This Master Service Agreement (“Agreement”) is entered into by and between ROI Technology Inc. (“ROI”) and the Client identified in any Statement of Work, Order, or invoice (“Client”). This Agreement governs all Services, Deliverables, Products, and Confidential Information provided by ROI.

By purchasing, accepting, or using ROI’s Services or Deliverables, or by executing a Statement of Work or Order, Client agrees to be bound by this Agreement and applicable Attachments, including Attachment A (SLO) and Attachment B (MNDA).

• Attachment A — SLO: Applies only to recurring managed services under a valid contract with Client’s account in good standing. Not applicable to projects, time & materials, or resale-only transactions.
• Attachment B — MNDA: Applies to all exchanges of Confidential Information.

Each party represents and warrants that it is a business entity acting for commercial and business purposes (and not for personal, family, or household purposes) in entering into and performing under this Agreement and all related Orders, SOWs, and Invoices. The parties acknowledge and agree that any credit terms, deferred payment arrangements, finance charges, or late charges provided hereunder are extended solely for such commercial/business purposes.

ROI means ROI Technology Inc., a Washington corporation, and its affiliates, employees, agents, subcontractors, and independent contractors acting on its behalf.

Agreement means this Master Service Agreement and its Attachments.

Confidential Information has the meaning set forth in Attachment B (Mutual NDA).

Deliverables means any work product, software, equipment, or documentation provided by ROI under this Agreement.

Managed Services means recurring IT services delivered under a written contract with Client.

Order or SOW means a Statement of Work, Order, Scope of Work, or other document executed by Client and ROI describing specific Services or Deliverables.

Services means all professional, managed, project-based, consulting, or resale activities provided by ROI.

Third-Party Terms means license agreements, terms of service, or other contractual terms imposed by third-party developers, manufacturers, publishers, or service providers, compliance with which is Client’s responsibility.

ROI will provide Services and Deliverables as described in executed Orders or SOWs. Unless explicitly included, all other work is out of scope and billable at ROI’s then-current rates.

Third-Party Terms. Client’s acceptance of any ROI Services, Deliverables, or Products constitutes acceptance of applicable Third-Party Terms. Client is responsible for compliance with such terms; ROI is not liable under those third-party agreements.

Product Substitution. ROI may, at its sole discretion, determine that a product sold or used in the provision of Services, whether advertised by name or otherwise, no longer meets ROI’s requirements, or its usage is no longer in Client’s best interest. In such cases, ROI may select a substitute product of similar kind and quality with or without notice, provided such substitution is not expected to increase Client’s price or adversely impact Client’s security.

For clarity regarding services that involve the resale of third-party subscriptions or licenses (e.g., Microsoft 365, Datto backup), please refer to [Broken reference: managed-services-vs-third-party-subscriptions] (Managed Services vs. Third-Party Subscriptions).

• Definition of Managed Services: For purposes of this Agreement, “Managed Services” means the proactive monitoring, management, maintenance, and support of Client’s IT systems, networks, endpoints, servers, or user support by ROI Technology Inc. (“ROI”), as further described in the applicable Statement of Work or Service Description. Managed Services expressly include only those services for which ROI has agreed in writing to provide ongoing operational responsibility, service levels, and support.
• Third-Party Subscriptions: ROI may also make available licenses, subscriptions, or access rights to third-party products or services (e.g., Microsoft 365, Datto backup). In such cases, ROI’s role is limited to reselling or facilitating billing for these subscriptions. ROI does not provide Managed Services in connection with such subscriptions unless expressly stated in a separate Statement of Work.
• Vendor Terms Govern: All third-party subscriptions are subject exclusively to the licensing terms, service levels, warranties, and support processes of the applicable vendor. Client acknowledges and agrees that ROI is not responsible for vendor performance, outages, defects, or failures, and that ROI’s Managed Services service levels, response times, remedies, and termination rights under this Agreement do not apply to third-party subscriptions unless otherwise agreed in writing. ROI may, at its discretion, provide supplemental best-effort assistance related to third-party subscriptions; such assistance does not alter the applicability of vendor terms or create any additional service obligations for ROI.
• Best-Effort Assistance: ROI may, at its sole discretion, provide best-effort support to assist Client in navigating or troubleshooting issues related to third-party subscriptions resold by ROI. Such assistance is supplemental only, provided without warranty, and does not constitute Managed Services or create any obligation for ongoing support.
• Privacy and Billing: ROI’s Privacy Policy applies to Client’s information in connection with billing, account management, and related administrative functions. Except as expressly provided in a Statement of Work, ROI does not process or control data within third-party subscription environments on Client’s behalf.
• Subscription Term and Termination: Client acknowledges that the term, renewal, and termination provisions for third-party subscriptions are governed solely by the applicable vendor’s policies and commitment terms. ROI’s termination rights and service cancellation provisions under this Agreement do not apply to such subscriptions unless otherwise agreed in writing.

• Direct Client Relationship: ROI Technology Inc.’s obligations under this Agreement are owed solely to the entity identified as “Client” in the applicable Quote, Order, or Statement of Work. Unless expressly provided in a separate written agreement with ROI, Client’s own customers, affiliates, or end-users are not parties to this Agreement and have no rights or remedies against ROI.
• Permitted Resale: ROI may, in its discretion, enter into a written reseller or co-branded service agreement with Client. If such an agreement is in place, the parties may specify that Client’s customers shall be treated as “Clients” of ROI for certain purposes. Absent such a separate written reseller agreement, any Client that resells ROI services shall include the Reseller Flow-Down Terms below, verbatim, in all contracts or agreements with downstream customers purchasing ROI services.
• No Assumed Obligations: Absent a specific written reseller agreement with ROI, Client remains solely responsible for its own customer relationships and shall indemnify ROI against any claims made by such customers relating to the services.
• Reseller Indemnification: Client agrees to defend, indemnify, and hold harmless ROI, its affiliates, and their officers, directors, employees, and agents from and against any claims, demands, losses, liabilities, damages, costs, or expenses (including reasonable attorneys’ fees) arising out of or related to (a) Client’s resale or representation of ROI services to downstream customers; (b) any failure by Client to incorporate ROI’s required terms and policies into downstream agreements; or (c) any commitments, warranties, or representations made by Client to downstream customers that are broader than or inconsistent with ROI’s published terms and policies.

