ERMITS ADVISORY SERVICES - MASTER TERMS OF SERVICE

Effective Date: April 21, 2026

Last Updated: April 21, 2026

By engaging ERMITS LLC ("ERMITS," "we," "our," or "us") for professional advisory and consulting services (the "Advisory Services"), you ("Client," "you," or "your") agree to be bound by these Master Terms of Service ("Terms"). If you do not agree to these Terms, do not engage our Advisory Services.

Browsing or using our public marketing site at https://www.ermits-advisory.com/ (including the in-browser Cyber Exposure Brief) does not by itself create a client relationship or professional engagement. Site use is subject to our Privacy Policy and Cookie & Portal Policy. The Cyber Exposure Brief runs locally in your browser; ERMITS does not receive your inputs unless you choose to share them (for example via our intake form). Full client obligations in these Terms attach when you execute a Statement of Work or other written agreement for Advisory Services.

1. SCOPE AND APPLICABILITY

1.1 Services Covered

These Terms govern all ERMITS Advisory Services, including:

Cybersecurity Advisory Services:

CMMC (Cybersecurity Maturity Model Certification) consulting and readiness assessments
Cybersecurity program development and maturity assessments
Incident response planning, playbook development, and tabletop exercises
Security architecture review and design recommendations
Vulnerability management program development
Threat modeling and risk assessment
Security tool selection and implementation guidance

Compliance Advisory Services:

NIST SP 800-171 compliance consulting and gap assessments
DFARS (Defense Federal Acquisition Regulation Supplement) compliance guidance
HIPAA Security Rule and Privacy Rule consulting
Privacy compliance advisory (GDPR, CCPA/CPRA, PIPEDA, LGPD)
Policy, procedure, and documentation development
Compliance program maturity assessments
Regulatory response support

Third-Party Risk Management Advisory:

Vendor risk assessment consulting and program development
Supply chain security advisory
Third-party due diligence framework development
Vendor security questionnaire design and evaluation
Continuous monitoring program design

Privacy Advisory Services:

Privacy program development and enhancement
Data Protection Impact Assessments (DPIA)
Privacy by Design consulting
Data breach response planning and advisory
Privacy policy development and review
Data governance framework development

Strategic Advisory Services:

Executive advisory and virtual CISO (vCISO) services
Cybersecurity roadmap and strategic planning
Budget planning and resource allocation guidance
Technology selection and vendor evaluation support
Board-level reporting and communication strategies
Merger & acquisition (M&A) security due diligence
Security awareness and training program development

1.2 Engagement Structure

Advisory Services are delivered through:

Project-Based Engagements:

Fixed-scope deliverables defined in Statement of Work (SOW)
Defined timeline and milestones
Fixed fee or not-to-exceed pricing

Retainer Engagements:

Ongoing advisory support (e.g., virtual CISO services)
Monthly or quarterly retainer arrangements
Defined service hours or availability
Priority access to consultants

Hourly Consulting:

Time-and-materials engagements
Hourly or daily rates
Flexible scope and duration
Detailed time tracking and reporting

Assessment Engagements:

Structured assessments with standardized methodology
Deliverable-based (assessment report)
Fixed or tiered pricing based on scope

1.3 Relationship to Product Terms

These Terms apply ONLY to Advisory Services. If you also use ERMITS software products or platforms, separate Master Terms of Service apply to those products. Advisory Services may be provided independently or as a complement to ERMITS products.

1.4 Website, Cyber Exposure Brief, and intake

The public site may offer descriptions of services, sample materials, and the Cyber Exposure Brief (a browser-based diagnostic for general awareness only; it is not a substitute for a scoped assessment or professional advice). Fees, deliverables, and liability for Advisory Services are governed by your executed SOW and these Terms—not by use of the Brief or website alone. Intake and scheduling requests submitted through forms on this site (for example Talk to an advisor) are subject to the Privacy Policy and do not establish an engagement until ERMITS and you agree in writing (including a SOW where applicable).

2. DEFINITIONS

"Advisory Services" means the professional consulting and advisory services provided by ERMITS under an executed engagement agreement.

