Managed Services Guide

This Services Guide contains provisions that define, clarify, and govern the scope of the services described in the quote that has been provided to you (the “Quote”), as well as the policies and procedures that we follow (and to which you agree) when we provide a service to you or facilitate a service for you.  If you do not agree with the terms of this Services Guide, you should not sign the Quote and you must contact us for more information.

This Services Guide is our “owner’s manual” that generally describes all managed services provided or facilitated by Stepping Forward Technology (“SFT,” “Stepping Forward,” “we,” “us,” or “our”); however, only those services specifically described in the Quote will be facilitated and/or provided to you (collectively, the “Services”).

This Services Guide is governed under our Master Services Agreement (“MSA”).  You may locate our MSA through the link in your Quote or, if you want, we will send you a copy of the MSA by email upon request. Capitalized terms in this Services Guide will have the same meaning as the capitalized terms in the MSA, unless otherwise indicated below.

Activities or items that are not specifically described in the Quote will be out of scope and will not be included unless otherwise agreed to by us in writing.

This Services Guide contains important provisions pertaining to the auto-renewal of the Services in the Quote, as well as fee increases that may occur from time to time.  Please read this Services Guide carefully and keep a copy for your records.

Onboarding Services

In the Onboarding phase of our services, we will prepare your IT environment for the monthly managed services described in the Quote. During this phase, we will work with your Authorized Contact(s) to review the information we need to prepare the targeted environment, and we may also:

  • Uninstall any monitoring tools or other software installed by previous IT service providers.
  • Compile a full inventory of all protected servers, workstations, and laptops.
  • Uninstall any previous endpoint protection and install our managed security solutions (as indicated in the Quote).
  • Install remote support access agents (i.e., software agents) on each managed device to enable remote support.
  • Configure Windows® and application patch management agent(s) and check for missing security updates.
  • Uninstall unsafe applications or applications that are no longer necessary.
  • Optimize device performance including disk cleanup and endpoint protection scans.
  • Review firewall configuration and other network infrastructure devices.
  • Review status of battery backup protection on all mission critical devices.
  • Stabilize network and assure that all devices can securely access the file server.
  • Review and document current server configuration and status.
  • Determine existing business continuity strategy and status; prepare backup file recovery and incident response option for consideration.
  • Review password policies and update user and device passwords.
  • As applicable, make recommendations for changes that should be considered to the managed environment.
  • Review current security posture and identify potential gaps in coverage.
  • Review technology status and configurations to identify potential high-risk findings, which will be reviewed with our primary contact at your office.

This list is subject to change if we determine, in our discretion, that different or additional onboarding activities are required.

If deficiencies are discovered during the onboarding process, we will bring those issues to your attention and discuss the impact of the deficiencies on our provision of our monthly managed services.  Please note, unless otherwise expressly stated in the Quote, onboarding-related services do not include the remediation of any issues, errors, or deficiencies (“Issues”), and we cannot guarantee that all Issues will be detected during the onboarding process.

The duration of the onboarding process depends on many factors, many of which may be outside of our control—such as product availability/shortages, required third party vendor input, etc.  As such, we can estimate, but cannot guarantee, the timing and duration of the onboarding process.  We will keep you updated as the onboarding process progresses.

Initial Audit / Diagnostic Services

In the Initial Audit/Diagnostic phase of our services, we audit your managed information technology environment (the “Environment”) to determine the readiness for, and compatibility with, ongoing managed services. Our auditing services may be comprised of some or all of the following:

  • Audit to determine general Environment readiness and functional capability
  • Review of hardware and software configurations
  • Review of current vendor service / warranty agreements for Environment hardware and software
  • Basic security vulnerability check
  • Basic backup and file recovery solution audit
  • Speed test and ISP audit
  • Print output audit
  • Office telephone vendor service audit
  • Asset inventory
  • Email and website hosting audit
  • IT support process audit

If deficiencies are discovered during the auditing process (such as outdated equipment or unlicensed software), we will bring those issues to your attention and discuss the impact of the deficiencies on our provision of the Services and provide you with options to correct the deficiencies.  Please note, unless otherwise expressly agreed by us in writing, auditing services do not include the remediation of any issues, errors, or deficiencies (“Issues”), and we cannot guarantee that all Issues will be detected during the auditing process.  Issues that are discovered in the Environment after the auditing process is completed may be addressed in one or more subsequent quotes and discussed with you.

Ongoing / Recurring Services

Ongoing/recurring services are services that are provided to you on an ongoing basis and, unless otherwise indicated in a Quote, are billed to you monthly. Some ongoing/recurring services will begin with the commencement of onboarding services; others will begin when the onboarding process is completed.  Please direct any questions about start or “go live” dates to your account manager.