Reseller Flow-Down Terms: The services provided under this agreement include services delivered by ROI Technology Inc. (“ROI”). ROI is not a party to this agreement and bears no obligations to Customer except as expressly set forth in ROI’s then-current Master Services Agreement, Privacy Policy, and applicable policies, all of which are incorporated herein by reference. Customer’s use of ROI services is subject to those terms and policies as though Customer had contracted directly with ROI. ROI shall have no liability to Customer beyond the limitations, disclaimers, and remedies contained in such terms. Customer agrees that ROI is a third-party beneficiary of this paragraph.

ROI may, in its discretion, utilize qualified independent contractors and subcontractors in performing the Services. ROI will ensure such personnel meet appropriate industry standards and are bound by confidentiality obligations no less protective than those herein. Client shall treat such personnel the same as ROI staff for purposes of cooperation, access, and professional conduct.

• Fees are due as specified in each Order, SOW, and Invoice; payment obligations survive termination.
• Late amounts accrue interest at the lesser of 1.5% per month (18% per annum) or the maximum rate permitted by law, calculated without compounding from the day after the due date; ROI may suspend Services for nonpayment.
• Client will reimburse reasonable costs of collection (including attorneys’ fees and third-party collection fees), whether or not suit is filed.
• Taxes. Fees are exclusive of all sales, use, excise, VAT/GST, and other taxes, duties, and government charges (“Taxes”). ROI will collect and remit Taxes where required; Client is responsible for all other Taxes associated with its purchases, excluding ROI’s income taxes.
• Committed & Subscription Charges: Fees for committed terms and third-party subscriptions (e.g., Microsoft 365 NCE, Datto) are non-cancelable and non-refundable during the applicable commitment. Client remains liable for all amounts through the end of the vendor commitment, including any vendor early-termination fees.
• No Setoff / Chargebacks: Client may not withhold, set off, or charge back any amounts properly invoiced under this Agreement.
• Non-Waiver of Late Charges: Any waiver or reduction of late charges is discretionary and applies only to that instance; no waiver is a continuing waiver or modification.

Unless otherwise agreed in writing, billing for committed services shall commence no later than sixty (60) days after contract signature, irrespective of Client’s internal readiness or scheduling delays.

Billing continues through any applicable vendor or committed service term regardless of Client’s deployment status or internal usage after activation or order acceptance.

• Title & Risk of Loss. Title and risk of loss for hardware transfer to Client upon delivery to the carrier (FOB shipping point) unless otherwise stated in the Order.
• Returns. Returns are subject to vendor RMA policies, restocking fees, and shipping charges. Special-order or customized items may be non-cancellable and non-returnable.
• Warranties. Manufacturer warranties apply directly from the vendor; ROI is not the warrantor of third-party products.
• Delays. Lead times and availability are estimates only; ROI is not liable for vendor delays.
• RMA-Only Responsibility: ROI’s obligations for third-party hardware are limited to reasonable assistance with vendor RMA processes; all repair/replace obligations flow from the manufacturer’s warranty.
• No Vendor Performance Liability: ROI is not responsible for vendor or carrier delays, shortages, discontinuations, or defects beyond the remedies offered by the applicable vendor.

ROI’s services and billing automatically adjust in line with Client’s business changes. To maintain security and consistency, the following rules apply:

• Every User, Every Device: Each active employee or contractor using technology in Client’s environment must be licensed, and each workstation, server, or company-owned mobile device must be enrolled in support. No “shared” or unlicensed use is permitted.
• Devices Stay Covered: Once a device is added to support, it must remain covered unless it is permanently decommissioned, recycled, or removed from the corporate network. Devices may not be cycled on and off support to avoid charges.
• Business-Driven Scaling: Billing quantities will be adjusted up or down automatically as new users/devices are onboarded or old ones are retired. Services may only be reduced in response to legitimate business changes (e.g., employee termination, hardware retirement).
• Microsoft 365 NCE: Microsoft 365 licenses purchased under Microsoft’s New Commerce Experience cannot be reduced mid-term, even if associated users are no longer active. Client remains responsible for such licenses until the end of the applicable Microsoft term.

These requirements are essential to ensure complete security coverage and to avoid introducing weak links into Client’s environment.

• Provide Cooperation & Access. Ensure timely access to systems, personnel, facilities, and accurate information as reasonably required for ROI to deliver services.
• Payment. Ensure timely payment of all invoices by their due date, and timely dispute for any invoices Client deems incorrect before their due date.
• Maintain Backups. Maintain adequate backups unless expressly contracted through ROI for managed backup services.
• Regulatory & Licensing Compliance. Remain solely responsible for compliance with applicable laws and regulations (e.g., HIPAA, PCI, CMMC, ITAR) and for maintaining proper software licensing. ROI acts as a consultant and advisor, not as the Client’s compliance officer or software licensor.
• Responsible Staff Conduct. Ensure that Client’s staff, contractors, and representatives conduct themselves in a professional and respectful manner when interacting with ROI personnel. ROI reserves the right to pause or withdraw services in the event of abusive, harassing, or unsafe conduct.

ROI will maintain commercially reasonable administrative, physical, and technical safeguards for Client data under ROI’s control. Client is responsible for its own compliance with applicable data protection and privacy laws.

• Purpose and Use. ROI may use SMS-based Two-Factor Authentication (2FA) as an additional identity verification method when Client personnel request support services. SMS 2FA will only be used when other verification methods (such as email to Client’s company domain) are unavailable or impractical.
• Client Responsibility. Client shall provide accurate and up-to-date phone numbers for authorized personnel. Such numbers will be securely stored and used only for identity verification.
• Consent to Receive SMS Messages. By signing this Agreement, Client consents to receive SMS 2FA messages from ROI. Message frequency will vary, and standard message and data rates may apply. Client may opt out at any time by written notice; however, doing so may limit ROI’s ability to verify identity or provide support.
• 10DLC Compliance. All SMS messages sent under this Agreement will comply with 10DLC regulations requiring registration and compliance standards for long-code messaging, to ensure secure and reliable delivery.
• Privacy and Data Protection. ROI will safeguard all phone numbers and related data consistent with its Data Privacy Policy. ROI will not sell or share such information with third parties except as required by law or as necessary to deliver services under this Agreement.

