 Acceptable Use

Client agrees to use AI Services only for lawful purposes and in accordance with the applicable vendor's acceptable use policy. Client shall not use AI tools to process data in a manner that violates applicable law or causes harm to third parties. Client shall indemnify eSudo for any claims arising from Client's misuse of AI Services.

10.6 Vendor Changes

AI platforms and features are subject to change, discontinuation, or repricing by the underlying vendor without advance notice to eSudo. eSudo will make reasonable efforts to notify Client of material changes but is not liable for disruptions caused by vendor-side modifications to AI platforms.

11. Cybersecurity Incident Response Roles

11.1 Scope of This Section

This Section defines the respective roles and responsibilities of eSudo and Client in the event of a suspected or confirmed cybersecurity incident, including ransomware, unauthorized access, data breaches, or denial-of-service events affecting Client's IT environment. Unless explicitly stated in a separate Incident Response Service Order signed by both Parties, incident response is not included in eSudo's managed services. eSudo is a managed IT services provider — not a cybersecurity incident response firm.

11.2 Client's Responsibilities During an Incident

Upon discovery of a suspected or confirmed cybersecurity incident, Client is responsible for the following, in order:

• Notify Client's cyber liability insurer immediately and in accordance with the insurer's reporting requirements. Failure to provide timely notice to the insurer may void or limit coverage.
• Contact eSudo's support line to report the incident and initiate coordination.
• Engage a qualified incident response firm if required by the insurer or if the scope of the incident warrants forensic investigation. eSudo can provide referrals upon request.
• Preserve evidence: do not wipe, reimage, or restore systems without coordination with the incident response team and eSudo.

11.3 eSudo's Role During an Incident

Upon notification of a cybersecurity incident, eSudo will, within the scope of its managed services:

• assist in isolating affected systems where technically feasible;
• provide reasonable cooperation to Client's incident response team, insurer, or forensic investigators, including access to system logs, configuration data, and documentation; and
• work with Client and its designated response team to support recovery efforts.

eSudo's cooperation is provided on a best-efforts basis and does not constitute incident response services. Time spent by eSudo personnel supporting incident response activities beyond normal managed service scope is billable at eSudo's then-current professional services rate.

11.4 Clients Without Cyber Insurance

If Client does not maintain cyber liability insurance at the time of an incident, Client acknowledges and agrees that:

• Client must notify eSudo as soon as reasonably practicable, and no later than twenty-four (24) hours after discovery of a suspected incident;
• Client and eSudo will schedule a call within one (1) business day to assess the situation and establish a mutually agreed recovery plan;
• Client accepts sole financial responsibility for any incident response, forensic investigation, breach notification, legal counsel, or recovery costs; and
• work outside the scope of eSudo's managed services requires Client's written approval and a separate Service Order before commencement.

11.5 Breach Notification Responsibility

Client is solely responsible for determining whether a cybersecurity incident triggers any breach notification obligation under applicable law — including California Civil Code §1798.29 and §1798.82 — and for issuing required notifications. eSudo does not provide legal or compliance advice regarding breach notification obligations.

11.6 Limitation of Liability During Incidents

eSudo's liability in connection with any cybersecurity incident is governed by Section 5.5. eSudo is not liable for losses arising from Client's failure to maintain cyber insurance, Client's failure to follow eSudo's documented security recommendations, or actions taken by Client or third parties during or after an incident.

12. Client Employee and User Compliance

12.1 Shared Responsibility Model

Effective cybersecurity requires cooperation between eSudo and Client. eSudo provides the technical tools, platforms, and controls. Client's leadership and management team are responsible for championing security requirements within their organization and ensuring that staff comply with applicable policies. eSudo does not act as Client's internal compliance authority or HR function.

12.2 Client Management Obligations

Client's designated administrator or management representative agrees to:

• communicate eSudo's security requirements to all staff who access Client's IT systems;
• support and promote participation in security awareness training provided or facilitated by eSudo;
• promptly notify eSudo of personnel changes — including new hires, departures, and role changes — that affect system access; and
• take reasonable internal action when users fail to comply with security requirements.