"Statement of Work" or "SOW" means a written agreement specifying the scope, deliverables, timeline, and fees for a specific Advisory Services engagement.

"Deliverables" means the reports, assessments, documentation, recommendations, or other work products specified in the SOW.

"Engagement Period" means the duration of the Advisory Services as specified in the SOW, from commencement date to completion or termination.

"Client Data" means any information, documents, data, or materials provided by Client to ERMITS for the purpose of delivering Advisory Services.

"Confidential Information" means any non-public information disclosed by one party to the other, including Client Data, business information, technical information, and engagement details.

"Work Product" means all deliverables, reports, analyses, recommendations, and documentation created by ERMITS in the course of providing Advisory Services.

"Acceptance" means Client's formal acceptance of Deliverables as meeting the requirements specified in the SOW.

3. ELIGIBILITY AND AUTHORITY

Business Entities Only: Advisory Services are provided to businesses, government entities, and organizations only. ERMITS does not provide Advisory Services to individual consumers.

Authority to Engage: By engaging Advisory Services, you represent and warrant that you have the authority to bind your organization to these Terms and any applicable SOW.

Accurate Information: You agree to provide accurate, current, and complete information about your organization, needs, and environment to enable effective service delivery.

Eligibility Verification: ERMITS reserves the right to verify your authority and organizational identity before commencing services.

4. ENGAGEMENT PROCESS

4.1 Engagement Initiation

Initial Consultation:

Complimentary initial consultation to understand your needs
Discussion of objectives, scope, and constraints
Preliminary assessment of engagement approach

Proposal Development:

ERMITS develops proposal outlining approach, scope, timeline, and fees
Proposal valid for 30 days unless otherwise specified
Proposal is non-binding until SOW is executed

Statement of Work (SOW):

Formal engagement document specifying:

Detailed scope of services
Deliverables and acceptance criteria
Timeline and milestones
Fees and payment terms
Roles and responsibilities
Assumptions and dependencies

SOW may incorporate these Terms by reference or include modifications. Engagement commences upon execution of SOW by both parties.

4.2 Non-Disclosure Agreement (NDA)

Prior to engagement commencement:

ERMITS and Client execute mutual Non-Disclosure Agreement (NDA)
NDA governs confidentiality of Client Data and engagement details
NDA remains in effect for duration specified (typically 3-5 years)
Pre-existing NDA may be used if mutually acceptable

4.3 Scope Changes and Change Orders

Change Requests:

Either party may request changes to SOW scope
Changes require written change order signed by both parties
Change order specifies impact on deliverables, timeline, and fees

Out-of-Scope Requests:

Work outside SOW scope is not included in original fees
ERMITS will notify Client of out-of-scope requests
Client may authorize additional work via change order or decline

Emergency Changes:

Critical issues may require immediate scope adjustments
ERMITS will use reasonable efforts to notify Client promptly
Change order formalized as soon as practicable

5. PROFESSIONAL STANDARDS AND CONDUCT

5.1 Professional Standards

ERMITS Advisory Services are delivered in accordance with:

Industry best practices and professional standards
Applicable laws, regulations, and ethical guidelines
Professional codes of conduct
Quality assurance and peer review processes

5.2 Consultant Qualifications

ERMITS consultants assigned to your engagement:

Possess relevant education, training, and experience
Maintain professional certifications as appropriate (CISSP, CISM, CISA, CEH, CPP, CIPM, etc.)
Undergo annual security and privacy training
Sign confidentiality and code of conduct agreements

5.3 Professional Independence

ERMITS maintains professional independence:

No undisclosed conflicts of interest
Objective recommendations based on professional judgment
No kickbacks or referral fees from recommended vendors
Transparent disclosure of any potential conflicts

5.4 Limitations of Advisory Services

Advisory Services Are:

Professional consulting and guidance
Based on information provided by Client and industry best practices
Subject to professional judgment and interpretation

Advisory Services Are NOT:

Legal advice (consult your attorney for legal matters)
Accounting or financial advice (consult your CPA)
Guarantees of regulatory compliance or certification
Implementation or technical execution services (unless explicitly included in SOW)
Attestation or audit services (we are not auditors or certification bodies)
Endorsements of specific vendors or products (unless explicitly contracted)