Technology Success Managed Services

“Covered Users and Hardware”: See quote for supported Users, Email Accounts and Endpoints (Servers/Workstations)

CENTRALIZED SERVICES

SERVICES (for endpoints)

DESCRIPTION

Remote Monitoring and Management

SFT’s Remote Monitoring and Maintenance (RMM) service operates on a 24×7 basis, constantly monitoring managed equipment for errors, alerts, and pre-defined events. Our RMM service also permits us to remotely execute network-related management activities, such as modifying network configurations, installing updates, and running scripts to test the overall health of your managed network. Should an error, alert, or event occur, our technicians will be notified, and we will handle the situation(s) in accordance with our service levels, defined below.

Updates & Patching

  • Deploy updates (e.g., x.1 to 1.2), as well as bug fixes, minor enhancements, and security updates as deemed necessary on all managed hardware.
  • Perform minor hardware and software installations and upgrades of managed hardware.
  • Perform minor installations (i.e., tasks that can be performed remotely and typically take less than thirty (30) minutes to complete).
  • Deploy, manage, and monitor the installation of approved service packs, security updates and firmware updates as deemed necessary on all applicable managed hardware.

Advanced Software Management

Regular software updates and removal of unnecessary applications are essential for security, compliance, and performance in your IT environment.

The following restrictions apply:

  • The application must be in the supported programs list (See: Application Catalog)
  • The application can’t be running during the time of the installation, or it will be skipped during the update process

(NGAV) Endpoint Antivirus & Antimalware Protection

Next-Gen Antivirus software will be installed across all managed endpoints. These systems will be monitored 24/7 and definition updates are deployed as they are available from the manufacturer.

(EDR) Endpoint Detection & Response

Endpoint Detection and Response (EDR) is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.  It can record and store endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behavior, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.

(SOC) Security Operations Center

Our Security Operations Center (SOC) provides security monitoring and response services to the Endpoints, Network and Cloud (Microsoft 365). It includes SIEM log retention for 1 year across all managed devices.

  • SIEMless Log Monitoring: monitors, searches, alerts, and reports on 3 attack pillars: network, cloud, and endpoint log data spanning
  • Threat Intelligence & Hunting: real-time threat intelligence monitoring
  • Intrusion Monitoring: real-time monitoring of malicious and suspicious activity, identifying indicators such as (i) connections to terrorist nations, (ii) unauthorized TCP/UDP services, and (iii) backdoor connections to C2 servers.

SaaS Security & Automated Response

We centralize security monitoring across core cloud apps (like Microsoft 365, Google Workspace, Salesforce, Slack, and more) to detect risky behavior in real time and remediate it automatically.

It correlates user and device activity, applies best-practice configurations at scale, and provides clear alerts and reporting.

SERVICES (for accounts)

DESCRIPTION

Mailbox Protection

Mailbox Protection uses machine learning pattern detection to identify breaches, create instant alerts, and lock affected accounts, allowing you to quickly respond to SaaS security incidents.

Email Threat Protection

  • Managed email protection from phishing, business email compromise (BEC), SPAM, and email-based malware.
  • Friendly Name filters to protect against social engineering impersonation attacks on managed devices.
  • Protection against social engineering attacks like whaling, CEO fraud, business email compromise or W-2 fraud.
  • Protects against newly registered and newly observed domains to catch the first email from a newly registered domain.
  • Protects against display name spoofing.
  • Protects against “looks like” and “sounds like” versions of domain names.

NOTE: Email must be hosted on Microsoft 365 or G-Suite to receive this service.

Multifactor Authentication (MFA)

Multi-factor authentication (MFA) is an access security product used to verify a user’s identity at login. It adds two or more identity-checking steps to user logins. It works with devices like servers and workstations as well as services like Microsoft 365. MFA can optionally be applied to servers, desktops, and VPNs.

End User Security Awareness Training

  • Online, on-demand training videos (multi-lingual).
  • Online, on-demand quizzes to verify employee retention of training content.
  • Baseline testing to assess the phish-prone percentage of users; simulated phishing email campaigns designed to educate employees about security threats.

Ongoing Phishing Simulation with Training

Regular Phishing simulations help employees recognize, avoid, and report potential threats that can compromise critical business data and systems, including phishing, malware, ransomware, and spyware.

Real-time, in-the-flow coaching: When a user clicks a simulated phish, a pop-up appears immediately to explain what they missed and how to spot it next time. There’s no shaming, just guidance at the moment of need.

REMOTE HELP DESK SUPPORT

SERVICE

DESCRIPTION

REMOTE HELPDESK SUPPORT

Help Desk support is available during our business hours from 7:30am – 5:00pm MT for all covered applications, devices and users. This includes user training.

ONSITE HELP DESK SUPPORT

SERVICE

DESCRIPTION

ONSITE HELP DESK SUPPORT

Onsite Help Desk support is available after remote diagnostics during our business hours from 8:00am – 5:00pm MT for all covered applications, devices and users within 45 minutes of our Colorado Springs Office.

