CMMC Services Terms
These services terms (the “Terms”) are part of an agreement (the “Agreement”) entered into by and between Peak InfoSec LLC, a Florida Limited Liability Company (the “C3PAO”), and the entity identified on the corresponding Services Order Form (the “Order Form”) (“Client”). Under this Agreement, C3PAO and Client may be referred to individually as a “Party” and collectively as the “Parties”.
The Agreement consists of four (4) documents which are incorporated by reference in their entirety into the Agreement: the Proposal referenced on or otherwise associated with the Order Form (the “Proposal”), the Order Form, the invoice sent from C3PAO to Client which defines any payment terms and is used to initiate the payment process (the “Invoice”), and these Terms. The Agreement is effective as of the date the Order Form is signed by authorized representatives of both C3PAO and Client (the “Effective Date”).
In consideration of the matters described in the Background section below, and of the mutual benefits and obligations set forth in the Agreement, the receipt and sufficiency of which consideration is hereby acknowledged, Client and C3PAO agree as follows:
- Background and Purpose
- C3PAO is a Cybersecurity Maturity Model Certification (“CMMC”) Third-Party Assessment Organization which has been duly authorized or accredited by The Cyber AB (https://CyberAB.org).
- Client is of the opinion that C3PAO has the necessary qualifications, experience and abilities to provide services to Client as defined in the Proposal.
- C3PAO agrees to provide such services to Client on the terms and conditions set forth in the Agreement.
- Affiliates
- For the purposes of the Agreement, the term “Affiliate” shall mean a business entity effectively controlling or controlled by a Party or which is under common ownership or control with a Party.
- For the purposes of the Agreement, references to the Parties collectively, and C3PAO and Client individually, are deemed to include their respective Affiliates.
- Not Legal Advice. Although C3PAO’s staff includes lawyers, C3PAO is not providing legal advice to Client, and Client acknowledges that no attorney-client relationship has been, is, or will be created between the Parties. Client further acknowledges and agrees that Client shall seek the advice of competent, third-party counsel before taking any action in reliance on anything which may be deemed to be legal advice.
- Services to be Provided. Client hereby agrees to engage C3PAO to provide Client with the services defined in the Proposal which have been ordered on an Order Form mutually executed by the Parties (the “Services”), and Client agrees that the Services shall be provided under and subject to the terms set forth in the Agreement.
- Client Obligations. Under this Agreement, Client agrees to fulfill the following obligations:
- Select and designate one employee or contractor as Client Contract Manager to serve as a primary contact and act as Client’s authorized representative with respect to all matters pertaining to the Agreement. Client Contract Manager will remain in place and in full force until a successor Client Contract Manager is appointed.
- Maintain a reasonable level of supervision so as to assure C3PAO that Client Contract Manager will promptly respond to all reasonable requests for instructions, information, or approvals made by C3PAO in its effort to render the Services.
- Take all required steps and perform all necessary preparations in order to prevent Client-caused delays in C3PAO’s obligation to render Services. The aforementioned steps and preparations may include obtaining licenses or consents from all relevant third parties and the procurement of required permits, among others.
- Term and Termination
- The term of the Agreement (the “Term”) will begin on the Effective Date and will remain in full force and effect until the earlier to occur of: a) C3PAO’s completion of the Services or b) the termination of the Agreement by either Party, provided such termination is carried out in accordance with the Agreement.
- If either Party wishes to terminate the Agreement, that Party will be required to provide 10 days’ written notice to the other Party.
- The Agreement may be terminated at any time by mutual agreement of the Parties.
- Except as otherwise provided in the Agreement, C3PAO’s obligations to perform the Services will end upon the termination of the Agreement.
- Capacity/Independent Contractor
- In providing the Services under the Agreement it is expressly agreed that C3PAO is acting as an independent contractor and not as an employee of Client.
- C3PAO and Client acknowledge that the Agreement between them is exclusively a contract for services and does not create a partnership, joint venture, or other form of joint enterprise, employment, or fiduciary relationship between the parties and neither party will have authority to contract in the name of or bind the other party in any manner whatsoever.
- C3PAO will perform the Services at any place or location and at such times as C3PAO shall determine. Only C3PAO has the right to control how C3PAO performs the Services. While working in any Client facility, C3PAO will comply with all Client policies and procedures provided to C3PAO prior to the signing of the Agreement.