Neither Party shall be liable for any delay or failure to perform obligations (including Service Level Objectives) caused by events beyond its reasonable control and without its fault or negligence, including but not limited to acts of God, natural disasters, government actions or changes in law, war, terrorism, civil unrest, labor disputes, epidemics or pandemics, failures of utilities or carriers, supply chain or vendor disruptions, cyberattacks, or other events of similar nature. Affected obligations shall be suspended for the duration of the Force Majeure event.

Payment obligations for Services already rendered remain due and payable. ROI shall have the discretion to reasonably prioritize restoration efforts across affected clients as circumstances require.

Client acknowledges that Force Majeure events may impact multiple ROI clients simultaneously, and agrees that ROI’s allocation of resources in response to such events shall be deemed commercially reasonable, even if Client’s restoration is delayed as a result. Force Majeure shall not excuse Client’s payment obligations under this Agreement, which shall remain due and payable in accordance with [Broken reference: managed-services-vs-third-party-subscriptions] (Fees & Payment).

ROI IP. Unless otherwise expressly stated in a Statement of Work or Order, ROI retains all right, title, and interest in and to all content and materials it creates, develops, or customizes in the course of providing Services, whether tangible or intangible, including without limitation scripts, programs, software, configurations, graphics, CAD designs, blueprints, diagrams, databases, documentation, playbooks, and policy templates (collectively, “ROI Materials”).

License to Client. Subject to payment of applicable fees, ROI grants Client a non-exclusive, non-transferable, revocable license to use ROI Materials delivered as part of the Services for Client’s internal business purposes only. Deliverables are licensed, not sold.

No Compulsion. ROI may, in its discretion, sell, donate, license, or release rights to specific ROI Materials; Client may not compel ROI to sell, donate, license, or release any intellectual property beyond the limited license granted herein.

Third-Party IP. Intellectual property owned by third parties (including open-source components and vendor software) remains the property of its respective owners and is governed by applicable third-party terms. Client agrees to comply with all such terms.

Confidentiality obligations are set forth in Attachment B (MNDA), incorporated by reference.

EXCEPT AS EXPRESSLY STATED IN AN ORDER OR SOW, THE SERVICES, DELIVERABLES, AND ANY THIRD-PARTY PRODUCTS ARE PROVIDED “AS IS.” ROI DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. ROI does not warrant third-party products or services; any remedies are solely under the applicable third-party terms.

By ROI. ROI will defend and indemnify Client against third-party claims alleging that ROI-provided Deliverables infringe intellectual property rights, provided Client promptly notifies ROI and allows ROI to control the defense and settlement.

By Client. Client will defend and indemnify ROI against claims arising from Client data, misuse of Services, breach of law, or failure to comply with Third-Party Terms. This expressly includes claims, penalties, or assessments arising from Client’s breach of Third-Party Terms (e.g., license misuse or non-compliance under Microsoft 365 NCE, Datto, or similar vendor programs).

• Aggregate Cap: To the fullest extent permitted by law, ROI’s total cumulative liability arising out of or relating to this Agreement, whether in contract, tort (including negligence), strict liability, or otherwise, shall not exceed the fees actually paid by Client to ROI in the one (1) month immediately preceding the event giving rise to the claim. This cap applies in the aggregate across all claims, not per incident.
• Exclusive Remedy: Any service credits provided under Attachment A (SLO), if applicable, constitute Client’s sole and exclusive remedy for Service Level failures. Client waives all other remedies, whether at law or in equity.
• No Indirect or Special Damages: ROI shall not be liable for any consequential, incidental, indirect, punitive, special, or exemplary damages, or for any lost profits, lost data, loss of goodwill, or business interruption, even if advised of the possibility of such damages.
• Responsibility Allocation: ROI’s liability shall not be expanded by any risks expressly allocated to Client under Sections 21 (Shared Responsibility), 25 (Third-Party Fees & Pass-Through Costs), or 27 (Client Insurance), or under any other provision of this Agreement.
• Carve-Outs: The foregoing limitations shall not apply only to liability arising from ROI’s fraud, gross negligence, or intentional misconduct, to the extent such limitations are not permitted by applicable law.
• Basis of the Bargain: Client acknowledges that the fees charged by ROI reflect the allocation of risk set forth in this Section, and that this limitation of liability is an essential element of the Agreement between the Parties.
• Data Loss: ROI has no liability for loss, corruption, or recovery of Client data unless (and only to the extent) expressly assumed in a written managed backup SOW that specifies recovery objectives and corresponding limits.

• Term. This Agreement remains in effect until terminated in accordance with this Section.
• Standard Termination. Client may terminate Services not subject to a committed service term by providing at least ninety (90) days’ prior written notice. ROI will confirm whether any service terms remain in effect and will not begin offboarding until all invoices are current.
• Early Termination of Committed Services. If Client terminates Services before the end of a committed service term, Client shall:
  • Provide at least ninety (90) days’ prior written notice;
  • Repay ROI for all discounts or incentives provided in connection with the committed term;
  • Pay an early termination fee equal to 12.5% of the remaining committed service balance, at ROI’s sole discretion;
  • Pay the remaining balance of all Office 365 or similar subscription services, including any applicable early termination fees imposed by Microsoft, distributors, or other upstream vendors; and
  • Pay any fees imposed on ROI by third-party vendors, distributors, or subcontractors arising as a result of Client’s early termination.
• Suspension Rights. ROI may suspend Services immediately for nonpayment, abusive or unsafe Client conduct, or violations of law or applicable third-party terms.
• Offboarding. Within seven (7) days of receiving notice to terminate and after payment of all outstanding invoices and applicable termination fees, ROI will provide Client with an invoice for early termination fees (if applicable) and will begin the offboarding process.
  • Offboarding Documentation (passwords, site materials, etc.) will be delivered to up to two Client-designated contacts via a password-protected file-sharing service.
  • Links will remain active for thirty (30) days after offboarding, after which ROI will permanently delete remaining Client data from all ROI systems and backups.
  • Client is solely responsible for the transfer of any products or services they wish to retain post-termination, including but not limited to Office 365 subscriptions, Datto or other backup products, offsite datasets, and licensing.

