Service Level Agreement

(5) DESCRIPTION OF SERVICES

(5)(1) Remote Monitoring and Management - Software agents installed on Covered Equipment (as defined below) continuously monitor status and events 24/7, with alerts generated and addressed in accordance with the Service Levels outlined below.

(5)(2) Remote Helpdesk - Remote support is available during normal business hours for managed devices and covered software. Our tiered-level support structure ensures a seamless escalation process, enabling us to provide efficient and effective solutions tailored to your needs.

(5)(3) Remote Infrastructure Maintenance/ Onsite Support - Configuration, monitoring, and preventative maintenance services are provided for the managed IT infrastructure. If remote troubleshooting efforts are unsuccessful, HERO will dispatch a technician to the Client's premises to address covered incidents. Onsite support is subject to technician availability and scheduling.

(5)(4) Backup and Disaster Recovery - The backup system, including offsite backup, offsite replication, and an onsite Backup Appliance, is monitored 24/7. Services include troubleshooting and remediation of failed backup disks, preventive maintenance and management of imaging software, firmware and software updates for the Backup Appliance, and problem analysis by the network operations team. Backup successes and failures are continuously monitored, and backups are performed daily.

(5)(4)(A) Backup Data Security - All backed-up data is secured using 256-bit AES encryption, both in transit and at rest. The facilities housing the backed-up data are equipped with robust physical security measures, including security cameras and access logs. Additionally, these facilities feature multiple internet connections with failover capabilities to ensure reliability and continuity.

(5)(4)(B) Backup Retention - Backed-up data will be retained for 90 days unless a longer retention period is specified in the Statement of Work.

(5)(4)(C) Backup Alerts - Managed servers will be configured to notify of any backup failures or missed jobs.

(5)(4)(D) Recovery of Data - If you need to recover any of your backed-up data, requests can be made during our normal business hours, which are currently 7:00 AM to 7:00 PM. To request a data restoration, you can contact us by email at [email protected] or by telephone at 855-511-HERO. We will make every effort to restore your data as quickly as possible upon receiving your request; however, all data restoration services are subject to availability and other factors such as bandwidth and amount of data being restored.

(5)(5) Patch Management - We deploy updates, including version changes (e.g., x.1 to x.2), bug fixes, minor enhancements, and security patches, as deemed necessary for all managed hardware. Additionally, we perform minor hardware and software installations and upgrades, as well as remote installations that typically take less than thirty (30) minutes to complete. We also deploy, manage, and monitor the installation of approved service packs, security updates, and firmware updates as necessary for all applicable managed hardware.

(5)(6) Firewall Solution - Our services help prevent unauthorized access to internal networks by blocking external threats while ensuring secure and encrypted remote network access. They also include antivirus scanning for all traffic entering and leaving the managed network, as well as website content filtering functionality for enhanced security.

(5)(7) Email Threat Protection - Our managed email protection services safeguard against phishing, business email compromise (BEC), SPAM, and email-based malware. Additionally, we provide managed DMARC, DKIM, and SPF implementation to enhance email security and prevent spoofing.

(5)(8) End User Security Awareness Training - Our services provide online, on-demand training and quizzes to measure and reinforce employee understanding of cybersecurity concepts. Baseline testing is conducted to identify the phish-prone percentage of users, and simulated phishing email campaigns are implemented to educate employees on recognizing and mitigating security threats.

(5)(9) Two Factor Authentication - Advanced two-factor authentication with enhanced administrative features provides security for both on-premises and cloud-based applications. It allows for the creation of custom access policies based on role, device, and location while identifying and verifying device health to detect and mitigate "risky" devices.

(5)(10) Security Operation Center (SOC) - Is a centralized facility where an organization's information security team monitors, detects, analyzes, and responds to cybersecurity threats and incidents in real time. The SOC is staffed by security professionals who use advanced tools, processes, and technologies to proactively safeguard the organization's digital infrastructure, data, and assets. Key functions of the SOC include threat detection, incident response, vulnerability management, log analysis, and compliance monitoring. By operating 24/7, the SOC ensures continuous protection against evolving cyber threats, minimizing risks and mitigating potential impacts to the organization.