TECHNOLOGY ALIGNMENT

Proactive Technology Alignment

Technology Alignment is our process through which we help mitigate risk and prevent technical issues. It includes the following:

  • Discover and evaluate technical risks
  • Audit the technology to determine if it’s in line with our (over 200) best practice standards
  • Build Technology Alignment Summary reports to provide our clients risk assessment and strategic recommendations

NOTE: We schedule time every month for the technology alignment process, which includes an onsite visit for visual inspection and communication with the primary technical contact at your office.

STRATEGIC VIRTUAL CIO SERVICES (vCIO)

Strategic Business Reviews (SBRs)

Quarterly SBRs are meetings between our Virtual CIO and you, focused on making sure your technology will support your business goals. We focus on the following:

  • Building your Strategic Roadmap
  • Evaluate business risks as they relate to technology
  • Build short and long-term IT strategy
  • Build your annual IT budget
  • Review the “Technology Summary” reports provided by our Technology Alignment process
  • Keep informed of ongoing activities

Note: These services require quarterly collaborative meetings (SBRs) and input from a decision maker at your company.

What’s not Included in any Managed Service Agreement

Project Work (one-time initiatives)

One-time Project work, also known as Professional Services, is not included in this Statement of Work. A project is one of the following:

  • Technology Moves (e.g. an office move, or setting up computers in a new location)
  • Technology Adds: additional technology or software that does not currently exist in your environment today (e.g. deploying a new server or workstation, or installing or setting up new software across workstations)
  • Significant Changes: examples include major software upgrades (e.g. upgrading PCs from Windows 10 to Windows 11 or from Windows Home to Pro, or migrating services from one server or PC to another) and cyber incident response.


Important Note:
Projects will be quoted in advance and need to take an hour or more to be considered billable. This avoids excess one-time billing and provides the opportunity to approve the work before additional costs are incurred.

Term; Termination

The Services will commence, and billing will begin, on the date indicated in the Quote (“Commencement Date”) and will continue through the initial term listed in the Quote (“Initial Term”). We reserve the right to delay the Commencement Date until all onboarding/transition services (if any) are completed, and all deficiencies / revisions identified in the onboarding process (if any) are addressed or remediated to Stepping Forward’s satisfaction.

After the Initial Term, services will continue monthly until terminated in writing as provided in the Agreement, the Quote, or as indicated in this section (the “Service Term”).

Per Seat / Per Device Licensing: Regardless of the reason for the termination of the Services, you will be required to pay for all per seat licenses or per device licenses that we acquire on your behalf. Please see “Access Licensing” in the Fees section below for more details.

Removal of Software Agents; Return of Firewall & Backup Appliances: Unless we expressly direct you to do so, you will not remove or disable, or attempt to remove or disable, any software agents that we installed in the managed environment or any of the devices on which we installed software agents.  Doing so without our guidance may make it difficult or impracticable to remove the software agents, which could result in network vulnerabilities and/or the continuation of license fees for the software agents for which you will be responsible, and/or the requirement that we remediate the situation at our then-current hourly rates, for which you will also be responsible.  Depending on the particular software agent and the costs of removal, we may elect to keep the software agent in the managed environment but in a dormant and/or unused state.

Within ten (10) days after being directed to do so, Client will remove, package and ship, at Client’s expense and in a commercially reasonable manner, all hardware, equipment, and accessories provided to Client by PSH that were used in the provision of the Services.  If you fail to timely return all equipment to us, or if the equipment is returned to us damaged (normal wear and tear excepted), then we will have the right to charge you, and you hereby agree to pay, the replacement value of all such unreturned or damaged equipment.

Microsoft NCE Licensing: Regardless of the reason for the termination of the Services, you will be required to pay for all Microsoft NCE Licenses that we acquire on your behalf. Please see “Microsoft Licensing Fees” in the Fees section below for more details.

Additional Terms

Service Levels & Response Times

Automated monitoring is provided on an ongoing (i.e., 24x7x365) basis; response, repair, and/or remediation services (as applicable) will be provided only during business hours unless otherwise specifically stated in this SOW. We will respond to problems, errors, or interruptions in the provision of the Services in the timeframe(s) described below. Severity levels will be determined by SFT in our discretion after consulting with the Client.  All remediation services will initially be attempted remotely; SFT will provide onsite service only if remote remediation is ineffective and, under all circumstances, only if covered under the Service plan selected by Client.

 

Response Time1

Normal Business Hours

Monday – Friday, 7:30 AM to 5 PM

Extended Hours2

Holidays,  Monday – Friday, 7:00 AM to 7 PM
(additional fees may apply)

 Chat

Live Chat

A technician will respond, on average, in less than 10 minutes of initiating a chat session or phone call during SFT’s normal business hours.

For contact initiated during the normal business hours, a technician will begin working on the issue immediately subject to technician availability.

If an issue is not resolved during normal business hours, it will be logged and continued the following day.

For contact initiated outside of normal business hours, a ticket will be logged, and work will begin on the next business day.

For non-critical issues where a person is required onsite, we will schedule an engineer for an onsite visit in accordance with the severity of the problem and, at all times, subject to technician availability.