Client acknowledges and agrees that:

• ROI cannot guarantee absolute security, availability, or uninterrupted operation of Client systems or third-party services.
• IT service delivery necessarily involves shared responsibilities between ROI, Client, and third-party providers.
• Client remains responsible for its own internal policies, user behavior, regulatory compliance, and adherence to ROI’s recommendations.

ROI shall not be liable for any incident, breach, or disruption caused in whole or in part by Client actions, omissions, or failure to follow ROI’s guidance.

Unless otherwise specified in a Statement of Work or Order, each committed service term under this Agreement shall automatically renew upon expiration for successive terms equal in length to the immediately preceding term, unless either party provides at least thirty (30) days’ written notice of non-renewal prior to the end of the then-current term.

Upon each renewal, fees shall increase by no less than the rolling five (5) year average inflation rate published by the U.S. Bureau of Labor Statistics (Consumer Price Index) as of the renewal date, or such higher percentage as ROI may determine in its sole discretion. ROI will provide Client written notice of renewal pricing prior to the renewal date if renewal rates exceed the rolling five (5) year average inflation rate published by the U.S. Bureau of Labor Statistics (Consumer Price Index) as of the renewal date.

• During the term and for eighteen (18) months thereafter, Client shall not, without ROI’s written consent, directly or indirectly solicit for employment or engagement any ROI employee or contractor who provided Services to Client.
• Injunctive Relief. Client acknowledges monetary damages may be inadequate; ROI may seek injunctive relief in addition to other remedies.
• Liquidated Damages. If Client breaches this Section, Client shall pay liquidated damages equal to the greater of (a) 250% of the individual’s annualized total compensation with ROI, or (b) 1% of Client’s prior fiscal year gross revenue. The Parties agree this is a reasonable pre-estimate of ROI’s loss and not a penalty.

• Good-Faith Negotiation. The Parties will attempt in good faith to resolve any dispute arising out of or relating to this Agreement through negotiations between a director (or equivalent) of each Party with authority to settle the dispute. If the dispute is not resolved within fourteen (14) days after written notice of the dispute, either Party may pursue relief in court.
• Governing Law; Venue. This Agreement is governed by the laws of the State of Washington, excluding its conflicts of law rules. The Parties consent to exclusive jurisdiction and venue in the state and federal courts located in Snohomish County, Washington.
• Attorneys’ Fees. Each Party shall bear its own attorneys’ fees and costs in any action, except that the prevailing Party may recover its reasonable attorneys’ fees and costs if the opposing Party is found to have acted in bad faith, engaged in willful misconduct, or materially breached this Agreement.
• Equitable Relief. Nothing in this Section prevents either Party from seeking injunctive or other equitable relief in any court of competent jurisdiction to prevent immediate and irreparable harm.

Client is solely responsible for all third-party vendor fees, pass-through costs, and contractual obligations incurred in connection with ROI’s delivery of Services, including but not limited to licensing, subscriptions, distributor charges, and early termination fees imposed by vendors.

Such fees may be billed directly to Client by the vendor, or through ROI as a pass-through charge, and shall remain payable by Client regardless of whether the vendor relationship is maintained directly or indirectly through ROI.

ROI is not liable for changes in pricing, terms, or availability imposed by third-party vendors, distributors, or upstream providers.

Notices under this Agreement must be in writing and sent by email to the addresses specified in the applicable Order or by nationally recognized courier. Email notices are deemed given when sent, if no bounce-back is received. Either Party may update its notice address by written notice.

Client agrees to maintain adequate insurance coverage, including at a minimum commercially reasonable cyber liability insurance and general business liability insurance, to cover risks outside ROI’s reasonable control. Such coverage shall be sufficient to address potential losses arising from data breaches, cyberattacks, regulatory penalties, and other events for which ROI expressly disclaims liability under this Agreement.

At ROI’s request, Client shall provide reasonable evidence of such insurance. Failure to maintain adequate insurance does not expand ROI’s liability beyond the limitations set forth in this Agreement.

• Scope and Consent. Client acknowledges and agrees that ROI may monitor, log, and collect telemetry regarding network traffic, device activity, account usage, and security events associated with (i) Client-owned or -managed devices and networks; (ii) Client tenants, accounts, and cloud services configured or administered by ROI; and (iii) personal/BYOD devices and accounts solely to the extent they are enrolled in Client’s management stack or used to access Client systems or ROI-managed services.
• Purpose and Lawful Basis. Monitoring is necessary for service delivery, operational security, incident response, compliance, troubleshooting, and quality improvement. Processing is performed on the basis of contract necessity and ROI’s legitimate interests, and as further described in the Privacy Policy, which is incorporated by reference.
• No Opt-Out / No Interference. Because monitoring is integral to the Services, Client and its users shall not disable, circumvent, or interfere with ROI’s monitoring, logging, or security controls while engaging with the Services.
• Data Minimization; Personal Content. ROI does not access end-user personal content (e.g., photos, personal email, texts) on BYOD devices except to the extent technically unavoidable to enforce security controls (e.g., device posture checks, container policies). ROI’s standard deployment uses containerization or policy boundaries where feasible.
• Use and Sharing. Monitoring data is used for ROI’s internal business purposes (service delivery, security, analytics, and improvement). ROI does not sell monitoring data. ROI may share monitoring data with trusted vendors and subprocessors bound by confidentiality obligations and data-protection terms, and may disclose data as required by law, regulation, subpoena, or court order, providing notice to Client where legally permitted.
• Retention. Monitoring and log data are retained consistent with ROI’s internal retention schedules and the Privacy Policy, or as required by law, regulation, audit, or incident response. Client may request commercially reasonable adjustments that are technically feasible; additional fees may apply.
• Client Responsibilities. Client is responsible for informing its personnel and contractors of these monitoring practices, updating its internal policies (including BYOD where applicable), and obtaining any required consents under applicable law. Client will not instruct ROI to disable monitoring in a manner that materially degrades security or compliance.
• Security and Access. ROI applies reasonable and appropriate administrative, technical, and physical safeguards to monitoring data and restricts access on a least-privilege basis to personnel with a need to know.
• Clarifications. Monitoring under this Section is not a workplace surveillance service and is not a substitute for Client’s HR, legal, or supervisory obligations. In the event of a conflict between this Section and the Privacy Policy or any Data Processing Addendum, data-protection terms govern processing of personal data; otherwise, this Section governs.