(5)(11) Security Information Event Management (SIEM) - Combines real-time monitoring, event logging, and advanced analytics to provide a comprehensive view of an organization's cybersecurity posture. SIEM systems collect and aggregate data from various sources, such as network devices, servers, firewalls, and applications, to identify anomalies, detect threats, and generate actionable security alerts. By correlating events across the IT environment and applying predefined rules or AI-driven insights, SIEM enables faster threat detection, incident response, and compliance reporting. Additionally, we retain 90 days of log data to support thorough investigations, compliance audits, and ongoing security analysis.

(5)(12) Advance Information Protection - Encompasses technologies, policies, and practices designed to safeguard sensitive data from unauthorized access, modification, or exfiltration. AIP includes features such as data classification, encryption, and rights management to ensure that information remains secure both at rest and in transit. It enables organizations to define and enforce policies for data access based on user roles, devices, or locations. Advanced analytics and monitoring capabilities help detect unusual activities or potential threats, providing actionable insights for swift incident response. By securing critical information assets, AIP supports compliance with regulatory requirements and minimizes risks associated with data breaches or loss.

(6) COVERED EQUIPMENT (HARDWARE AND SOFTWARE)

The Services will be applied exclusively to the equipment, hardware, and software specified in the "Managed Environment" schedule (collectively referred to as the "Environment"). A copy of this schedule accompanies this Service Statement. Any items not listed within the Environment will not be eligible for or covered by the Services.

(7) PHYSICAL LOCATIONS COVERED BY SERVICES

Services will be provided remotely unless we determine, at our discretion, that an onsite visit is necessary. Onsite visits will be scheduled based on the priority assigned to the issue and are subject to technician availability. Unless otherwise agreed, all onsite services will be performed at the Client's primary office location as listed in the Quote. Additional fees may apply for onsite visits. For further details, please refer to the Service Level section below.

(8) PER SEAT LICENSING

Regardless of the reason for terminating the Services, you will be responsible for paying all per-seat license fees (e.g., Microsoft NCE licenses, if applicable) that we have procured on your behalf. For further information, please refer to the "Per Seat License Fees" section in the Fees section below.

(9) CLOUD LICENSES RESALE

The pricing for cloud software licenses that we resell is determined by the respective software vendors. If the vendor adjusts their pricing—whether through an increase or decrease—during the term of your agreement, the price we charge for those licenses will be adjusted by the same percentage. This ensures that any changes in vendor pricing are consistently reflected in your billing. Any such adjustments will take effect as dictated by the vendor’s implementation timeline.

(10) ASSUMPTIONS, AND MINIMUM REQUIREMENTS

The scheduling, fees, and delivery of the Services are based on the following assumptions and minimum requirements.

(10)(A) Server hardware must be covered by a current warranty.

(10)(B) All equipment running Microsoft Windows® operating systems must use a supported version and have the latest Microsoft service packs and critical updates installed.

(10)(C) All software must be genuine, licensed, and supported by the vendor.

(10)(D) Server file systems and email systems (if applicable) must be protected with licensed and up-to-date antivirus software.

(10)(E) The Environment must include a currently licensed, vendor-supported server-based backup solution that can be monitored.

(10)(F) Wireless data traffic in the Environment must be securely encrypted.

(10)(G) All servers must be connected to functioning UPS devices.

(10)(H) Recovery coverage assumes the integrity of the backups or the data stored on backup devices. The integrity of backups or stored data is not guaranteed. Server restoration will only cover the point of the last successful backup.

(10)(I) The Client must provide all software installation media and key codes in the event of a failure.

(10)(J) Any costs required to bring the Environment up to these minimum standards are not included in this Service Statement.

(10)(K) The Client must grant us administrative privileges to the Environment.

(10)(L) The Client must not attach or install any accessory, addition, upgrade, equipment, or device onto the firewall, server, or NAS appliances (other than electronic data) without our prior written approval.