A representative will respond, on average, in less than 60 minutes of initiating a phone call during the extended hours any day of week.

A technician will begin working on the issue immediately subject to technician availability.

For non-critical issues where a person is required onsite, we will schedule an engineer for an onsite visit in accordance with the severity of the problem and, at all times, subject to technician availability.4

 

For clients that have opted out of paying for the Extended Hours monthly retainer, support requests will be addressed during our normal business hours. See below for details about purchasing a monthly retainer for Extended Hours support.

Phone

Live Answer

Email

4-48 Hours

Email support is for non-critical requests. Response time will vary from 1 hour to 48 hours depending on technician availability.

Examples of non-critical requests are:

  • Software installation
  • Issues for which a workaround has been implemented
  • Frequently asked questions (FAQ)-type requests
  • Adding / Deleting users
  • General consulting questions

1 Response time is calculated from the time that the request for help is received by us through our ticket system.  Requests received in any other manner (e.g. direct phone calls to an engineer, or text) may result in delayed or non-responses.

2 Extended Hours are not included.  Support access to a technician during extended hours (hours outside of SFT’s business hours) requires a pre-purchased $250 monthly retainer which includes one (1) hour of support. If Extended Hours support exceeds one hour, Client will be billed for such support at one and a half times (1.5x) our then-current hourly rates.  All partial hours after the first hour are billed in fifteen (15) minute increments, with partial increments billed to the next higher increment.

Covered Hardware / Supported Software

The Services will be applied to the equipment listed in this SOW (“Covered Users and Hardware”).

The Services will apply to the software on the Covered Hardware; however, all Supported Software must, at all times, be properly licensed, and under a maintenance and support agreement from the Supported Software’s manufacturer. In this SOW, Covered Hardware and Supported Software are referred to as the “Environment.”

Physical Locations Covered by Managed Services

Services will be provided remotely unless, in our discretion, we determine that an onsite visit is required.  SFT’s visits will be scheduled in accordance with the priority assigned to the issue (below) and are subject to technician availability.  Unless we agree otherwise, all onsite Services will be provided at Client’s primary office location listed in this SOW.  Additional fees may apply for onsite visits: Please review the Service Level section below for more details.

Offboarding

Subject to the requirements in the MSA, Stepping Forward will off-board Client from its services by performing one or more of the following:

  • Removal / disabling of monitoring agents in the Environment.
  • Removal / disabling of endpoint software from the Environment.
  • Removal / disabling of Microsoft 365 from the Environment (unless the licenses for Microsoft 365 are being transferred to your incoming provider; please speak to your technician for details.)
  • Termination of SQL or Remote Desktop licenses provided by PSH.
  • Removal of credentials from the Environment.
  • Removal of backup software from the Environment.

Assumptions / Minimum Requirements / Exclusions

The scheduling, fees and provision of the Services are based upon the following assumptions and minimum requirements:

  • Server hardware must be under current warranty coverage.
  • All equipment with Microsoft Windows® operating systems must be running then-currently supported versions of such software and have all the latest Microsoft service packs and critical updates installed.
  • All software must be genuine, licensed, and vendor-supported under a then-current OEM- or vendor-support agreement.
  • Server file systems, workstations, and email systems (if applicable) must be protected by licensed and up-to-date virus protection software. (Licenses are included in this SOW)
  • The Environment must have a currently licensed, vendor-supported server-based backup solution that can be monitored.
  • All servers must be connected to working UPS devices.
  • Recovery coverage assumes data integrity of the backups, or the data stored on the backup devices. We do not guarantee the integrity of the backups, or the data stored on the backup devices.  Server restoration will be to the point of the last successful backup.
  • Client must provide all software installation media and key codes in the event of a failure.
  • Any costs required to bring the Environment up to these minimum standards are not included in this SOW and may require project hours or additional hardware.
  • Client must provide us with exclusive administrative privileges to the Environment.
  • Client must not affix or install any accessory, addition, upgrade, equipment, or device on to the firewall, server, or NAS appliances (other than electronic data) unless expressly approved in writing by us.

Exclusions

Services that are not expressly described in this SOW are out of scope and will not be provided to Client unless otherwise agreed, in writing, by SFT. Without limiting the foregoing, the following services are expressly excluded, and if required to be performed, must be agreed upon by SFT in writing:

  • Customization of third-party applications, or programming of any kind.
  • Support for operating systems, applications, or hardware no longer supported by the manufacturer.
  • Data/voice wiring or cabling services of any kind.
  • Battery backup replacement.
  • Equipment relocation.
  • The cost to bring the Environment up to the Minimum Requirements (unless otherwise noted in “Scope of Services” above).
  • The cost of repairs to hardware or any supported equipment or software, or the costs to acquire parts or equipment, or shipping charges of any kind.

Changes to Environment

Initially, you will be charged the monthly fees indicated above.  Thereafter, if the managed environment changes, or if the number of authorized users accessing the managed environment changes, then you agree that the fees will be automatically and immediately modified to accommodate those changes. 