• Assignment. Client may not assign this Agreement or any rights or obligations hereunder without ROI’s prior written consent. ROI may assign this Agreement to its affiliates or in connection with a merger, acquisition, sale, or corporate reorganization without Client consent.
• Severability. If any provision of this Agreement is held invalid or unenforceable, the remainder shall remain in full force and effect. Invalid or unenforceable provisions shall be deemed modified to the minimum extent necessary to render them valid and enforceable.
• Entire Agreement. This Agreement, including all Attachments (Attachment A — Service Level Objectives and Attachment B — Mutual Non-Disclosure Agreement), together with any executed Statements of Work or Orders, constitutes the complete and exclusive agreement between the parties, superseding all prior or contemporaneous oral or written understandings relating to the subject matter.
• No Waiver. Failure by ROI to enforce any right or provision of this Agreement shall not constitute a waiver of such right or provision, nor of any other rights or provisions.
• Survival. Sections relating to payment obligations, confidentiality, intellectual property, limitation of liability, indemnification, dispute resolution, and any other provisions that by their nature should reasonably survive termination shall survive termination of this Agreement.
• Counterparts & Electronic Acceptance. This Agreement may be executed in counterparts and via electronic signatures or acceptance (including by click-through, email confirmation, or purchase order), all of which shall be deemed binding and of equal legal effect as original signatures.
• Privacy.ROI’s collection, use, storage, and disclosure of personal data in connection with the Services are governed by ROI’s Privacy Policy, as updated from time to time. By entering into this Agreement, Client acknowledges and agrees that ROI’s Privacy Policy is incorporated herein by reference and forms part of this Agreement. Client further agrees to inform its personnel of ROI’s Privacy Policy as applicable.

Binding Authority. By executing a Statement of Work, Order, or invoice that references this Agreement, Client affirms that it has read, understood, and agreed to be bound by this Master Service Agreement and its Attachments. Client further represents and warrants that the individual executing such Statement of Work, Order, or invoice on Client’s behalf has full legal authority to bind Client to this Agreement and its Attachments.

Updates to Attachments. ROI may update Attachment A (Service Level Objectives) from time to time with reasonable notice to Client. Continued use of ROI’s Managed Services after such notice constitutes Client’s acceptance of the updated Attachment A. Attachment B (Mutual Non-Disclosure Agreement) shall remain in effect as executed unless otherwise amended in writing by both parties.

• ROI’s Right to Assign: ROI may assign, transfer, or delegate this Agreement, in whole or in part, including all rights, obligations, and data thereunder, in connection with a merger, acquisition, corporate reorganization, sale of assets, or other business transaction, without Client’s consent.
• Binding Effect: Any successor or assign of ROI shall be entitled to the same rights and subject to the same obligations under this Agreement. Such successor or assign may continue to use information in accordance with this Agreement and the Privacy Policy.
• No Client Veto: Client shall have no right to block, veto, or limit any assignment, transfer, or delegation by ROI. Any attempted restriction on ROI’s assignment rights shall be void.
• Client Limitation: Client may not assign or transfer this Agreement without ROI’s prior written consent, except in connection with a merger or sale of substantially all of Client’s assets, provided that the assignee agrees in writing to be bound by this Agreement.

31.1 Provider-Owned Equipment on Client Premises

1. Ownership & No Sale. Certain hardware placed on-site by ROI Technology Inc. (“ROI”) for service delivery (e.g., firewalls, switches, backup appliances, sensors, LTE failover, loaners, staging gear) remains ROI’s personal property and is not sold to Client.
2. License to Use Space & Utilities. Client grants ROI the right to place, operate, and connect such equipment at Client locations and authorizes ROI’s reasonable use of Client’s power, rack/shelf space, and network cabling/ports required for service delivery. All utility costs are Client’s responsibility.
3. Environmental Requirements. Client will provide a suitable environment (stable power and grounding, reasonable temperature/humidity, and internet connectivity). ROI may require UPS/surge protection for ROI and Client equipment.
4. Care, Custody & Control. Client will take reasonable care to secure ROI equipment; will not move, modify, or allow third parties to service it without ROI’s consent; and will promptly notify ROI of damage, failure, or loss.
5. Risk of Loss. ROI is responsible for ordinary wear and manufacturer defects. Client is responsible for loss or damage caused by Client personnel, vendors under Client’s control, misuse, relocation without approval, theft due to inadequate site security, or failure to maintain a suitable environment.
6. Access Rights. Client will provide ROI reasonable access (onsite or remote) to install, maintain, repair, and remove ROI equipment. If escorted access is required, Client will make personnel reasonably available.
7. Fixtures & Landlord Waiver. ROI equipment is not a fixture and does not become part of the real property. Client will obtain any necessary landlord/co-location waivers permitting installation, power use, and removal without charge for restoration beyond ordinary patch/paint of mounting points.
8. Insurance. Each party maintains customary insurance for its own property. Client’s general liability should cover third-party bodily injury/property damage occurring at Client premises. ROI may (but is not required to) list equipment on its own property policy.
9. Replacement & Fees. If ROI equipment is lost or irreparably damaged while in Client’s care as described above, Client will reimburse ROI for its then-current replacement cost. Monthly service fees tied to that equipment may continue until it is replaced or returned.
10. No Lien/Encumbrance. Client will not pledge, assign, or encumber ROI equipment and will keep it free of liens or claims by third parties.