(11) EXCLUSIONS

Services not explicitly described in the Quote are considered out of scope and will not be provided to the Client unless otherwise agreed upon in writing by HERO Managed Services. Additionally, the following services are expressly excluded and, if required, must be approved in writing by HERO:

(11)(A) Customization of third-party applications or any form of programming.

(11)(B) Support for operating systems, applications, or hardware no longer supported by the manufacturer.

(11)(C) Data/voice wiring or cabling services of any kind.

(11)(D) Costs associated with bringing the Environment up to the Minimum Requirements (unless specifically noted in the "Scope of Services" section).

(11)(E) Costs for hardware or supported equipment repairs, parts or equipment acquisition, or any related shipping charges.

(12) SERVICE LEVELS, RESPONSE TIME

Automated monitoring is provided continuously, 24x7x365. However, response, repair, and remediation services (as applicable) will only be performed during HERO’s business hours unless otherwise specified in the Quote. Problems, errors, or interruptions in service will be addressed within the timeframes outlined below, with severity levels determined at HERO’s discretion following consultation with the Client. All remediation efforts will begin with remote services. Onsite service will only be provided if remote remediation is unsuccessful and if it is included in the Client’s selected Service plan. All time frames are calculated from the moment HERO is notified of the issue or problem, either through HERO’s monitoring tools or via the Client using HERO’s designated support portal, help desk, or the telephone number listed in the Quote. Notifications submitted through any other methods may result in delays in initiating remediation efforts.

(12)(A) Normal Business Hours - Normal business hours are Monday through Friday, 7:00 AM to 7:00 PM Eastern Standard Time. During these hours, a technician will begin addressing any issues immediately, subject to technician availability. If an issue is not resolved within normal business hours, it will be logged and addressed the following business day. For non-critical issues requiring an onsite visit, a technician will be scheduled based on the severity of the problem and technician availability.

(12)(B) Outside Normal Business Hours - On-call hours are any time outside of normal business hours. During these hours, support is available for emergency services, including critical issues such as server downtime, internet outages, or Line of Business system failures.

(12)(C) Response Time - Response time is calculated from the moment a request for assistance is received through our designated support channels. Requests submitted through alternative methods may experience delays or may not receive a response.

(12)(C)(A) Critical: A situation where the service is completely unavailable (e.g., all users and functions are affected). During normal business hours, we will respond within one (1) business hour of notification. If the issue occurs outside of normal business hours, the response time will be within two (2) hours.

(12)(C)(B) Significant Degradation: This refers to situations where a large number of users or critical business functions are impacted. During normal business hours, we will respond within two (2) business hours of notification. If the issue occurs outside of normal business hours, the response time will be within four (4) hours.

(12)(C)(C) Limited Degradation: This occurs when a limited number of users or functions are affected, but business processes can continue. During normal business hours, we will respond within four (4) business hours of notification. If the issue is reported outside of normal business hours, the response will occur on the next business day.

(12)(C)(D) Small Service Degradation: This applies when a single user is affected, but business processes can continue without significant impact. We will respond within one (1) business day of receiving notification.

(13) MICROSOFT LICENSING FEES

HERO may purchase Microsoft New Commerce Experience (NCE) licenses to provide you with applications such as Microsoft 365, Dynamics 365, Windows 365, and Microsoft Power Platform (collectively referred to as "NCE Applications"). To take advantage of the discounts offered by Microsoft for these applications and to pass those savings on to you, HERO will purchase NCE Licenses for one (1) year terms, as required under the Quote. As mandated by Microsoft, NCE Licenses cannot be canceled after purchase and are non-transferable to other customers. Each license may require a one (1) or three (3) year term. Therefore, you acknowledge and agree that, regardless of the reason for termination of the Services, you are responsible for paying the full cost of all applicable NCE Licenses for their entire term. Once you have paid for the NCE Licenses in full, you will retain the right to use those licenses until their expiration, even if you transition to a different managed service provider.

(14) ADDITIONAL TERMS

(14)(1) Authenticity - All components within the managed environment, including hardware and software, must be genuine and properly licensed. If we request proof of authenticity or licensing, you are required to provide it. Additionally, all minimum hardware and software requirements outlined in the Quote or this Service Statement ("Minimum Requirements") must be implemented and consistently maintained as a condition of our continued provision of Services to you.