Minimum Monthly Fees

The initial Fees indicated in the SOW or Quote are the minimum monthly fees (“MMF”) that will be charged to you during the term.  You agree that the MMF will not decrease, regardless of the number of users or devices to which the Services are directed or applied, unless we agree to a reduction.  All modifications to the amount of hardware, devices, or authorized users under this SOW (as applicable) must be in writing and accepted by both parties. 

Increases

In addition, we reserve the right to increase our monthly recurring and data recovery fees; provided, however, if an increase is more than five percent (5%) of the fees charged for the Services in the prior calendar year, then you will be provided with a sixty (60) day opportunity to terminate the Services by providing us with written notice of termination. You will be responsible for the payment of all fees that accrue up to the termination date and all pre-approved, non-mitigatable expenses that we incurred in our provision of the Services through the date of termination.  Your continued acceptance or use of the Services after this sixty (60) day period will indicate your acceptance of the increased fees.

Travel Time

If onsite services are provided, we will travel up to 45 minutes from our office to your location at no charge.  Time spent traveling beyond 45 minutes (e.g., locations that are beyond 45 minutes from our office, occasions on which traffic conditions extend our drive time beyond 45 minutes one-way, etc.) will be billed to you at our then current hourly rates.  In addition, you will be billed for all tolls, parking fees, and related expenses that we incur if we provide onsite services to you.

Appointment Cancellations

You may cancel or reschedule any onsite appointment with us at no charge by providing us with notice of cancellation at least one business day in advance. If we do not receive timely notice of cancellation/re-scheduling, or if you are not present at the scheduled time or if we are otherwise denied access to your premises at a pre-scheduled appointment time, then you agree to pay us a cancellation fee equal to one (1) hour of our normal consulting time (or non-business hours consulting time, whichever is appropriate), calculated at our then-current hourly rates.

Automated Payment

You may pay your invoices by credit card and/or by ACH, as described below.  If you authorize payment by credit card and ACH, then the ACH payment method will be attempted first.  If that attempt fails for any reason, then we will process payment using your designated credit card.

  • When enrolled in an ACH payment processing method, you authorize us to electronically debit your designated checking or savings account, as defined and configured by you in our payment portal, for any payments due under this SOW.  This authorization will continue until otherwise terminated in writing by you.  We will apply a $35.00 service charge to your account for any electronic debit that is returned unpaid due to insufficient funds or due to your bank’s electronic draft restrictions.
  • Credit Card. When enrolled in a credit card payment processing method, you authorize us to charge your credit card, as designated by you in our payment portal, for any payments due under this SOW. Note: Credit card payments include a 2% processing fee to help offset our card-processing costs.

Microsoft Licensing Fees

The Services require that we purchase certain “per seat” licenses from Microsoft (which Microsoft refers to as New Commerce Experience or “NCE Licenses”) in order to provide you with one or more of the following applications: Microsoft 365, Dynamics 365, Windows 365, and Microsoft Power Platform (each, an “NCE Application”). To leverage the discounts offered by Microsoft for these applications and to pass those discounts through to you, we will purchase NCE Licenses for one (1) year terms for the NCE Applications provided to you under this SOW. As per Microsoft’s requirements, NCE Licenses cannot be canceled once they are purchased and cannot be transferred to any other customer. For that reason, you understand and agree that regardless of the reason for termination of the Services, you are required to pay for all applicable NCE Licenses in full for the entire term of those licenses. Provided that you have paid for the NCE Licenses in full, you will be permitted to use the applicable NCE Applications until the expiration of their license terms, even if you move to a different managed service provider.

Additional Terms

Monitoring Services; Alert Services

Unless otherwise indicated in this SOW, all monitoring and alert-type services are limited to detection and notification functionalities only.  These functionalities are guided by Client-designated policies, which may be modified by Client as necessary or desired from time to time.  Initially, the policies will be set to a baseline standard as determined by SFT; however, Client is advised to establish and/or modify the policies that correspond to Client’s specific monitoring and notification needs.

Remediation

Unless otherwise provided in this SOW, remediation services will be provided in accordance with the recommended practices of the managed services industry.  Client understands and agrees that remediation services are not intended to be, and will not be, a warranty or guarantee of the functionality of the Environment, or a service plan for the repair of any particular piece of managed hardware or software.

Configuration of Third-Party Services

Certain third-party services provided to you under this SOW may provide you with administrative access through which you could modify the configurations, features, and/or functions (“Configurations”) of those services.  However, any modifications of Configurations made by you without our knowledge or authorization could disrupt the Services and/or cause a significant increase in the fees charged for those third-party services.  For that reason, we strongly advise you to refrain from changing the Configurations unless we authorize those changes. You will be responsible for paying any increased fees or costs arising from or related to changes to the Configurations.