- Client shall provide any specialized equipment, hardware, materials, or software necessary to provide the Services, and C3PAO is exempt from having to furnish such equipment or materials.
- Client is not required to pay, or make any contributions to any employee benefit for C3PAO, including without limitation any social security, local, state or federal tax; unemployment compensation; workers’ compensation; insurance premium; profit-sharing; or pension or retirement account.
- C3PAO is responsible for paying and complying with reporting requirements for all local, state, and federal taxes related to payments made to C3PAO under the Agreement.
- Use of Client Name in Marketing. Client hereby agrees that C3PAO may use Client’s name, logo, and publicly-available information about Client for marketing purposes, provided that, unless expressly authorized by Client, such use does not imply an endorsement of C3PAO by Client. By way of example without limitation, C3PAO may post promotional information or advertisements to social media identifying Client as a client of C3PAO and congratulating Client on successfully reaching a specific compliance milestone or earning a third-party certification.
- Compensation
- Currency. Except as otherwise provided in the Agreement, all monetary amounts referred to in the Agreement are in USD (US Dollars).
- Invoices. C3PAO shall issue one or more Invoices to Client to request payment for the Services.
- Hourly. Services billed on an hourly basis will be included on an Invoice at the rate identified in the Order Form or Proposal (the “Hourly Compensation”). C3PAO shall submit Invoices to Client for all Hourly Compensation on the first and fifteenth of each month for any hourly work performed during the prior period. Notwithstanding the foregoing, C3PAO shall not be required to submit Invoices for periods during which no work is performed. If the Agreement is otherwise silent, payment for all Hourly Compensation Invoices shall be due net fifteen (15) days.
- Fixed Fee. Services billed on a fixed fee basis will be included on an Invoice at the rate identified in the Order Form (the “Fixed Fee Compensation”). C3PAO shall submit to Client one or more Invoices for the Fixed Fee Compensation Payment in accordance with the terms defined on the Order Form or Proposal. If the Order Form and Proposal are silent as to the Fixed Fee Compensation payment terms, C3PAO will issue an Invoice to Client for fifty percent (50%) of the Fixed Fee Compensation, which must be paid prior to the start of any Services billed on a fixed-fee basis. The balance of the Fixed Fee Compensation shall be due thirty (30) days from the Effective Date.
- Combined. The Fixed Fee Compensation and the Hourly Compensation are collectively referred to in these Terms as the “Compensation”.
- Sales Tax. The Compensation does not include sales tax or other applicable duties as may be required by law. Any sales tax and duties required by law will be charged to Client in addition to the Compensation.
- Expenses
- Except as otherwise provided for in the Agreement, Compensation does not include any expenses incurred by C3PAO in connection with providing the Services. Client agrees to reimburse C3PAO for all reasonable, pre-approved expenses incurred by C3PAO in connection with providing the Services (the “Expenses”).
- For the purposes of this Section, reasonable Expenses are deemed to include business class, or where business class is unavailable, first class, tickets for all travel:
- outside the United States;
- within the United States where the time from departure at the initial commercial carrier point (e.g., an airport, train station, etc.) to arrival at the destination commercial carrier point is four (4) or more hours; or
- which requires the traveler(s) to travel overnight.
- C3PAO shall submit an invoice for the Expenses to Client within thirty (30) days of incurring such Expenses unless otherwise agreed to by the Parties in writing.
- Invoices for Expenses are due within fifteen (15) days of receipt.
- Delays.
- Client acknowledges and agrees that the cost of the Fixed Fee Compensation has been determined by C3PAO based on representations made by Client, including without limitation representations as to Client’s preparedness for a CMMC assessment and the availability of Client’s personnel, documentation, and other assets. Any schedule changes or other delays are likely to impact not only Client, but also C3PAO and C3PAO’s other clients. Therefore, for any delays which are reasonably determined by C3PAO, in C3PAO’s sole judgment, to be attributable to Client, C3PAO shall be entitled to bill Client, and Client agrees to pay, for such delays at the rate of $2,000 per day. Such delays will be billed by C3PAO on a whole day basis.
- Payment Terms
- Payment of all Invoices is due on the date(s) indicated on the Invoice and all payments shall be made by electronic means (e.g., wire transfer, ACH, or credit card), as further defined on the Invoice.