31.2 Return, Transfer, or Buyout of Service-Tied Equipment

1. Scope. This section applies to ROI-owned devices placed for service delivery that are not sold to Client (“Service-Tied Equipment”).
2. Client Election at Termination or Transition. Upon expiration/termination of the applicable Service, or upon Client’s request to transition, Client shall elect one of the following within five (5) business days:
   1. Return. ROI retrieves on-site, or Client ships (insured) using an ROI-provided RMA, all Service-Tied Equipment.
   2. Transfer to Successor. With ROI’s written consent, ROI may transfer temporary custody to Client’s successor provider solely to facilitate cutover, subject to proof of insurance and chain-of-custody acceptance.
   3. Buyout. If available for the device model, Client may purchase title at ROI’s then-current quoted buyout price provided in writing upon request. Title passes upon cleared funds.
3. Timelines & Access. Client will provide onsite access (or ship per RMA) within ten (10) business days of termination. ROI will use commercially reasonable efforts to coordinate cutover and retrieval to minimize downtime. If escorted access is required, Client will make personnel reasonably available.
4. Condition on Return. Equipment must be returned in substantially the same condition (ordinary wear excepted), with all accessories (e.g., rack ears, power supplies, rails). Missing/damaged items may be invoiced at replacement cost.
5. Fees. Standard de-installation and logistics are included in offboarding unless otherwise stated in an SOW. Non-standard work (after-hours, expedited, complex re-cabling, third-party rigging) may be billed at current rates. If Client ships equipment, Client pays shipping/insurance and bears risk until delivery is confirmed.
6. Risk of Loss & Unreturned Equipment. Client is responsible for loss or damage to Service-Tied Equipment while in Client’s care or control. If not returned or bought out within fifteen (15) business days after ROI’s written notice, ROI may invoice the then-current replacement cost plus reasonable retrieval expenses. Monthly service fees tied to that equipment may continue until return, buyout, or verified decommissioning.
7. Data Handling & Sanitization. Prior to removal, ROI will (a) assist with a one-time export of reasonable configuration and logs; and (b) for backup appliances, provide a reasonable window for Client to extract data per the applicable Service Description. After removal/return, ROI will securely wipe/sanitize ROI-owned storage per NIST SP 800-88 or manufacturer-approved methods and provide a sanitization confirmation upon request.
8. Credentials & Configuration IP. ROI’s standard configurations, scripts, and templates remain ROI intellectual property. ROI will, upon request and provided Client’s account is current, provide operational credentials needed for continuity (e.g., device admin access) and a baseline configuration export sufficient for continued operation by Client or a successor.
9. Transfer to Successor—Chain of Custody. For any temporary transfer: (i) the successor must acknowledge receipt and assume responsibility while in its custody; (ii) Client remains responsible to ROI for loss/damage; (iii) the device remains ROI property and must be returned or bought out per this section; and (iv) any ROI licensing tied to the device will be removed at or after cutover.
10. Third-Party Licenses. Third-party subscriptions provisioned by ROI (e.g., security, support, warranty) are not transferable unless expressly permitted by the licensor. Where permitted, transfer fees (if any) will be passed through.
11. UCC Notice. ROI may file a precautionary UCC-1 financing statement to evidence ownership; this is not a security interest in Client assets.
12. Survival. Obligations regarding return, buyout, fees, data handling, and risk of loss survive termination until fully performed.

In the event of any conflict or inconsistency between this Master Services Agreement, its attachments, and any incorporated policies, the following order of precedence shall apply:

1. This Master Services Agreement (exclusive of attachments and policies);
2. Attachment A (Service Level Objectives), Attachment B (Mutual Non-Disclosure Agreement), and any other attachments explicitly incorporated herein;
3. The Privacy Policy and any other referenced policies published by ROI;
4. Any statement of work, proposal, or quotation, unless expressly agreed otherwise in writing by ROI.

Notwithstanding the foregoing, ROI reserves the right to interpret its Privacy Policy in its sole discretion, subject only to applicable law.

These Service Level Objectives (“SLOs”) apply only to recurring Managed Services under a valid written agreement with Client’s account in good standing. They do not apply to time-and-materials engagements, resale-only transactions, or project-based work unless explicitly incorporated into the applicable SOW or Order.

1.1 Definitions

• Supported User: An active employee or contractor of Client with a named account in Client’s directory/tenant and an active Managed Services license/seat.
• Covered Endpoint: A workstation, laptop, thin client, or server enrolled in ROI’s management platform, running ROI’s standard security/monitoring agents, and meeting minimum supported OS/hardware requirements.
• Standard Stack: ROI’s current toolset for management, security, backup, email protection, and network monitoring (e.g., RMM/patching, MDR/EDR, email security, backup, network monitoring, and supported firewall/Wi-Fi platforms). Functionally equivalent tools may be substituted over time at ROI’s discretion.