Dark Web Monitoring

Our dark web monitoring services utilize the resources of third-party solution providers.  Dark web monitoring can be a highly effective tool to reduce the risk of certain types of cybercrime; however, we do not guarantee that the dark web monitoring service will detect all actual or potential uses of your designated credentials or information. 

Modification of Environment

Changes made to the Environment without our prior authorization or knowledge may have a substantial, negative impact on the provision and effectiveness of the Services, and may impact the fees charged under this SOW. You agree to refrain from moving, modifying, or otherwise altering any portion of the Environment without our prior knowledge or consent.  For example, you agree to refrain from adding or removing hardware from the Environment, installing applications on the Environment, or modifying the configuration or log files of the Environment without our prior knowledge or consent.

Anti-Virus; Anti-Malware

Our anti-virus / anti-malware solution will generally protect the Environment from becoming infected with new viruses and malware (“Viruses”); however, Viruses that exist in the Environment at the time that the security solution is implemented may not be capable of being removed without additional services, for which a charge may be incurred.  We do not warrant or guarantee that all Viruses and malware will be capable of being detected, avoided, or removed, or that any data erased, corrupted, or encrypted by malware will be recoverable.  In order to improve security awareness, you agree that SFT or its designated third party affiliate may transfer information about the results of processed files, information used for URL reputation determination, security risk tracking, and statistics for protection against spam and malware. Any information obtained in this manner does not and will not contain any personal or confidential information.

Breach/Cyber Security Incident Recovery

Unless otherwise expressly stated in this SOW, the scope of the Services does not include the remediation and/or recovery from a Security Incident (defined below).  Such services, if requested by you, will be provided on a time and materials basis under our then-current hourly labor rates.  Given the varied number of possible Security Incidents, we cannot and do not warrant or guarantee (i) the amount of time required to remediate the effects of a Security Incident (or that recovery will be possible under all circumstances), or (ii) that all data impacted by the incident will be recoverable.  For the purposes of this paragraph, a Security Incident means any unauthorized or impermissible access to, modification, or use of the Environment or any data contained in the Environment (such as in a ransomware attack), or any unauthorized or impermissible disclosure of Client’s confidential information (such as user names, passwords, etc.), that (i) compromises the security or privacy of the information or applications in, or the structure or integrity of, the Environment, or (ii) prevents normal access to or use of the Environment or any data stored in or accessible through the Environment, or (iii) prevents, impedes, or disrupts any of the normal functions of the Environment.

Environmental Factors

The effectiveness of any audio or video equipment that we install (such as security cameras and security recording equipment) is limited by the features and functions of the installed devices. Exposure to environmental factors, such as water, heat, cold, dust, or varying lighting conditions, may cause installed equipment to malfunction. Given the number of environmental variables involved when recording security-related events, we do not and cannot guarantee that any video or audio equipment will clearly capture and/or record the details of events occurring at or near the installed equipment. 

Patch Management

We will keep all managed hardware and managed software current with critical patches and updates (“Patches”) as those Patches are released generally by the applicable manufacturers.  Patches are developed by third party vendors and, on rare occasions, may make the Environment, or portions of the Environment, unstable or cause the managed equipment or software to fail to function properly even when the Patches are installed correctly.  We will not be responsible for any downtime or losses arising from or related to the installation or use of any Patch.  We reserve the right, but not the obligation, to refrain from installing a Patch if we are aware of technical problems caused by a Patch, or we believe that a Patch may render the Environment, or any portion of the Environment, unstable.

IT Strategic Planning

Suggestions and advice rendered to Client are provided in accordance with relevant industry practices, based on Client’s specific needs and Stepping Forward’s opinion and knowledge of the relevant facts and circumstances.  By rendering advice, or by suggesting a particular service or solution, Stepping Forward is not endorsing any particular manufacturer or service provider. 

VCTO or VCIO Services

The advice and suggestions provided by us in our capacity as a virtual chief technology or information officer will be for your informational and/or educational purposes only.  SFT will not hold an actual director or officer position in Client’s company, and we will neither hold nor maintain any fiduciary relationship with Client.  Under no circumstances shall Client list or place SFT on Client’s corporate records or accounts.

No Third-Party Scanning

Unless we authorize such activity in writing, you will not conduct any test, nor request or allow any third party to conduct any test (diagnostic or otherwise), of the security system, protocols, processes, or solutions that we implement in the managed environment (“Testing Activity”).  Any services required to diagnose or remediate errors, issues, or problems arising from unauthorized Testing Activity are not covered under this SOW, and if you request us (and we elect) to perform those services, those services will be billed to you at our then-current hourly rates.

Obsolescence

If at any time any portion of the managed environment becomes outdated, obsolete, reaches the end of its useful life, or acquires “end of support” status from the applicable device’s or software’s manufacturer (“Obsolete Element”), then we may designate the device or software as “unsupported” or “non-standard” and require you to update the Obsolete Element within a reasonable time period.  If you do not replace the Obsolete Element reasonably promptly, then in our discretion we may (i) continue to provide the Services to the Obsolete Element using our “best efforts” only with no warranty or requirement of remediation whatsoever regarding the operability or functionality of the Obsolete Element, or (ii) eliminate the Obsolete Element from the scope of the Services by providing written notice to you (email is sufficient for this purpose).  In any event, we make no representation or warranty whatsoever regarding any Obsolete Element or the deployment, service level guarantees, or remediation activities for any Obsolete Element. 