- If Client does not pay any undisputed invoices by the date indicated on the Invoice, C3PAO reserves the right to initiate an action in court for breach of contract. C3PAO also reserves the right to: a) delay or stop all work including, without limitation, the submission of information to third parties such as The Cyber AB or the United States Department of Defense, or performance of any assessments and the issuing of any certifications; and b) pursue from Client the costs C3PAO incurs in disputing or defending any such action, including but not limited to the lost business profits in the form of time C3PAO and its representatives spent handling such dispute, at C3PAO’s hourly rate as set forth in the Agreement but not less than $250/hour.
- C3PAO shall be entitled to receive an additional fee of five percent (5.00%) per month or the highest rate permissible under Florida law, whichever is greater, calculated daily and compounded monthly, on all late payments. The Parties further agree that C3PAO, in addition to all the remedies under this Agreement or provided by law, will be entitled to suspend the provision of any Services if Client fails to pay any undisputed payment or other amount when due under this Agreement within 30 days after C3PAO has issued a written notice thereof.
- Client’s obligation to pay all fees does and shall survive the termination of the Agreement.
- Client acknowledges that Client’s engagement of C3PAO to provide the Services may prevent C3PAO from providing services to other clients during that time. Client therefore agrees that if the Agreement is terminated by Client at any point prior to the completion of the Services, C3PAO shall have no obligation to repay to Client any pre-paid fees.
- Confidentiality
- Confidential Information
- For purposes of the Agreement, the term “Confidential Information” means any information, technical data, or know-how, including, but not limited to, information which relates to research, products, services, customers, markets, software, developments, inventions, processes, designs, drawings, engineering, marketing, finances, regulatory matters, business plans, codes, databases, operational and hiring matters, employee lists, or sales and pricing, which is designated in writing or other visual form to be confidential or proprietary, or, if given orally, is confirmed in writing within ten (10) business days as having been disclosed as confidential or proprietary.
- A Party may disclose Confidential Information (the “Disclosing Party”) to the other Party (the “Receiving Party”) under this Agreement.
- Confidential Information does not include information, technical data or know-how which:
- is in the possession of the Receiving Party at the time of disclosure, as evidenced by the Receiving Party’s files and records immediately prior to the time of disclosure,
- becomes a part of public knowledge or literature prior to or after the time of disclosure by the Disclosing Party, not as a result of any action or inaction of the Receiving Party,
- is approved for release by the Disclosing Party,
- is developed, formulated, and obtained by the Receiving Party without using any Confidential Information, or
- is information received by the Receiving Party through non-confidential means and on a non-confidential basis from a third party as long as the Receiving Party reasonably believed or believes that such third party is not, nor has been, barred from disclosing the Confidential Information in question.
- Non-Disclosure of Confidential Information
- In agreeing to receive the Confidential Information, the Receiving Party agrees to only use the Disclosing Party’s Confidential Information for the purpose of exercising its rights or fulfilling its duties under the Agreement.
- The Receiving Party shall keep confidential any and all of the Disclosing Party’s Confidential Information already disclosed or to be disclosed hereunder, and the Receiving Party shall not divulge the Disclosing Party’s Confidential Information, in whole or in part, to any third party except as expressly permitted by the Agreement.
- The Receiving Party shall not make any commercial or other use of the Disclosing Party’s Confidential Information unless agreed to separately in writing by the Disclosing Party.
- The Receiving Party shall not disclose the Disclosing Party’s Confidential Information to third parties or to the Receiving Party’s employees, except employees (including officers and directors) who are required to have the information in order to carry out the purpose of the Agreement.
- Neither Party may disclose the other’s Confidential Information to an Affiliate or its attorneys, agents, advisors, financiers, engineers or accountants (collectively “Representatives”) without the prior written consent of the Disclosing Party, except to the extent appropriate to advance the relationship or transaction contemplated hereby.
- The Receiving Party has advised or will advise employees and/or any Representatives, as appropriate, to whom the Disclosing Party’s Confidential Information is disclosed that such employees or Representatives are and will be required to maintain the confidentiality of all of the Disclosing Party’s Confidential Information consistent with the terms of the Agreement.
- The Receiving Party agrees that it will treat the Disclosing Party’s Confidential Information with at least the same level of care as it treats its own Confidential Information, and at least commercially reasonable care. The Receiving Party agrees to promptly notify the Disclosing Party in writing of any misuse or misappropriation of the Disclosing Party’s Confidential Information that may come to the Receiving Party’s attention.