6. CLIENT RESPONSIBILITIES

6.1 Information and Access

Client shall:

Provide timely, accurate, and complete information necessary for service delivery
Grant access to personnel, systems, and documentation as specified in SOW
Designate primary point of contact and decision-maker
Provide physical or virtual workspace for consultants (as needed)
Ensure availability of key stakeholders for interviews and meetings

6.2 Cooperation and Communication

Client shall:

Respond to ERMITS requests and questions in a timely manner
Participate in scheduled meetings and reviews
Provide feedback on draft deliverables during review periods
Notify ERMITS of changes affecting engagement scope or timeline
Maintain regular communication with assigned consultants

6.3 Review and Acceptance of Deliverables

Client shall:

Review deliverables within specified timeframe (typically 10 business days)
Provide written feedback or acceptance
Identify deficiencies or non-conformance with SOW requirements
Work collaboratively to resolve issues

Deemed Acceptance:

If Client does not provide feedback within review period, deliverables are deemed accepted
Acceptance does not waive material non-conformance with SOW

6.4 Security and Confidentiality

Client shall:

Implement appropriate security controls for consultant access
Provide secure communication channels (encrypted email, VPN, etc.)
Monitor and log consultant access to sensitive systems (as appropriate)
Notify ERMITS of security incidents affecting engagement
Comply with confidentiality obligations regarding ERMITS methodologies

6.5 Implementation of Recommendations

Client acknowledges:

Client is solely responsible for implementation of recommendations
ERMITS is not responsible for implementation outcomes (unless implementation services explicitly contracted)
Client must exercise independent judgment in applying recommendations
Recommendations are based on information available at time of engagement

7. ERMITS RESPONSIBILITIES

7.1 Service Delivery

ERMITS shall:

Deliver Advisory Services in accordance with SOW requirements
Assign qualified consultants with appropriate expertise
Maintain professional standards of quality and conduct
Provide deliverables on schedule (subject to Client cooperation and dependencies)
Communicate proactively regarding issues, risks, or delays

7.2 Confidentiality

ERMITS shall:

Maintain confidentiality of Client Data and Confidential Information
Use Client Data only for purposes of delivering Advisory Services
Implement appropriate security measures to protect Client Data
Not disclose Confidential Information to third parties without Client consent (except as required by law)
Bind all consultants and subcontractors to equivalent confidentiality obligations

7.3 Quality Assurance

ERMITS shall:

Conduct internal quality review of deliverables
Ensure deliverables meet professional standards
Provide opportunity for Client review and feedback
Correct material deficiencies in deliverables (during warranty period)

7.4 Subcontractors

ERMITS may engage subcontractors or specialists to deliver Advisory Services:

Subcontractors bound by equivalent confidentiality and professional standards
ERMITS remains responsible for subcontractor performance
Client notification of subcontractor involvement (where material)
Client may object to specific subcontractors (SOW may specify approval rights)

8. FEES, PAYMENT, AND EXPENSES

8.1 Fees

Fees for Advisory Services are specified in the SOW and may be structured as:

Fixed Fee:

Total fee for defined scope and deliverables
Payment milestones tied to deliverable completion
Scope changes via change order may adjust fees

Time and Materials:

Hourly or daily rates for consultants
Monthly invoicing based on actual hours worked
Detailed time tracking and reporting
Not-to-exceed caps (if specified in SOW)

Retainer:

Monthly or quarterly retainer fee
Defined service hours or availability
Unused hours may roll over or expire (per SOW terms)
Additional hours billed at specified hourly rate

Value-Based:

Fee based on value delivered or outcomes achieved
Metrics and payment triggers defined in SOW
Used for strategic advisory engagements

8.2 Expenses

Reimbursable Expenses:

Travel (airfare, lodging, ground transportation) at cost
Meals during travel (per diem or actual, as specified)
Software licenses or tools required for engagement (if not otherwise available)
Printing, shipping, and materials for deliverables