Licenses

If we are required to re-install or replicate any software provided by you as part of the Services, then it is your responsibility to verify that all such software is properly licensed. We reserve the right, but not the obligation, to require proof of licensing before installing, re-installing, or replicating software into the managed environment.  The cost of acquiring licenses is not included in the scope of this SOW unless otherwise expressly stated therein.

Business Continuity & Disaster Recovery (BCDR)

All data transmitted over the Internet may be subject to malware and computer contaminants such as viruses, worms and trojan horses, as well as attempts by unauthorized users, such as hackers, to access or damage Client’s data.  Neither SFT nor its designated affiliates will be responsible for the outcome or results of such activities.

BDR services require a reliable, always-connected internet solution.  Data backup and recovery time will depend on the speed and reliability of your internet connection.  Internet and telecommunications outages will prevent the BDR services from operating correctly.  In addition, all computer hardware is prone to failure due to equipment malfunction, telecommunication-related issues, etc., for which we will be held harmless.  Due to technology limitations, all computer hardware, including communications equipment, network servers and related equipment, has an error transaction rate that can be minimized, but not eliminated.  SFT cannot and does not warrant that data corruption or loss will be avoided, and Client agrees that SFT shall be held harmless if such data corruption or loss occurs.  Client is strongly advised to keep a local backup of all stored data to mitigate against the unintentional loss of data.

Procurement

Equipment and software procured by SFT on Client’s behalf (“Procured Equipment”) may be covered by one or more manufacturer warranties, which will be passed through to Client to the greatest extent possible.  By procuring equipment or software for Client, SFT does not make any warranties or representations regarding the quality, integrity, or usefulness of the Procured Equipment.  Certain equipment or software, once purchased, may not be returnable or, in certain cases, may be subject to third party return policies and/or re-stocking fees, all of which shall be Client’s responsibility in the event that a return of the Procured Equipment is requested.  SFT is not a warranty service or repair center.  SFT will facilitate the return or warranty repair of Procured Equipment; however, Client understands and agrees that (i) the return or warranty repair of Procured Equipment is governed by the terms of the warranties (if any) governing the applicable Procured Equipment, for which SFT will be held harmless, and (ii) SFT is not responsible for the quantity, condition, or timely delivery of the Procured Equipment once the equipment has been tendered to the designated shipping or delivery courier.

Next Level Security and Compliance Services

Scope of Services

Stepping Forward Technology (“Provider”) will deliver its Next Level Security and Compliance Services (“Services”), which include access to a secure compliance platform for the centralized storage and management of the Client’s policies, procedures, and related documentation. The Provider will conduct strategic compliance and security meetings designed to assist the Client in understanding, planning for, and adhering to applicable laws, regulations, industry standards, and internal governance requirements.

Compliance Meetings

These meetings may include, but are not limited to, discussions and guidance regarding:

  • Policy and Procedure Implementation: Establishing and maintaining clear, written policies and procedures that outline how the Client will meet its regulatory and compliance obligations.

  • Training and Awareness: Educating employees on relevant laws, regulations, internal policies, and best practices to ensure understanding of roles and responsibilities.

  • Risk Assessment: Identifying and evaluating potential areas of non-compliance and the risks associated with those findings.

  • Monitoring and Auditing: Reviewing internal processes, performing periodic audits, and providing recommendations to ensure adherence to applicable standards.

  • Reporting: Advising on tracking, documentation, and escalation of compliance-related incidents to appropriate stakeholders or authorities.

  • Corrective Action: Offering guidance on investigating issues, identifying root causes, and developing action plans to prevent recurrence.

  • Oversight and Management: Supporting the Client in defining accountability structures, including the designation of a compliance officer or equivalent function.

  • Continuous Improvement: Reviewing and updating compliance practices in response to regulatory changes, operational feedback, audit outcomes, or evolving industry expectations.

Enhanced Security Services Offering

  • Endpoint Multi-Factor Authentication (MFA) Enforcement
    Implementation and management of advanced MFA controls across all managed endpoints to ensure strong identity verification and access protection.

  • Zero-Trust Application Control & Whitelisting
    Enforcement of a Zero-Trust security model through managed application allow-listing, preventing unauthorized or malicious software from executing within the environment.

  • Device Encryption Oversight & Key Management
    Centralized management and verification of full-disk encryption across applicable devices, including oversight of encryption status and secure key management processes.

  • Continuous Vulnerability Assessment & Reporting
    Scheduled vulnerability scans with ongoing analysis, prioritization, and reporting of security gaps, along with recommendations aligned to relevant compliance frameworks.