- Disclosure. In the event that the Receiving Party is compelled by law or by any applicable regulatory agency to disclose any of the Disclosing Party’s Confidential Information, the Receiving Party shall immediately notify the Disclosing Party of such pending disclosure so that a protective order or other appropriate remedy may be obtained. In the event that such an order or other remedy is not available, the Receiving Party shall disclose only the minimum portion of the Disclosing Party’s Confidential Information that it is legally compelled to disclose, consistent with the advice of its counsel.
- Return of Materials. Upon termination of the Agreement or within ten (10) business days of any written request from the Disclosing Party, the Receiving Party will deliver the Disclosing Party’s Confidential Information to the Disclosing Party, including, without limitation, all copies thereof and any related materials and documentation that contain any Confidential Information, and will destroy, and certify in writing to the Disclosing Party the destruction of, all analyses, compilations, studies or other documents, and all copies thereof, derived therefrom.
- Patent or Copyright Infringement. Nothing in the Agreement is intended to grant any rights under any patent, copyright or other intellectual property right of either Party, nor shall the Agreement grant either Party any rights in or to the other Party’s Confidential Information, except the limited right to review and use such Confidential Information solely for the purposes of the Agreement.
- Liability.
- THE PARTIES AGREE THAT THE CONFIDENTIAL INFORMATION SHALL BE TREATED AS-IS AND THAT THE CONFIDENTIAL INFORMATION HAS NOT BEEN SUBJECT TO VERIFICATION BY THE DISCLOSING PARTY.
- NEITHER PARTY MAKES ANY REPRESENTATION OR WARRANTY, EXPRESS OR IMPLIED, WITH RESPECT TO ITS OWN CONFIDENTIAL INFORMATION.
- NEITHER PARTY SHALL BE LIABLE TO THE OTHER HEREUNDER FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION AMOUNTS REPRESENTING LOSS OF PROFITS, LOSS OF BUSINESS, OR INDIRECT, CONSEQUENTIAL, OR PUNITIVE DAMAGES, IN CONNECTION WITH THE PROVISION, USE OF, OR RELIANCE UPON CONFIDENTIAL INFORMATION MADE AVAILABLE HEREUNDER.
- LIMITATION OF LIABILITY
- C3PAO SHALL NOT BE LIABLE FOR ERRORS WHICH RESULT FROM FAULTY OR INCOMPLETE INFORMATION SUPPLIED TO C3PAO OR THE LOSS OF DATA OR A DECREASE OF DATA’S VALUE THAT IS THE RESULT OF A BREACH OF CONTRACT, TORT, OR OTHERWISE.
- C3PAO SHALL NOT BE LIABLE TO CLIENT FOR ANY COSTS, DAMAGES, OR DELAYS DUE TO CAUSES BEYOND ITS CONTROL, EXPRESSLY INCLUDING WITHOUT LIMITATION UNKNOWN SITE CHARACTERISTICS, UNKNOWN FACTS, CHANGES IN POLICIES, CHANGES IN TERMS OF SERVICE, ACTS OF GOD, ACTS OF WAR, ACTS OF TERRORISM, GLOBAL OR REGIONAL HEALTHCARE ISSUES, AND NATURAL DISASTERS.
- C3PAO SHALL NOT BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL, INDIRECT, OR SPECIAL DAMAGES, OR FOR ANY LOSS OF PROFITS OR BUSINESS INTERRUPTIONS CAUSED OR ALLEGED TO HAVE BEEN CAUSED BY THE PERFORMANCE OR NONPERFORMANCE OF THE SERVICES. CLIENT AGREES THAT THIS DISCLAIMER OF LIABILITY APPLIES AND SHALL OPERATE IN FULL FORCE REGARDLESS OF WHETHER OR NOT C3PAO HAS BEEN ADVISED THAT SUCH DAMAGES ARE A POSSIBILITY AND DESPITE THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE.
- C3PAO IS NOT RESPONSIBLE FOR ANY LOSS OF REVENUE OR OTHER DAMAGES THAT MAY OCCUR IF A) CLIENT DOES NOT SUCCESSFULLY EARN A CONDITIONAL CMMC LEVEL 2 (C3PAO) OR FINAL LEVEL 2 (C3PAO) STATUS OR CERTIFICATION, OR B) FAILS TO ACHIEVE A FINAL LEVEL 2 (C3PAO) STATUS OR CERTIFICATION AFTER BEING CONDITIONALLY CERTIFIED.