Expense Policy:

Expenses pre-approved by Client or within SOW budget
Economy travel standards (coach airfare, standard hotels)
Expense receipts provided with invoices
Markup on expenses (if any) specified in SOW

Non-Reimbursable Expenses:

Normal business overhead (office, equipment, software tools)
Consultant salaries and benefits
Internal travel within ERMITS office locations
Administrative costs

8.3 Invoicing and Payment

Invoicing Schedule:

Fixed Fee: Per milestone completion or monthly progress billing
Time & Materials: Monthly in arrears
Retainer: In advance (monthly or quarterly)

Invoice Contents:

Detailed description of services performed
Hours worked (for time & materials)
Expenses with receipts
Payment terms and due date

Payment Terms:

Payment due within 30 days of invoice date (unless otherwise specified)
Wire transfer or ACH preferred; check accepted
Credit card payment available (processing fees may apply)

Late Payment:

Interest on overdue amounts at 1.5% per month (18% annual) or maximum allowed by law
ERMITS may suspend services for accounts 60+ days overdue
Client responsible for collection costs (attorneys' fees, court costs)

8.4 Taxes

Client is responsible for all applicable taxes (sales tax, VAT, GST, etc.) except taxes on ERMITS' income. If ERMITS is required to collect taxes, they will be added to invoices.

8.5 Pricing Changes

For multi-year retainers or ongoing engagements:

ERMITS may adjust pricing annually with 60 days' notice
Adjustments typically limited to CPI increase or mutually agreed
Client may terminate upon objection to price increase

9. INTELLECTUAL PROPERTY RIGHTS

9.1 Client Data Ownership

Client retains all ownership rights in Client Data. ERMITS does not claim any ownership or intellectual property rights in Client Data.

9.2 Work Product Ownership

Deliverables:

Upon full payment, Client owns all Work Product and Deliverables created specifically for Client under the SOW
Client receives license to use, modify, and distribute Deliverables for internal business purposes
Client may share Deliverables with regulators, auditors, legal counsel, and business partners as necessary

Restrictions:

Client may not publicly disclose proprietary ERMITS methodologies without consent
Client may not resell or commercialize Deliverables
Attribution to ERMITS required if Deliverables shared publicly (with ERMITS consent)

9.3 ERMITS Intellectual Property

ERMITS retains all rights in:

Pre-existing methodologies, frameworks, and tools
General knowledge, know-how, and expertise
Templates and assessment frameworks (underlying structure)
ERMITS trademarks, branding, and proprietary materials

License to Client:

Limited license to use ERMITS methodologies and tools for internal purposes in connection with Deliverables
Non-exclusive, non-transferable, non-sublicensable
Terminates upon engagement completion (except for use of Deliverables)

9.4 Residual Knowledge

ERMITS may use general knowledge, skills, and expertise gained during engagement for other clients, provided:

No Client Confidential Information is disclosed
No Client-specific Work Product is reused without consent
General industry knowledge and best practices may be applied

9.5 Case Studies and Testimonials

ERMITS may request permission to:

Use Client as a reference
Publish anonymized or attributed case study
Feature Client testimonial on website or marketing materials

Client Control:

Explicit written permission required before any public disclosure
Client reviews and approves all content before publication
Client may withdraw permission at any time
Client may remain anonymous in case studies

10. CONFIDENTIALITY

10.1 Mutual Confidentiality Obligations

Both parties agree to maintain confidentiality of Confidential Information disclosed by the other party.

Confidential Information Includes:

Client Data and business information
Engagement details and findings
Technical information and trade secrets
Financial information
Strategic plans and business relationships
Information marked "Confidential" or that reasonably should be understood as confidential

Exclusions from Confidential Information:

Publicly available information (not due to breach)
Information already known to receiving party
Information independently developed without use of Confidential Information
Information rightfully received from third party without confidentiality obligation

10.2 Use and Disclosure Restrictions

Confidential Information shall:

Be used only for purposes of the engagement
Not be disclosed to third parties without prior written consent
Be protected with reasonable security measures
Be disclosed only to personnel with need-to-know

Permitted Disclosures:

To employees, consultants, and subcontractors under confidentiality obligations
As required by law, regulation, or court order (with notice to disclosing party when legally permitted)
To professional advisors (attorneys, accountants) under professional confidentiality duties

10.3 Return or Destruction of Confidential Information

Upon engagement termination or request:

Receiving party shall return or securely destroy Confidential Information
Certification of destruction provided upon request
Receiving party may retain copies as required by law or professional standards
Confidentiality obligations survive termination for period specified in NDA (typically 3-5 years)

11. WARRANTIES AND DISCLAIMERS

11.1 ERMITS Warranties

ERMITS warrants that:

Professional Standards:

Advisory Services will be performed in a professional and workmanlike manner
Services will conform to generally accepted industry standards and practices
Consultants possess appropriate qualifications and experience

Deliverable Quality:

Deliverables will conform to requirements specified in SOW
Deliverables will be based on accurate analysis of information provided

Authority and Rights:

ERMITS has authority to enter into engagement agreement
Services will not infringe third-party intellectual property rights

11.2 Client Warranties

Client warrants that:

Has authority to engage ERMITS and provide access to Client Data
Client Data does not infringe third-party rights
Information provided to ERMITS is accurate and complete
Has rights to use and disclose Client Data to ERMITS

11.3 Warranty Remedy

Exclusive Remedy:

If Deliverables fail to conform to SOW requirements, ERMITS will re-perform services or correct Deliverables at no additional charge
Warranty applies for 90 days after Deliverable delivery
Client must notify ERMITS in writing of deficiencies within warranty period
Warranty does not apply to issues caused by Client modifications or misuse

11.4 DISCLAIMER OF WARRANTIES

EXCEPT AS EXPRESSLY PROVIDED ABOVE, ADVISORY SERVICES AND DELIVERABLES ARE PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING:

NO WARRANTY OF:

Compliance or Certification: Advisory Services do not guarantee regulatory compliance, certification, or audit passage
Results: No guarantee that implementation of recommendations will achieve specific outcomes
Accuracy of Third-Party Information: ERMITS relies on Client-provided information and public sources
Fitness for Particular Purpose: Client must exercise independent judgment in applying recommendations
Uninterrupted Service: Consultant availability subject to reasonable scheduling and emergencies
Completeness: Assessments are based on sampling and point-in-time analysis

NOT LEGAL ADVICE:

Advisory Services do not constitute legal, accounting, or financial advice
Consult appropriate licensed professionals for legal, tax, and financial matters
ERMITS is not a law firm and consultants are not attorneys (unless explicitly stated)

NOT CERTIFICATION OR AUDIT:

ERMITS is not a certification body (not C3PAO, not auditor)
Advisory Services are consulting and guidance, not attestation
Third-party auditors and certification bodies make final compliance determinations

12. LIMITATION OF LIABILITY

12.1 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ERMITS LLC, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, CONSULTANTS, AGENTS, OR SUBCONTRACTORS BE LIABLE FOR:

Indirect, incidental, special, consequential, or punitive damages
Loss of profits, revenue, business opportunities, or anticipated savings
Loss of data, use, goodwill, or other intangible losses
Loss of data or business interruption
Regulatory fines, penalties, or enforcement actions
Failed audits or certification attempts
Reputational harm or loss of goodwill
Cost of procurement of substitute services
Third-party claims arising from Client's use of Deliverables
Reliance on recommendations or advisory guidance
Unauthorized access to or alteration of Client Data
Results of security assessments or compliance evaluations

This limitation applies regardless of legal theory (contract, tort, negligence, strict liability, professional liability, or otherwise) and whether or not ERMITS was advised of the possibility of such damages.

12.2 Cap on Liability

ERMITS' TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO ANY ENGAGEMENT SHALL NOT EXCEED THE LESSER OF:

$100,000 USD, or
Total fees paid by Client to ERMITS for the specific engagement giving rise to the claim

Alternative Cap (if applicable):

For certain engagements, ERMITS' total aggregate liability may be limited to the greater of:

$100 USD, or
The total amount paid by Client to ERMITS in the 12 months preceding the claim

12.3 Liability Allocation

The limitations in this section reflect the allocation of risk between the parties and the fees charged by ERMITS. The limitations will apply even if any remedy fails of its essential purpose.