1.2 Default In-Scope Activities (Included in Managed Services)

• Service Desk (Business Hours, Remote-First): L1–L2 remote support for Supported Users and Covered Endpoints, including ticket intake, triage, troubleshooting, and guidance for standard business applications. SLO measurements apply to response, not onsite arrival.
• Onsite Support (Discretionary & Scheduled): ROI may, at its sole discretion, schedule onsite attendance when remote resolution is not reasonably practical. Onsite work is best-effort, subject to technician availability, cross-client triage, safety considerations, and [legal-ref key="definitions" doc="msa"] (Force Majeure). Onsite attendance is not guaranteed within any specific time window and may be deferred in favor of higher-impact incidents. Travel logistics, scope, and any location-specific requirements must permit safe/secure access. Unless otherwise stated in an Order or service plan, onsite work is included only when scheduled by ROI and does not convert response-time objectives into dispatch/arrival commitments.
• Server & Workstation Maintenance (Recurring): Continuous monitoring and weekly scheduled maintenance of Covered Endpoints and servers; managed cybersecurity with 24/7 threat operations and hunting via the Standard Stack; ransomware detection and isolation actions; unlimited remote support and remedial repairs as needed to restore service on Covered Endpoints/servers. (Onsite remedial work, if required, proceeds per the “Onsite Support” terms above.)
• Patch & Update Management: Operating system and supported third-party application updates for Covered Endpoints and servers; monitoring, remediation of failed updates, and restarts per SLO [Broken reference: maintenance-windows] Maintenance Windows.
• Security Operations (Baseline): Policy management and alert triage for the Standard Stack (e.g., MDR/EDR, endpoint protection, email security); ransomware containment on endpoints/servers; user password/MFA resets; account lock/unlock; investigation and remediation consistent with baseline service.
• Identity & Collaboration Admin: Routine Microsoft 365/Google Workspace administration (mailboxes, aliases, distribution lists, shared mailboxes/drives, Teams/SharePoint/Drive access, groups, basic site/team/channel setup).
• Email Security & Hygiene: Allow/deny list administration subject to security review; DMARC/DKIM/SPF configuration for Client-owned domains; tuning of anti-phishing/anti-spam policies.
• Backup Administration: Monitor backup jobs and capacity; adjust policies/retention within Client’s plan; perform reasonable file/folder restores and periodic test restores; assist with backup encryption key escrow where applicable; desktop-to-cloud backup management for Covered Endpoints when included in Client’s plan.
• Application Privileged Access Management (PAM): Configure and administer application-level elevation controls and just-in-time privileges on Covered Endpoints where supported by the Standard Stack.
• Network Monitoring & Minor Changes: Monitor supported network devices; apply standard configuration changes on supported platforms (e.g., DHCP reservations, basic NAT rules, SSIDs, VLAN tagging, VPN user provisioning); routine firmware updates per SLO [Broken reference: maintenance-windows].
• Endpoint Hardening & Compliance Baselines: Enforce baseline security policies (e.g., disk encryption, screen lock, USB storage policy where supported); maintain inventory; record exceptions with risk acknowledgement.
• Vendor Coordination: With Client authorization, open and track tickets with third-party vendors (e.g., ISP, line-of-business apps) for issues impacting Managed Services.
• Asset & Lifecycle Management: Maintain device/user inventory, warranty/age tracking, standard join/retire processes, and secure wipe workflows for decommissioned devices.
• Awareness & Phishing Simulation (Baseline): Assign standard security awareness content and phishing simulations via ROI’s platform and provide portal-available completion/metrics.
• Documentation & Reporting: Maintain core environment documentation and make standard metrics and reports available via ROI’s IT portal (see SLO [Broken reference: measurement-reporting] Measurement & Reporting).

1.3 Standard Change Requests (Included)

• User adds/moves/changes (single or small batch), group membership updates, mailbox and shared resource permissions.
• DNS/DHCP changes, printer/queue setup, Wi-Fi access changes, MFA resets, SSO assignments for supported apps.
• Light policy tuning for security, backup, and collaboration platforms that does not materially re-architect services.

1.4 Service Boundaries & Project/T&M Triggers

The following generally fall outside the default scope and require a separate SOW or T&M authorization:

• Planned efforts expected to exceed 4 engineering hours or requiring after-hours execution.
• New implementations or migrations (e.g., tenant-to-tenant, email/domain moves, major version upgrades, new servers, new sites/networks, SIEM deployments, advanced MDM/Intune rollouts).
• Bulk user/device changes (e.g., onboarding/offboarding of 10+ users at once) beyond routine cadence.
• Custom automation, scripting, or reporting outside what is available in ROI’s IT portal.
• Formal compliance audits, risk assessments, third-party questionnaires requiring customized evidence packages.
• Large-scale data restores, disaster recovery events, or forensics/incident response beyond initial triage and containment.
• Work on platforms, hardware, or software outside the Standard Stack or past end-of-support.

Items not expressly listed in [Broken reference: scope].2 or [Broken reference: scope].3 are considered out of scope unless added by an Order or SOW.

1.5 Assumptions & Client Responsibilities

• Client will submit requests via the methods in SLO [Broken reference: service-request-handling] and maintain accurate contact/licensing information.
• Covered Endpoints will be powered on, connected to the network, and accessible during maintenance windows (see SLO [Broken reference: maintenance-windows]).
• Client will adhere to ROI’s published security requirements and promptly remediate exceptions or accept documented risk.
• Client will provide reasonable access/authorizations and designate a point of contact for approvals and vendor coordination.

ROI’s standard service desk hours are 9:00 AM to 5:00 PM Pacific Time, Monday through Friday, excluding weekends and U.S. federal holidays observed by ROI. A current list of observed holidays will be published by ROI and may be updated with reasonable notice.

Support outside of standard hours (including evenings, weekends, and holidays) is not included in standard Managed Services but may be provided under a separate written agreement or service plan expressly covering 24/7 availability.

To ensure efficient and secure handling of support requests, Clients must use the following methods in order of preference:

1. IT Portal: Submit tickets via portal.roitechnologyinc.com (preferred).
2. Tray Icon: Submit tickets directly from the ROI tray icon installed on managed devices.
3. Email: Send requests to ROI’s designated support email address.
4. Phone: Phone support is reserved for urgent matters or for responding to ROI’s callbacks. Routine issues should not be submitted by phone.

Ticket Classification & Triage: ROI assigns the final priority to each request based on its objective impact to business operations, not solely on the urgency perceived by the requester. ROI will use commercially reasonable efforts to classify and respond to all requests with appropriate urgency, balancing Client needs with overall service demands.

Contact Attempts: ROI will make up to three (3) reasonable attempts to contact the requester. If no response is received, ROI may close the ticket at ROI’s discretion. Closed tickets may be reopened or resubmitted by the Client if the issue persists.

ROI measures service performance using methods consistent with reasonable industry practices. ROI has sole discretion to determine how response and resolution times are defined and tracked, and may adjust measurement methods as needed to reflect evolving standards, technologies, or business requirements.