- CLIENT AGREES THAT, IN THE EVENT C3PAO IS DETERMINED TO BE LIABLE FOR ANY LOSS, CLIENT’S SOLE REMEDY AGAINST C3PAO IS LIMITED TO A REFUND OF PAYMENTS MADE BY CLIENT FOR SAID SERVICES, LESS FEES PAID TO SUBCONTRACTORS OR THIRD PARTIES.
- CLIENT AGREES NOT TO SEEK DAMAGES IN EXCESS OF THE CONTRACTUALLY AGREED UPON LIMITATIONS DIRECTLY OR INDIRECTLY THROUGH SUITS BY OR AGAINST OTHER PARTIES.
- LIMITED WARRANTY – C3PAO agrees to comply with the following warranties with respect to its performance of the Services:
- The Services will be rendered in a timely, workmanlike, and professional manner in line with generally recognized and expected industry standards.
- The Services will be rendered in line with the terms and subject to the conditions described and set forth in the Agreement.
- NO OTHER GUARANTEES OR WARRANTIES, INCLUDING ON RESULTS
- EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS AGREEMENT AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES PROVIDED BY C3PAO UNDER THE AGREEMENT ARE PROVIDED WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF QUALITY, MERCHANTABILITY, TITLE, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, AND EXPECTED RESULTS, AND SUCH IMPLIED WARRANTIES, AND ANY OTHER WARRANTIES, REPRESENTATIONS, CONDITIONS, AND TERMS EXPRESS OR IMPLIED (AND WHETHER IMPLIED BY STATUTE, COMMON LAW, COURSE OF DEALING, TRADE USAGE, OR OTHERWISE) ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW. C3PAO AND ITS AFFILIATES DO NOT GUARANTEE THAT THE SERVICES PROVIDED UNDER THIS AGREEMENT HAVE BEEN DESIGNED TO MEET CLIENT’S SPECIFIC BUSINESS REQUIREMENTS, COMPLY WITH LEGAL OR REGULATORY REQUIREMENTS APPLICABLE TO CLIENT, OR THAT C3PAO WILL CORRECT ANY ERRORS. CLIENT AGREES THAT IT IS SOLELY RESPONSIBLE FOR THE RESULTS OBTAINED FROM THE USE OF THE SERVICES PROVIDED UNDER THIS AGREEMENT.
- Example results obtained for other clients of C3PAO may be used as a marketing tool and shown to Client but are intended for demonstrative purposes only and shall not be construed by Client as indicating any promised results or level of results.
- Breach. The Parties agree to use all reasonable and commercially standard efforts to promptly cure any breach of this Agreement. If the Party in breach (the “Breaching Party”) cannot cure such breach within thirty (30) days after receiving written notice from the other Party (the “Non-Breaching Party”) of the breach in question, the Non-Breaching Party may rescind this Agreement after serving the Breaching Party with a written notice of termination in accordance with this Agreement.
- CMMC Certification Assessment Engagements. The following terms apply to all CMMC Certification Assessments:
- Definitions.
- Appeal: A request by the provider of the item of inspection to the inspection body for reconsideration by that body of a decision it has made relating to that item.
- Assessment Objective: An outcome or objective that must be achieved to demonstrate the implementation of a Security Requirement.
- Assessment Period: The time from when the Client provides their final set of artifacts at the start of Phase II or Phase IV of an assessment for C3PAO’s examination until C3PAO completes all necessary Headquarters and secondary site surveys. The assessment period does not include the Security Requirement re-evaluation window specified in 32 CFR §170.17(c)(2).
- Assets: An item of value to Client, including without limitation tangible (e.g., physical items such as hardware, firmware, computing platforms, network devices, or other technology components) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation).
- Baseline Freeze: The locking of all in scope assets from changes not expressly authorized by C3PAO or this Agreement, including without limitation updates or fixes to such assets. Actions taken in accordance with Client’s standard operational procedures (e.g., on-boarding new staff, performing normal incident response activities, and conducting vulnerability management actions) are not considered fixes or changes which would contravene a Baseline Freeze.