(14)(2) Monitoring Services; Alert Services - Unless otherwise specified in the Quote, all monitoring and alert-related services are limited to detection and notification functions only. These functions operate based on policies designated by the Client, which can be modified by the Client as needed or desired over time. Initially, the policies will be set to a baseline standard determined by HERO; however, the Client is encouraged to review and adjust these policies to align with their specific monitoring and notification requirements.

(14)(3) Remediation - Unless otherwise specified in the Quote, remediation services will be performed in accordance with recommended practices within the managed services industry. The Client acknowledges and agrees that these remediation services are not intended to serve as a warranty or guarantee of the functionality of the Environment, nor are they a service plan for the repair of any specific piece of managed hardware or software.

(14)(4) Configuration of Third Party Services - Certain third-party services provided under this Service Statement may include administrative access, allowing you to modify configurations, features, or functions ("Configurations") of those services. However, any modifications made by you without our knowledge or authorization could disrupt the Services and/or result in a significant increase in fees for those third-party services. Therefore, we strongly recommend that you avoid making changes to the Configurations unless expressly authorized by us. You will be responsible for any increased fees or costs that result from unauthorized changes to the Configurations.

(14)(5) Dark Web Monitoring - Our dark web monitoring services are powered by third-party solution providers. While dark web monitoring is a valuable tool to help reduce the risk of certain types of cybercrime, it is not guaranteed to detect all actual or potential instances of unauthorized use of your designated credentials or information.

(14)(6) Modification of Environment - Unauthorized changes to the Environment may significantly impact the provision and effectiveness of the Services, as well as the fees outlined in the Quote. You agree not to move, modify, or alter any part of the Environment without our prior knowledge and consent. This includes, but is not limited to, adding or removing hardware, installing applications, or changing configurations or log files within the Environment.

(14)(7) Co-Managed Environment - In co-managed situations—where other vendors or personnel ("Co-managed Providers") are designated to provide services that may overlap or conflict with the Services we provide—we will make every effort to deliver the Services efficiently and effectively. However, (a) we are not responsible for the actions or omissions of Co-managed Providers, nor for remediating any issues, errors, or downtime resulting from those actions or omissions, and (b) if a Co-managed Provider's determination on a Service-related issue conflicts with our position, we will defer to the Co-managed Provider's determination and inform you of the situation.

(14)(8) Anti-Virus; Anti-Malware; EDR - Our antivirus, anti-malware, and EDR solution is designed to provide robust protection against new viruses and malware ("Viruses") in the Environment. However, Viruses that already exist in the Environment at the time the security solution is deployed may require additional services for removal, which could incur additional charges. While we strive to provide comprehensive protection, we do not warrant or guarantee that all Viruses and malware will be detected, prevented, or removed, nor can we guarantee the recovery of data that has been erased, corrupted, or encrypted by malware. To enhance security awareness, you acknowledge and agree that HERO or its designated third-party affiliates may collect and use data regarding processed files, URL reputation, security risk tracking, and statistics related to spam and malware protection. This information is strictly for improving security measures and does not contain any personal or confidential data.

(14)(9) Breach/Cyber Security Incident Recovery - Unless expressly stated in the Quote, the scope of the Services does not include remediation or recovery from a Security Incident, as defined below. If such services are requested, they will be provided on a time-and-materials basis at our then-current hourly labor rates. Due to the varied nature of potential Security Incidents, we cannot guarantee the amount of time required to remediate the effects or ensure that recovery will be possible in all circumstances. Additionally, we cannot guarantee that all data affected by the incident will be recoverable. A Security Incident is defined as any unauthorized or impermissible access to or use of the Environment, or any unauthorized or impermissible disclosure of the Client's confidential information, such as usernames or passwords, that compromises the security, privacy, or integrity of the information or applications in the Environment; affects the structure or integrity of the Environment; prevents normal access to the Environment; or impedes or disrupts its normal functions.