Reporting Obligation: ROI’s sole reporting obligation under this Agreement is to provide Clients access to the reporting features available within ROI’s designated IT portal. Reports are limited to those formats and functions supported by the portal’s third-party developer. ROI is not obligated to produce, customize, or manually generate reports outside of the IT portal, even if similar information is technically available.

Continued use of Managed Services following notice of updates to these SLOs constitutes Client’s acceptance of such updates.

To preserve the security, stability, and performance of Client systems, ROI conducts maintenance in two categories: (a) recurring Scheduled Maintenance and (b) Unscheduled (Out-of-Cycle) Maintenance as circumstances require. Maintenance performed in accordance with this [Broken reference: maintenance-windows] (including any resulting downtime, degraded performance, or restarts) SHALL NOT CONSTITUTE A BREACH OF THIS AGREEMENT and is EXCLUDED FROM SERVICE LEVEL OBJECTIVE CALCULATIONS AND SERVICE CREDITS set forth in Attachment A. Maintenance-related impacts remain subject to the liability limitations in [legal-ref key="introduction" doc="msa"] (Limited Liability) and may be excused under [legal-ref key="definitions" doc="msa"] (Force Majeure).

• Scheduled Maintenance (Recurring)
  • Window Definition: ROI maintains a recurring maintenance window (the “Scheduled Maintenance Window”) for routine updates and changes. Specific days and times will be communicated privately via the Client portal or email to Client’s registered contacts and may be modified by ROI from time to time without public disclosure. The existence and timing of the Scheduled Maintenance Window constitute ROI Confidential Information.
  • Scope: Routine operating system and application patching, agent and firmware updates, and configuration changes that can reasonably await the next Scheduled Maintenance Window.
  • Notice: Where a scheduled change is reasonably likely to be user-visible or service-impacting, ROI will provide advance notice when practical. Routine low-impact updates may proceed without individual notice. Notice delivered via the portal or email to Client’s registered contacts is deemed received upon transmission.
  • Client Cooperation: Client will ensure that managed endpoints and servers are powered on and network-connected during the Scheduled Maintenance Window so updates can complete.
  • Catch-Up Behavior: Devices unavailable during the Scheduled Maintenance Window may receive updates at the next successful check-in and may be temporarily unavailable while updates and required restarts complete.
• Unscheduled Maintenance (Out-of-Cycle)
  • Triggers: Zero-day or other critical vulnerabilities; active exploits or credible threats; material service degradation or outages; vendor-mandated changes; incident response; or legal/compliance obligations.
  • Authority to Act: ROI may, in its reasonable discretion and good faith, perform Unscheduled Maintenance with little or no prior notice when required to protect Client systems or the broader environment.
  • Notifications: ROI will use commercially reasonable efforts to notify Client prior to commencement and/or as soon as practicable thereafter, and will provide a brief post-event summary once conditions are stabilized.
  • Operational Impact: Temporary service interruption, degraded performance, and/or required restarts may occur. These impacts are excluded from the Service Level Objectives in Attachment A.
  • Deferral: Maintenance addressing critical risk may not be deferred. For non-critical items, Client may request deferral in writing with acknowledgment of the associated risk. If ROI agrees to defer, Client assumes all risk arising from the deferral and will indemnify and hold ROI harmless from claims, losses, or costs to the extent caused by the deferral.

General Provisions

• Security and Risk Acknowledgment: Devices that are routinely powered off, disconnected, or otherwise unavailable for maintenance may remain unpatched and present elevated risk. ROI is not liable for incidents, breaches, or disruptions attributable to missed updates resulting from Client actions or inaction.
• Upstream Dependencies: Cloud, ISP, or vendor maintenance windows and emergency changes may occur outside ROI’s control and without advance notice; associated impacts are excluded from Service Level Objectives and may constitute Force Majeure under [legal-ref key="definitions" doc="msa"].
• Order of Precedence: In the event of conflict between this [Broken reference: maintenance-windows] and any SLO, uptime, availability, or service-credit provision, this [Broken reference: maintenance-windows] controls.

SLOs do not apply to service delays or interruptions caused by:

• Planned or scheduled maintenance;
• Force Majeure events (see [legal-ref key="data-security-privacy" doc="msa"]);
• Issues with third-party networks, carriers, vendors, or upstream service providers outside ROI’s reasonable control;
• Client-caused delays, including lack of access, inaccurate information, or unlicensed/uncovered users or devices;
• Client systems being unavailable, including due to power-off, shutdown, disconnection, or network isolation;
• Abusive, unsafe, or unprofessional conduct by Client personnel;
• Security incidents resulting from Client actions, including but not limited to weak passwords, unmanaged devices, or shadow IT;
• Unsupported, end-of-life, or unpatched software, operating systems, or hardware not upgraded despite ROI recommendations;
• Failure by Client to follow ROI’s published security requirements or mandatory policies;
• Changes, modifications, or work performed by Client or third parties not authorized by ROI;
• Requests that are excessive, repetitive, or outside the normal scope of contracted Services, including bespoke or manual reporting not supported by ROI’s IT portal.

• Eligibility: If ROI, in its sole discretion, determines that it has materially failed to meet an applicable SLO (excluding any circumstances described in [Broken reference: exclusions], Exclusions), Client may be eligible for a service credit.
• Claims: Client must submit any claim for credit in writing within ten (10) business days of the alleged event, with reasonable supporting details. Failure to submit within this period constitutes a waiver of the claim.
• Calculation: Validated credits will be applied only against future invoices for the affected service. Credits shall not exceed, in aggregate across all claims, an amount equal to one (1) month of fees for the affected service in any rolling twelve (12) month period. Credits have no cash value and may not be refunded, transferred, or applied to other obligations.
• Sole Remedy: Service credits are Client’s sole and exclusive remedy for any failure to meet an SLO, and are in lieu of any other rights, remedies, or damages, whether at law or in equity, relating to such failure.

Client shall provide reasonable cooperation, accurate information, and timely access necessary for ROI to deliver services. ROI is not responsible for delays or failures caused by Client’s lack of cooperation or inaccurate information.