- CMMC Assessment Process (“CAP”): The document published and maintained by The Cyber AB which is the official procedural guide for conducting CMMC Level 2 Certification Assessments. The most recent CAP can be accessed via The Cyber AB’s Downloads Page under the Download Resources heading.
- Certification Assessment: Formal validation that a Client’s information security program or other assessed aspects conforms to the applicable Security Requirements or other guidance. Certification Assessments include POA&M Closeout Certification Assessments, as defined in 32 CFR §170.
- Complaint: An expression of dissatisfaction, other than an Appeal, by any person or organization to an inspection body, relating to the activities of that body, where a response is expected.
- The Cyber AB: The Cybersecurity Maturity Model Certification (“CMMC”) Accreditation Body, referred to as The Cyber AB, is the entity designated by the United States Department of Defense as the sole Accreditation Body for the CMMC program.
- Error: A mistake committed by an Assessor or Lead Assessor such as improperly interpreting the assessment guides or incorrectly recording or interpreting evidence provided by the Client.
- In Scope Assets: The set of all assets in Client’s environment that will be assessed against the Security Requirements.
- Limited Scope Change: A change which corrects or clarifies a minor issue in Client’s documentation and which, as determined by C3PAO: a) does not impact or contradict a previously assessed Security Requirement, b) does not require a subsequent interview or test, and c) requires only a brief period of time (i.e., less than five (5) minutes) to review. Each change within a specific document counts as a separate Limited Scope Change. Examples of Limited Scope Changes include, without limitation, clarification of a configuration that is implemented but not fully documented in a policy. Examples of changes that would not qualify as Limited Scope Changes include, without limitation, the creation of new implementations, sections, documents, or processes.
- Project Manager: An individual appointed by each Party to act as the primary point of contact for that Party throughout the period of performance of the Agreement.
- Security Requirement: A requirement defined in a law, regulation, government-wide policy, contract, industry standard, framework, or other authoritative source. Examples of Security Requirements include, without limitation,
- Unprofessional Conduct: Actions and behavior that violate the standards and Guiding Principles set forth in The Cyber AB’s Code of Professional Conduct, which can be accessed via The Cyber AB’s Downloads Page under the Download Resources heading.
- PROJECT CHANGE CONTROL PROCEDURE: The following process is to be followed if costs or scope must change once the Agreement is effective:
- A Project Change Request (“PCR”) is the vehicle for communicating change. The PCR must describe the change, the rationale for the change, and the effect the change will have on the project including, without limitation, delivery timeline and cost.
- The designated Project Manager of the Party requesting the change (the “Requesting Party”) shall review and approve all proposed PCRs prior to their submission to the other Party (the “Receiving Party”) via the Project Manager.
- PCRs must be approved in writing by authorized representatives of the Parties.
- RULES OF ENGAGEMENT: The following Rules of Engagement govern this effort:
- GENERAL:
- Both Parties must comply with all applicable requirements specified in 32 CFR §170 and the CAP at all times.
- Client acknowledges and agrees that C3PAO is the sole decision-making authority for determining whether a Security Requirement and its associated Assessment Objectives have been MET, NOT MET, or are NOT APPLICABLE.
- OUT-OF-SCOPE WORK: Client acknowledges and agrees that, under 32 CFR §170 and the CAP, C3PAO is prohibited from providing the following services to Client in conjunction with a certification assessment:
- recommending remediations or suggesting corrective actions to resolve any findings where Client has NOT MET a Security Requirement or any associated Assessment Objective(s).
- identifying deficiencies or gaps in artifacts provided by Client.
- IN SCOPE ASSET CHANGES:
- Client shall implement a Baseline Freeze to all In Scope Assets for a period which begins fifteen (15) business days prior to the start of the Certification Assessment and which lasts until the completion of the Certification Assessment.
- Client agrees that technical or configuration changes made during the assessment to address NOT MET requirements will not be re-assessed during the Assessment Period, even if such requirements can be remediated during the Assessment Period.
- During the Certification Assessment, Client shall be permitted to make up to fifteen (15) changes to Client’s documentation where such changes are necessitated due to a NOT MET finding by C3PAO, provided such changes are deemed by C3PAO to be Limited Scope Changes. Any additional changes identified during the Certification Assessment, in excess of the fifteen (15) permitted changes, shall be scored by the C3PAO as NOT MET.
- CONDITIONAL CERTIFICATION.