12.3 Technical Enforcement by eSudo

Where eSudo manages Client's technology platforms — including Microsoft 365, identity management, and endpoint security — eSudo is authorized to enforce technical security controls as specified in the applicable Service Order. Such controls may include:

• multi-factor authentication (MFA) enforcement for all managed accounts and applications;
• conditional access policies restricting access from unmanaged or non-compliant devices;
• automatic session timeouts, password complexity requirements, and similar identity controls; and
• blocking or flagging access attempts that do not meet established security baselines.

Technical enforcement applies only to systems and platforms actively managed by eSudo under an applicable Service Order. eSudo will notify Client's designated administrator before implementing material changes to access controls that may affect user workflows. Emergency controls required to contain an active security threat may be implemented immediately, with notification to Client as soon as practicable.

12.4 User Non-Compliance

If a user fails to complete required security training, enroll in MFA, or comply with other documented security requirements within a reasonable timeframe, eSudo may — with prior notice to Client's designated administrator — restrict or suspend the non-compliant user's access to managed systems until compliance is achieved. Client acknowledges that eSudo's liability for security incidents attributable to user non-compliance is reduced in proportion to Client's failure to enforce compliance within its organization.

12.5 Security Awareness Training

When cybersecurity awareness training is included in a Service Order, eSudo will provide or facilitate access to a training platform. Completion of training is the joint responsibility of Client's management and individual users. eSudo will provide completion reports to Client's administrator upon request and is not responsible for ensuring individual user participation beyond making training available and reporting completion status.

13. Regulatory Compliance Disclaimer

13.1 Technology Services Only

eSudo provides information technology services, cybersecurity tools, and managed IT support. eSudo does not provide legal advice, compliance consulting, regulatory guidance, or professional services of any kind outside the scope of information technology. Nothing in this Agreement, any Service Order, or any communication from eSudo constitutes legal, compliance, regulatory, or professional advice of any kind.

13.2 Client Remains Responsible for Compliance

Client is solely responsible for understanding and complying with all laws, regulations, professional rules, and industry standards applicable to its business, including but not limited to:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA);
• Health Insurance Portability and Accountability Act (HIPAA), where applicable;
• ABA Model Rules of Professional Conduct and applicable state bar rules, for law firm clients;
• FTC Safeguards Rule, for applicable financial services clients; and
• any other federal, state, or industry-specific data protection or privacy requirements.

13.3 How eSudo's Services Support Compliance

eSudo's services are designed to help Client maintain a secure, well-managed technology environment — which is the foundation every compliance framework is built on. While eSudo's services support compliance, they do not constitute a compliance program and should not be relied upon as one. Specifically, eSudo can:

• implement technical controls commonly required by regulatory frameworks, such as MFA, encryption, access logging, and endpoint protection;
• provide documentation of implemented controls upon request;
• assist in completing the technical portions of security assessments or audits; and
• refer Client to qualified compliance or legal resources when regulatory questions arise.

13.4 No Guarantee of Audit Readiness

eSudo does not guarantee that its services will result in Client passing any audit, examination, certification, or regulatory review. eSudo's services reduce risk and support best practices; they do not substitute for a complete compliance program.

14. Device Scope and Remote Worker Coverage

14.1 Managed Devices Only

eSudo's managed services apply exclusively to devices and systems that are: (a) company-owned or company-authorized; and (b) enrolled in eSudo's management platform under an applicable Service Order ("Managed Devices"). Coverage follows the device, not the user's physical location. A Managed Device used at a remote location — including an employee's home — remains within scope. A personal device used by the same employee is not covered, regardless of whether it is used to access company systems.

14.2 Devices Not Covered

The following are expressly outside the scope of eSudo's managed services unless separately specified in a Service Order:

• personal computers, laptops, tablets, or mobile devices owned by employees, contractors, or principals that are not enrolled in eSudo's management platform;
• home networking equipment, personal routers, or consumer-grade internet infrastructure;
• devices used to access company systems via personal accounts or unauthorized configurations; and
• any device removed from eSudo's management platform, whether intentionally or due to technical failure.

14.3 Multi-Location and Remote Work

eSudo's managed services extend to Managed Devices regardless of physical work location, including satellite offices, remote and hybrid work environments, and temporary locations, provided the device remains enrolled and connected to eSudo's management infrastructure. eSudo is not responsible for connectivity issues arising from Client's home or remote network infrastructure.