12.4 Basis of the Bargain

Client acknowledges and agrees that:

ERMITS has set fees in reliance on these limitations of liability
These limitations reflect the allocation of risk between the parties
These limitations are an essential basis of the bargain
Advisory Services involve professional judgment and interpretation, not guarantees
ERMITS has offered the Services, set pricing, and entered into these Terms in reliance upon the disclaimers and limitations of liability set forth herein

12.5 Exceptions

The limitations in this section do not apply to:

ERMITS' indemnification obligations under Section 13.2
Claims arising from gross negligence, willful misconduct, or fraud
Violations of confidentiality obligations
Infringement of intellectual property rights
Liabilities that cannot be limited under applicable law

12.6 Timely Notice of Claims

Client must notify ERMITS in writing of any claims within 90 days of discovery or these limitations apply with full force. Claims not brought within one (1) year of the act or omission giving rise to the claim are barred.

13. INDEMNIFICATION

13.1 Client Indemnification

Client agrees to indemnify, defend, and hold harmless ERMITS, its affiliates, consultants, and subcontractors from claims, liabilities, damages, and expenses (including reasonable attorneys' fees) arising from:

Client's breach of these Terms or applicable SOW
Inaccuracy or incompleteness of Client-provided information
Client's implementation of recommendations
Third-party claims that Client Data infringes third-party rights
Client's violation of applicable laws or regulations
Negligence or willful misconduct by Client or its personnel
Client's use of Deliverables beyond scope of license granted

13.2 ERMITS Indemnification

ERMITS agrees to indemnify, defend, and hold Client harmless from third-party claims alleging that:

Advisory Services or Deliverables infringe valid U.S. patent, copyright, or trademark
ERMITS' negligence or willful misconduct caused bodily injury or property damage

Conditions:

Client promptly notifies ERMITS in writing of claim
ERMITS has sole control of defense and settlement
Client reasonably cooperates in defense
Indemnification does not apply to claims arising from Client modifications or misuse

13.3 Exclusive Remedy

Section 13.2 states ERMITS' sole obligation and Client's exclusive remedy for intellectual property infringement claims.

14. TERM AND TERMINATION

14.1 Engagement Term

Each engagement commences upon SOW execution and continues until:

Completion of all deliverables and acceptance
Termination by either party as provided below
Expiration of retainer period (for retainer engagements)

14.2 Termination for Convenience

By Client:

May terminate engagement for any reason with 15 days' written notice
Client pays for all services performed and expenses incurred through termination date
Client pays termination fee of 25% of remaining SOW fees (to compensate for resource commitments)
ERMITS delivers work-in-progress in current state

By ERMITS:

May terminate engagement for any reason with 30 days' written notice
Client pays only for services performed and expenses incurred through termination date
ERMITS delivers work-in-progress in current state
Pro-rata refund of pre-paid fees (if applicable)

14.3 Termination for Cause

Either party may terminate immediately upon written notice if:

Material Breach:

Other party materially breaches Terms or SOW
Breach is not cured within 15 days of written notice
Examples: Non-payment, breach of confidentiality, refusal to cooperate

Impossibility:

Engagement becomes impossible or illegal to perform
Client unable or unwilling to provide necessary access or information
Force majeure event prevents performance for more than 30 days

Insolvency:

Other party files bankruptcy, becomes insolvent, or makes assignment for benefit of creditors

Effect of Termination for Cause:

Immediate cessation of services
Client pays for services performed through termination date (if ERMITS not in breach)
No termination fee if terminating party not in breach
Non-breaching party may pursue legal remedies

14.4 Effect of Termination

Upon termination:

ERMITS ceases work immediately (unless wind-down period agreed)
Client pays all outstanding invoices within 15 days
ERMITS delivers completed work and work-in-progress in current state
Client owns completed Deliverables upon full payment
Confidentiality obligations survive termination
Provisions that by their nature should survive remain in effect (warranties, liability limitations, indemnification, confidentiality, dispute resolution)