- 32 CFR §170 defines circumstances under which an assessed organization which receives one or more NOT MET findings for certain Security Requirements may be awarded a Conditional Assessment. In accordance with 32 CFR §§170.17(c)(3) and 170.21(b), the assessed organization must remediate (i.e., close out) all NOT MET findings within a one hundred eighty (180) day window to receive a Final CMMC Level 2 (C3PAO) Status or Certification.
- If Client receives a Conditional Certification and chooses to use C3PAO for the Phase IV, POA&M Closeout Certification Assessment, Client shall complete all remediation actions and schedule the POA&M Closeout Certification Assessment to begin no later than one hundred thirty-five (135) calendar days after C3PAO delivers the Final Out Brief to Client. This timeframe is critical to ensure the assessment is completed and the assessment results are properly reported within the 180-day window.
- C3PAO APPEALS RESOLUTION PROCESS: The following terms govern any Appeals during this effort:
- Any controversy or claim arising out of or relating to the performance or outcome of a Certification Assessment shall be exclusively settled in accordance with the then-current version of C3PAO’s Appeals Resolution Process (“ARP”), which is accessible via C3PAO’s website and incorporated into the Agreement by reference in its entirety. In the event of a conflict between this Agreement and the ARP, the ARP shall control with respect to all Appeals.
- Client expressly waives all right to a trial or other proceedings outside of the ARP with respect to all Appeals. Any judgment thereon rendered by C3PAO or The Cyber AB may be entered in any court having jurisdiction thereof.
- Appeals may be submitted to C3PAO at any time via the procedure specified in the ARP.
- C3PAO reserves the right, for each submitted Appeal, to halt all active assessment efforts until the appeals process is completed.
- GENERAL:
- Survival. The Parties’ confidentiality obligations under the Agreement shall survive the termination of the Agreement for a period of five (5) years. Client’s payment obligations shall survive the termination of the Agreement. Sections 12, 13.6, 14, 15, 16, 18, and 19 shall survive termination of the Agreement.
- Notice. All notices, requests, demands or other communications required or permitted by the terms of the Agreement will be given in writing and delivered to the Parties at the addresses set forth on the Order Form or in the Proposal, or to such other address as either Party may from time to time notify the other, and will be deemed to be properly delivered (a) immediately upon being served personally, (b) two days after being deposited with the postal service if served by registered mail, or (c) the following day after being deposited with an overnight courier.
- Employees. Each Party shall be responsible for any breach of the terms of the Agreement by any of its directors, officers, employees, Representatives or agents (the “Entities”). Each Party further agrees to take reasonable actions to ensure that such Entities comply with the obligations imposed hereunder.
- Return of Property. Except as required by law, upon the expiration or termination of the Agreement, C3PAO will return to Client, or at Client’s option certify the destruction of, any property, documentation, records, or Confidential Information which is the property of Client. The Parties recognize that destruction of Confidential Information that is stored as part of C3PAO’s routine backup and maintenance efforts shall be excluded from the foregoing obligation.
- Disputes. The Parties agree that, except where required by law, any dispute regarding the Agreement, and any claim made by Client for return of monies paid to C3PAO, shall be handled in accordance with applicable state and federal laws and in the courts of Hillsborough County, Florida.
- Governing Law. Except where required by law, the Parties agree that the Agreement will be governed by and construed in accordance with the laws of the State of Florida excluding (to the greatest extent permissible by law) the conflict of laws principles of that state or any rule of law that would cause the application of the laws of any jurisdiction other than the laws of the State of Florida or federal laws.
- Jurisdiction and Venue. Except where required by law, the Parties hereby consent to the personal jurisdiction of the courts of Florida, and the exclusive venue for any legal proceeding shall be the courts located in Hillsborough County, Florida unless C3PAO otherwise agrees, which consent it may withhold in its sole discretion. Client waives any claim of forum non conveniens. Client agrees that if Client brings an action in a forum other than one authorized by this paragraph, C3PAO may move to dismiss the action and Client will be responsible for paying C3PAO’s reasonable attorneys’ fees and court costs associated with the motion.
- Modification of Agreement. Any amendment or modification of the Agreement or additional obligation assumed by either Party in connection with the Agreement will only be binding if evidenced in writing signed by each Party or an authorized representative of each Party.
- Entire Agreement.