(14)(10) Environmental Factors - Exposure to environmental factors, such as water, heat, cold, or varying lighting conditions, may cause installed equipment to malfunction. Unless expressly stated in the Quote, we do not warrant or guarantee that installed equipment will operate without errors or interruptions. Additionally, we do not guarantee that any video or audio equipment will clearly capture or record the details of events occurring at or near such equipment under all circumstances.

(14)(11) Fair Usage Policy - Our Fair Usage Policy ("FUP") applies to all Services described or designated as "unlimited." An "unlimited" service designation means that, subject to the terms of this FUP, you may use the service as reasonably necessary to enjoy its benefits without incurring additional time-based or usage-based costs. However, unless expressly stated otherwise in the Quote, all unlimited services are provided during normal business hours only and are subject to technician availability, which cannot always be guaranteed. We reserve the right to allocate our technicians as necessary to address issues that are more urgent, critical, or pressing than those reported by you. Under this FUP, you agree to refrain from (i) creating urgent support tickets for non-urgent or non-critical issues, (ii) requesting excessive support services inconsistent with normal industry usage patterns, such as using support in place of training, and (iii) requesting support or services intended to interfere with, or likely to interfere with, our ability to provide services to other customers.

(14)(12) Patch Management - We will ensure that all managed hardware and software are kept up to date with critical patches and updates ("Patches") as they are generally released by the respective manufacturers. However, because Patches are developed by third-party vendors, there is a rare possibility that their installation may render the Environment or portions of it unstable or cause managed equipment or software to malfunction, even when the Patches are applied correctly. We will not be held responsible for any downtime or losses resulting from the installation or use of any Patch. Additionally, we reserve the right, but not the obligation, to refrain from installing a Patch if we are aware of technical issues associated with it.

(14)(13) Backup (BDR) Services - All data transmitted over the Internet is susceptible to malware and other harmful computer contaminants, such as viruses, worms, and trojan horses, as well as unauthorized access or damage by hackers. HERO Managed Services and its designated affiliates are not responsible for any outcomes or damages resulting from such activities. Backup and Disaster Recovery (BDR) services rely on a stable and always-connected Internet connection. The speed and reliability of your Internet connection will directly impact the performance of data backups and recovery times. Interruptions in Internet or telecommunications services may prevent BDR services from functioning correctly. Additionally, all computer hardware is subject to potential failures due to equipment malfunctions, telecommunications issues, or other unforeseen circumstances, for which HERO cannot be held liable. Due to inherent technology limitations, all computer hardware—including communications equipment, network servers, and related devices—has an error transaction rate that can be minimized but not entirely eliminated. HERO does not warrant or guarantee that data corruption or loss can be entirely avoided, and you agree to hold HERO harmless in the event such data corruption or loss occurs. To mitigate against the unintentional loss of data, you are strongly advised to maintain a local backup of all stored data.

(14)(14) Procurement - Equipment and software procured by HERO Managed Services on the Client's behalf ("Procured Equipment") may be covered by manufacturer warranties, which will be passed through to the Client to the fullest extent possible. HERO makes no warranties or representations regarding the quality, integrity, or usefulness of the Procured Equipment. Some equipment or software, once purchased, may not be returnable or may be subject to third-party return policies and/or restocking fees. These costs will be the Client's responsibility if a return is requested. HERO is not a warranty service or repair center but will assist in facilitating the return or warranty repair of Procured Equipment. The Client understands and agrees that (i) the return or warranty repair of Procured Equipment is subject to the terms and conditions of the applicable manufacturer warranties, for which HERO will be held harmless, and (ii) HERO is not responsible for the quantity, condition, or timely delivery of Procured Equipment once it has been tendered to the designated shipping or delivery courier.

(14)(15) Quarterly Business Review: IT Strategic Planning - Suggestions and advice provided to the Client are offered in alignment with relevant industry practices, tailored to the Client's specific needs, and based on HERO Managed Services’ knowledge of the relevant facts and circumstances. By offering advice or recommending a particular service or solution, HERO does not endorse any specific manufacturer or service provider.