14.5 Transition Assistance

Upon termination, ERMITS will provide reasonable transition assistance:

Knowledge transfer to Client or successor consultant
Up to 10 hours at standard hourly rate (unless otherwise agreed)
Return or secure destruction of Client Data

15. FORCE MAJEURE

Neither party shall be liable for failure or delay in performance due to causes beyond reasonable control, including:

Natural disasters (earthquakes, floods, hurricanes, pandemics)
War, terrorism, civil unrest, or government actions
Labor disputes, strikes, or lockouts
Cyberattacks, data breaches, or infrastructure failures
Power outages, telecommunications failures, or internet disruptions
Supplier or subcontractor failures

Obligations During Force Majeure:

Affected party promptly notifies other party
Affected party uses commercially reasonable efforts to mitigate impact
Performance deadlines extended by duration of force majeure event
If force majeure continues for more than 30 days, either party may terminate without penalty

16. DISPUTE RESOLUTION

16.1 Informal Resolution

Before initiating formal dispute resolution, parties agree to:

Negotiate in good faith to resolve disputes
Escalate to senior management (at least Director level)
Attempt to resolve within 30 days of dispute arising

16.2 Mediation

If informal resolution fails, parties agree to:

Mediate dispute with neutral third-party mediator
Mediation conducted in Washington, D.C. (or mutually agreed location)
Parties split mediation costs equally
Mediation must be attempted before arbitration or litigation

16.3 Binding Arbitration (Optional)

If SOW specifies binding arbitration:

Arbitration Terms:

Administered by American Arbitration Association (AAA)
Commercial Arbitration Rules apply
Single arbitrator (unless dispute value exceeds $500,000)
Arbitration conducted in Washington, D.C.
District of Columbia law applies
Arbitrator's decision is final and binding
Judgment may be entered in any court with jurisdiction

Exceptions to Arbitration:

Injunctive relief for intellectual property infringement
Small claims court actions (within jurisdictional limits)
Enforcement of confidentiality obligations

Class Action Waiver:

Disputes must be brought individually, not as class action or representative proceeding
No consolidation of multiple client disputes without consent

16.4 Litigation

If arbitration not specified in SOW, disputes shall be resolved by litigation:

Governing Law:

Governed by laws of District of Columbia, United States
Federal Arbitration Act applies to arbitration agreements
UN Convention on Contracts for International Sale of Goods does not apply

Jurisdiction and Venue:

Exclusive jurisdiction in federal or state courts located in Washington, D.C.
Both parties consent to personal jurisdiction and venue
Waive any objection to venue or forum non conveniens

16.5 Attorneys' Fees

Prevailing party in any arbitration or litigation entitled to recover reasonable attorneys' fees and costs from non-prevailing party.

17. GENERAL PROVISIONS

17.1 Entire Agreement

These Terms, together with any executed SOW and NDA, constitute the entire agreement between parties regarding Advisory Services and supersede all prior agreements and understandings.

Order of Precedence:

Statement of Work (SOW)
These Master Terms of Service
Non-Disclosure Agreement (NDA)

17.2 Amendments

Amendments must be in writing and signed by authorized representatives of both parties. Email acceptance by authorized signatory is binding.

17.3 Severability

If any provision is found invalid or unenforceable, remaining provisions continue in full force. Invalid provision shall be modified to minimum extent necessary to make it enforceable.

17.4 Waiver

Failure to enforce any right or provision does not constitute waiver. Waivers must be in writing and signed by party granting waiver.

17.5 Assignment

Client Assignment:

Client may not assign engagement without ERMITS' prior written consent
Consent not unreasonably withheld

ERMITS Assignment:

ERMITS may assign to affiliates or successors without consent
ERMITS remains responsible for performance
Client notified of assignment

17.6 No Third-Party Beneficiaries

These Terms are for benefit of parties only and do not create rights in any third party. Deliverables are for Client's internal use only unless SOW specifies third-party reliance.

17.7 Independent Contractors

Parties are independent contractors. No partnership, joint venture, agency, or employment relationship is created.