- The Agreement supersedes any and all other prior understandings and agreements, either oral or in writing, between the Parties with respect to the subject matter hereof and constitutes the sole and only agreement between the Parties with respect to the said subject matter.
- All prior negotiations and agreements between the Parties with respect to the subject matter hereof are merged into the Agreement.
- Each Party acknowledges that no representations, inducements, promises, or agreements, orally or otherwise, have been made by any Party or by anyone acting on behalf of any Party, which are not embodied in the Agreement and that any agreement, statement or promise that is not contained in the Agreement shall not be valid or binding or of any force or effect.
- Authority to Execute. The Parties each represent and warrant that the person executing this Agreement on behalf of each respective Party has full power and authority to enter into this Agreement on behalf of themselves or the Party on whose behalf they execute this Agreement.
- Enurement. The Agreement will enure to the benefit of and be binding on the Parties and their respective heirs, executors, administrators and permitted successors and assigns.
- Titles/Headings. Headings are inserted for the convenience of the Parties only and are not to be considered when interpreting the Agreement.
- Order of Precedence. The Parties have entered into the Agreement which consists of the Invoice(s), Order Form(s), the Proposal, and these Terms. Any pre-printed, default, or other terms which do not expressly reference this Agreement and which may appear on any Purchase Order or similar document created or provided by Client are expressly rejected by the Parties. In the event there is a conflict between the terms of those documents, the terms in the Invoice(s) shall control with respect to the subject matter related thereto, followed by the Order Form which shall control with respect to the subject matter related thereto, followed by the Proposal, and then these Terms.
- Gender and Plural. Words in the singular mean and include the plural and vice versa. Words in the masculine mean and include the feminine and vice versa.
- Severability. If any term, clause, or provision of this Agreement is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction in any jurisdiction, such invalidity, illegality or unenforceability will not have any effect on any other term or provision of this Agreement, and such a finding will not invalidate or render unenforceable such term or provision in any other jurisdiction. In the event that such a determination by a court of competent jurisdiction does occur, the Parties agree to negotiate in good faith to modify this Agreement so as to preserve the original intent of the Parties as closely as possible, so that the transactions contemplated hereby may be consummated as originally contemplated to the greatest extent possible.
- Waiver. The waiver by either Party of a breach, default, delay or omission of any of the provisions of the Agreement by the other Party will not be construed as a waiver of any subsequent breach of the same or other provisions.
- Assignment. Neither Party may assign this Agreement, or any of the rights or obligations created and provided under it, without the other Party’s signed, written consent which shall not be unreasonably withheld.
- Counterparts. This Agreement may be executed in counterparts, and each counterpart will be deemed to be an original. Notwithstanding the foregoing, when the aforementioned counterparts are taken together, they will constitute one and the same agreement. The Parties also agree that, if delivered by facsimile, email, or other means of electronic transmission, a signed copy of this Agreement will be deemed to have the same legal effect as delivery of an original signed copy of this Agreement.
- FORCE MAJEURE. Client agrees that C3PAO will not be held liable, deemed responsible, or found to have defaulted or breached the Agreement for any failure or delay in fulfilling or performing any term of this Agreement when such failure or delay is caused by or is a result of circumstances beyond the reasonable control of C3PAO. Such circumstances include, but are not limited to, acts of God, flood, fire, earthquake, explosion, governmental actions, war, invasion or hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest, national emergency, revolution, insurrection, epidemic, lock-outs, strikes or other labor disputes (whether or not relating to either Party’s workforce), restraints or delays affecting carriers, inability or delay in obtaining supplies of adequate or suitable materials, telecommunication breakdown, or power outage. Notwithstanding the foregoing, the Parties also agree that if the event in question continues for a continuous period in excess of thirty (30) days, Client may, at its sole discretion, but not before sending C3PAO written notice, terminate this Agreement.
Version History
| Version | Revision Date | Change Summary |
|---|---|---|
| 2025.02a | 2025-FEB-15 | Initial Version |
| 2025.02b | 2025-FEB-16 | Inclusion of 12.4 and 16 from original SOW language. |
| 2025.03a | 2025-MAR-04 | Addressing reserved right for failure to pay under 9.d.ii and adding 9.e to account for penalties for Client-caused delays. |
| 2025.03b | 2025-MAR-05 | Standardized the payment terms and broke them out into their own section, and made conforming edits. |