(14)(16) VCTO or VCIO Services - Advice and suggestions provided by HERO Managed Services in the capacity of a virtual Chief Technology Officer (CTO) or Chief Information Officer (CIO) are for informational and educational purposes only. HERO will not hold an actual director or officer position within the Client's company and will not establish or maintain any fiduciary relationship with the Client. Under no circumstances should the Client list HERO on its corporate records or accounts.

(14)(17) Penetration Testing; Vulnerability Assessment - You acknowledge and agree that during the penetration testing process, physical or virtual security devices, alarms, or other security measures may be triggered or activated despite our efforts to prevent such occurrences. It is your sole responsibility to notify any monitoring company and relevant law enforcement authorities of the possibility of "false alarms" resulting from penetration testing. You must take all necessary steps to ensure that false alarms are not treated as genuine threats or credible alarms involving any person, property, or location. Some alarms or advanced security measures, when activated, may result in the partial or complete shutdown of the Environment, potentially causing significant downtime or delays to your business operations. HERO Managed Services will not be held liable for any claims, costs, fees, or expenses arising from (i) responses by monitoring companies or law enforcement authorities to penetration testing activities or (ii) the partial or complete shutdown of the Environment caused by alarms or security monitoring devices.

(14)(18) No Third Party Scanning - Unless explicitly authorized by us in writing, you agree not to perform, or permit any third party to perform, any testing—diagnostic or otherwise—of the security systems, protocols, processes, or solutions that we implement in the managed environment ("Testing Activity"). Any services required to diagnose or remediate errors, issues, or problems resulting from unauthorized Testing Activity are not covered under the Quote. If you request, and we agree, to perform such services, they will be billed at our then-current hourly rates.

(14)(19) Obsolescence - If any part of the managed environment becomes outdated, obsolete, reaches the end of its useful life, or is designated as "end of support" by its manufacturer (referred to as an "Obsolete Element"), we may classify the device or software as "unsupported" or "non-standard" and require you to update the Obsolete Element within a reasonable timeframe. If the Obsolete Element is not replaced promptly, we may, at our discretion: (i) continue to provide Services to the Obsolete Element on a "best efforts" basis only, with no warranty or obligation to ensure its operability or functionality, or (ii) remove the Obsolete Element from the scope of the Services by providing written notice to you (email is sufficient for this purpose). In either case, we make no representations or warranties regarding any Obsolete Element, including its deployment, service level guarantees, or remediation activities.

(14)(20) Hosting Services - You are responsible for the actions and behaviors of all users of the Services. You agree that neither you, your employees, nor your designated representatives will use the Services in any manner that violates applicable laws, regulations, ordinances, or other legal requirements. Additionally, you agree not to transmit unsolicited commercial or bulk emails, engage in "spamming," or conduct "denial of service" attacks on any website or Internet service. You will not infringe on any copyright, trademark, patent, trade secret, or other proprietary rights of third parties or collect, attempt to collect, publicize, or disclose personally identifiable information without explicit consent. If such information is collected through registrations or subscriptions to your services, you must provide a privacy policy that clearly discloses all uses of the information and complies with applicable laws. You will also refrain from taking any action that is harmful or potentially harmful to HERO Managed Services or its infrastructure. You are solely responsible for ensuring that your login credentials are used only by authorized users or agents and for maintaining the secrecy and strength of user identifications and passwords. HERO will not be liable for any unauthorized use of your login information. If your login credentials are lost, stolen, or used by unauthorized parties, or if you suspect unauthorized access to hosted applications or data, it is your responsibility to notify HERO immediately to request a password reset or take other actions to prevent further unauthorized access. HERO will make commercially reasonable efforts to implement such requests as soon as practicable after receiving notice.

(14)(21) Licenses - If we are required to install, re-install, or replicate any software provided by you as part of the Services, it is your responsibility to ensure that all such software is properly licensed. We reserve the right, but not the obligation, to request proof of licensing before performing any installation, re-installation, or replication of software within the managed environment. Unless expressly stated in the Quote, the cost of acquiring software licenses is not included in the scope of the Services.

(Revised 3/20/2023)