14.4 BYOD Environments

If Client operates a bring-your-own-device (BYOD) policy, Client acknowledges that personal devices not enrolled in eSudo's management platform represent an elevated security risk. eSudo may implement conditional access policies to restrict access to managed systems from unmanaged personal devices, where technically feasible. eSudo is not liable for security incidents originating from or facilitated by unmanaged personal devices.

14.5 New Locations and Devices

Client must notify eSudo in writing before adding new office locations, remote work arrangements requiring new infrastructure, or significant changes to device inventory. Onboarding new locations or devices may require an amended or new Service Order and may be subject to additional fees. eSudo is not responsible for coverage gaps resulting from Client's failure to notify eSudo of material changes to its environment.

15. Default

15.1 Client Default

Client is in default upon: (a) failure to pay any undisputed invoice within fifteen (15) days of the due date; (b) material breach of any provision of this Agreement that remains uncured for thirty (30) days after written notice; or (c) Client's insolvency, assignment for the benefit of creditors, or commencement of bankruptcy or receivership proceedings. Upon default, eSudo may suspend services, terminate this Agreement or any Service Order, and pursue all available remedies.

15.2 eSudo Default

eSudo is in default upon a material breach of this Agreement that remains uncured for thirty (30) days after written notice from Client describing the breach in reasonable detail. Upon eSudo's default, Client's sole remedy is termination of the affected Service Order and recovery of fees paid for services not performed, subject to Section 5.5.

16. Dispute Resolution and General Provisions

16.1 Good-Faith Resolution

Before initiating any formal legal proceeding, the Parties agree to attempt to resolve any dispute through direct good-faith negotiation between authorized representatives. Either Party may request a meeting within ten (10) business days of written notice of a dispute.

16.2 Mediation

If good-faith negotiation does not resolve the dispute within thirty (30) days, the Parties agree to participate in non-binding mediation in Santa Clara County, California, with costs shared equally. Either Party may seek emergency injunctive or equitable relief from a court of competent jurisdiction without first completing mediation.

16.3 Governing Law and Venue

This Agreement is governed by the laws of the State of California, without regard to its conflict-of-law provisions. The Parties consent to exclusive jurisdiction and venue in the state and federal courts located in Santa Clara County, California.

16.4 Attorney's Fees

The prevailing Party in any dispute arising out of or related to this Agreement is entitled to recover reasonable attorneys' fees and costs from the non-prevailing Party.

16.5 Notices

All notices must be in writing and are deemed delivered upon: (a) personal delivery; (b) confirmed email to the Party's designated contact; or (c) forty-eight (48) hours after deposit in U.S. certified mail, postage prepaid. Notices to eSudo must be sent to [email protected] in addition to any other designated contact.

16.6 Entire Agreement

This Agreement, together with all Service Orders and incorporated documents, constitutes the entire agreement between the Parties and supersedes all prior and contemporaneous agreements, representations, and understandings. Modifications require a written amendment signed by authorized representatives of both Parties.

16.7 Severability

If any provision of this Agreement is found to be unenforceable, it shall be modified to the minimum extent necessary to make it enforceable. All remaining provisions continue in full force and effect.

16.8 No Waiver

A Party's failure to enforce any provision of this Agreement does not constitute a waiver of its right to enforce that provision in the future.

16.9 Assignment

Client may not assign or transfer this Agreement or any rights hereunder without eSudo's prior written consent. eSudo may assign this Agreement in connection with a merger, acquisition, or transfer to an affiliate without Client's consent.

16.10 Force Majeure

Neither Party is liable for delays or failures in performance caused by events beyond its reasonable control, including natural disasters, acts of government, pandemics, power failures, or internet outages. If a force majeure event continues for more than thirty (30) days, either Party may terminate the affected Service Order upon ten (10) days' written notice without further obligation.

16.11 Counterparts and Electronic Signatures

This Agreement may be executed in counterparts, each of which constitutes an original. Electronic signatures are legally binding and have the same force and effect as original handwritten signatures under California Civil Code §1633.1 et seq.

16.12 Headings

Section headings are included for convenience only and do not affect the interpretation of this Agreement.

For legal notices: [email protected]