Out-of-Scope Items

Implementation of technical controls; drafting or customizing company-specific policies or procedures; executing corrective actions; and performing hands-on remediation activities are not included within the scope of this agreement. Should the Client require such services, Stepping Forward Technology will prepare a separate estimate and, upon approval, Stepping Forward’s Professional Services team will perform the work at the applicable rates.

Sample Policies, Procedures

From time to time, we may provide you with sample (i.e., template) policies and procedures for use in connection with Client’s business (“Sample Policies”).  The Sample Policies are for your informational use only, and do not constitute or comprise legal or professional advice, and the policies are not intended to be a substitute for the advice of competent counsel.  You should seek the advice of competent legal counsel prior to using or distributing the Sample Policies, in part or in whole, in any transaction.  We do not warrant or guarantee that the Sample Policies are complete, accurate, or suitable for your (or your customers’) specific needs, or that you will reduce or avoid liability by utilizing the Sample Policies in your (or your customers’) business operations.

Client Responsibilities

The Client retains responsibility for implementing recommendations, maintaining compliance with applicable requirements, and ensuring accurate and timely communication with Stepping Forward regarding operational changes, risks, or incidents relevant to the compliance program.

Hosting Services

You agree that you are responsible for the actions and behaviors of your users of the Services. In addition, you agree that neither Client, nor any of your employees or designated representatives, will use the Services in a manner that violates the laws, regulations, ordinances, or other such requirements of any jurisdiction. 

In addition, Client agrees that neither it, nor any of its employees or designated representatives, will: transmit any unsolicited commercial or bulk email, engage in any activity known or considered to be “spamming,” or carry out any “denial of service” attacks on any other website or Internet service; infringe on any copyright, trademark, patent, trade secret, or other proprietary rights of any third party; collect, attempt to collect, publicize, or otherwise disclose personally identifiable information of any person or entity without their express consent (which may be through the person or entity’s registration and/or subscription to Client’s services, in which case Client must provide a privacy policy which discloses any and all uses of information that you collect) or as otherwise required by law; or undertake any action which is harmful or potentially harmful to SFT or its infrastructure.

Client is solely responsible for ensuring that its login information is utilized only by Client and Client’s authorized users and agents. Client’s responsibility includes ensuring the secrecy and strength of user identifications and passwords. SFT shall have no liability resulting from the unauthorized use of Client’s login information.  If login information is lost, stolen, or used by unauthorized parties or if Client believes that any hosted applications or hosted data have been accessed by unauthorized parties, it is Client’s responsibility to notify SFT immediately to request the login information be reset or unauthorized access otherwise be prevented. SFT will use commercially reasonable efforts to implement such requests as soon as practicable after receipt of notice.

Fair Usage Policy

Our Fair Usage Policy (“FUP”) applies to all Services that are described or designated as “unlimited,” or any Service that is not expressly limited to a finite amount of time. An “unlimited” service designation means that, subject to the terms of this FUP, you may use the service as reasonably necessary for you to enjoy the use and benefit of the service without incurring additional time-based or usage-based costs.  However, unless expressly stated otherwise in this SOW, all unlimited services are provided during our normal business hours only and are subject to our technicians’ availabilities, which cannot always be guaranteed.  In addition, we reserve the right to assign our technicians as we deem necessary to handle issues that are more urgent, critical, or pressing than the request(s) or issue(s) reported by you.  Consistent with this FUP, you agree to refrain from (i) creating urgent support tickets for non-urgent or non-critical issues, (ii) requesting excessive support services that are inconsistent with normal usage patterns in the industry (e.g., requesting support in lieu of training), or (iii) requesting support or services that are intended to interfere, or may likely interfere, with our ability to provide our services to our other customers.

Hosted Email Policy

You are solely responsible for the proper use of any hosted email service provided to you (“Hosted Email”).  Hosted Email solutions are subject to acceptable use policies (“AUPs”), and your use of Hosted Email must comply with those AUPs. In all cases, you agree to refrain from uploading, posting, transmitting or distributing (or permitting any of your authorized users of the Hosted Email to upload, post, transmit or distribute) any prohibited content, which is generally content that (i) is obscene, illegal, or intended to advocate or induce the violation of any law, rule or regulation, or (ii) violates the intellectual property rights or privacy rights of any third party, or (iii) mischaracterizes you, and/or is intended to create a false identity or to otherwise attempt to mislead any person as to the identity or origin of any communication, or (iv) interferes with or disrupts the services provided by SFT or the services of any third party, or (v) contains Viruses, trojan horses or any other malicious code or programs.  In addition, you must not use the Hosted Email for the purpose of sending unsolicited commercial electronic messages (“SPAM”) in violation of any federal or state law.  SFT reserves the right, but not the obligation, to suspend Client’s access to the Hosted Email and/or all transactions occurring under Client’s Hosted Email account(s) if SFT believes, in its discretion, that Client’s email account(s) is/are being used in an improper or illegal manner.