17.8 Notices

All notices must be in writing and delivered to:

For ERMITS:

Email: legal@ermits.com
Mail: ERMITS LLC, [Physical Address to be inserted], Attn: Legal

For Client:

Email and mail address specified in SOW

Notices deemed delivered when sent by email (with confirmation) or when received by mail.

17.9 Publicity

Neither party may issue press releases or public statements regarding engagement without prior written consent. Exceptions:

Disclosure required by law or regulation (with notice to other party)
General listing of Client name in client list (with Client consent)

17.10 Export Controls

Client shall not export or re-export Deliverables in violation of U.S. export control laws. Client is responsible for compliance with all export regulations.

17.11 U.S. Government Clients

For U.S. Government clients, the following additional terms apply:

Advisory Services are "commercial services" under FAR 12
Delivered under FAR Part 12 commercial terms
Government-specific clauses incorporated by reference as required by FAR
Any inconsistency between these Terms and mandatory FAR clauses resolved in favor of FAR

17.12 Survival

The following provisions survive termination:

Payment obligations
Confidentiality (for period specified in NDA)
Intellectual property rights
Warranties (for warranty period)
Limitation of liability
Indemnification
Dispute resolution

17.13 Counterparts and Electronic Signatures

Agreements may be executed in counterparts, each constituting an original. Electronic signatures (DocuSign, Adobe Sign, etc.) are binding and enforceable.

18. SPECIFIC SERVICE PROVISIONS

18.1 Virtual CISO (vCISO) Retainer Services

For ongoing vCISO advisory services:

Services Include:

Strategic cybersecurity leadership and guidance
Board and executive reporting
Cybersecurity program oversight
Incident response leadership (during incidents)
Vendor and budget recommendations
Policy and standards governance

Service Levels:

Defined monthly hours or availability (per SOW)
Priority response time for urgent matters (typically 4 hours)
Regular check-in meetings (weekly, bi-weekly, or monthly)
After-hours emergency availability (for critical incidents)

Exclusions:

Hands-on technical implementation (unless separately contracted)
24/7 SOC or monitoring services
Direct management of Client's security personnel

18.2 Incident Response Advisory

For incident response consulting:

Retainer Model:

Pre-paid retainer for guaranteed availability
Rapid response within agreed timeframe (typically 2-4 hours)
Discounted hourly rates during active incidents

Time-and-Materials Model:

Billed hourly during active incident response
Premium rates for after-hours and emergency response
No guaranteed availability without retainer

Services Include:

Incident response leadership and coordination
Forensic analysis support and guidance
Containment and eradication planning
Recovery and remediation recommendations
Post-incident review and lessons learned
Regulatory notification advisory (HIPAA, state breach laws, etc.)

Limitations:

ERMITS does not preserve evidence for litigation (recommend forensic specialists)
ERMITS does not provide legal advice (engage legal counsel)
Client responsible for notification decisions (with ERMITS guidance)

18.3 Compliance Assessment Services

For CMMC, NIST 800-171, HIPAA, and other compliance assessments:

Services Include:

Gap assessment against regulatory requirements
Documentation review and analysis
Stakeholder interviews
Control testing (sampling-based)
Assessment report with findings and recommendations
Remediation roadmap

Not Included:

Certification or attestation (ERMITS is not a certification body)
Guarantee of certification or audit passage
Implementation of remediation (unless separately contracted)
Legal interpretation of regulatory requirements

Client Responsibilities:

Provide access to systems, documentation, and personnel
Complete self-assessment questionnaires (if applicable)
Provide evidence of control implementation
Designate knowledgeable points of contact

19. CONTACT INFORMATION

20. EFFECTIVE DATE AND ACCEPTANCE

Effective Date: April 21, 2026

Last Updated: April 21, 2026

By executing a Statement of Work for Advisory Services, Client acknowledges that it has read, understood, and agrees to be bound by these Master Terms of Service.

ERMITS Advisory Services - Expert. Independent. Trusted.

Advisory Privacy Policy Advisory Acceptable Use Policy Cookie & Portal Policy