Limitation of Liability

To the fullest extent permitted by law, Service Provider's total liability under any applicable terms or agreement shall not exceed the total amount of fees paid by Client to Service Provider during the three (3) months immediately preceding the event giving rise to the claim.

Under no circumstances shall Service Provider be liable for:

• loss of profits or revenue
• loss of data
• business interruption
• reputational damage
• regulatory fines
• indirect, incidental, special, or consequential damages

even if Service Provider has been advised of the possibility of such damages.

Client acknowledges that no information technology environment can be made fully secure and that cybersecurity threats, including ransomware and related attacks, pose inherent risks. Service Provider implements commercially reasonable security practices but does not guarantee protection against:

• ransomware attacks
• phishing attacks
• credential compromise
• zero-day vulnerabilities
• insider threats
• third-party supply chain attacks
• third-party data breaches

Service Provider shall not be liable for damages arising from or caused by such cyber incidents unless such damages are directly caused by Service Provider's gross negligence or willful misconduct.

Service Provider may monitor backup systems where implemented but does not guarantee successful restoration in all circumstances. Data loss may occur due to hardware failure, ransomware encryption, software corruption, vendor outages, or accidental deletion. Service Provider shall not be liable for loss of data or data corruption. Data restoration services may incur additional charges.

Service Provider is not responsible for outages, failures, or damages caused by third-party providers, including Microsoft, AWS, SaaS vendors, internet service providers, telecom carriers, or other infrastructure or software vendors outside Service Provider's direct control.

Service Provider may recommend security controls, infrastructure upgrades, configuration changes, or other remediation actions to improve the security, stability, or reliability of Client's systems. Such recommendations may include MFA, endpoint protection, firewall upgrades, patching, network segmentation, backup strategy improvements, and user cybersecurity training.

If Client declines, delays, or fails to implement any recommended security measure, Client acknowledges that such decision may increase the risk of cybersecurity incidents. In such cases, Service Provider shall not be liable for any damages that could reasonably have been mitigated or prevented by the declined recommendation. Service Provider may document declined recommendations in writing.

Service Provider provides information technology management and support services only. Service Provider does not provide legal, regulatory, compliance, accounting, or auditing services. Compliance with regulatory requirements—including GLBA, FTC Safeguards Rule, PCI DSS, SOC 2, state data privacy laws, credit reporting regulations, and data breach notification laws—remains the sole responsibility of Client.

Service Provider does not guarantee regulatory compliance and shall not be liable for regulatory penalties, compliance violations, audit findings, or certification failures unless directly caused by Service Provider's gross negligence or willful misconduct.

Client shall remain solely responsible for identifying, classifying, and protecting sensitive data within its systems, including consumer credit data, financial records, PII, and confidential business information. Service Provider shall not be responsible for identifying regulated data stored within Client systems unless specifically engaged under a separate written agreement for compliance assessment services.

Client is strongly encouraged to maintain cyber liability insurance sufficient to cover data breaches, ransomware events, regulatory penalties, and incident response costs. Service Provider shall not be liable for damages that would reasonably be covered by such insurance.

Neither Party shall be liable for delays or failures caused by events beyond reasonable control, including natural disasters, cyber warfare, critical infrastructure outages, acts of government, or power failures.

These terms, all services provided by Service Provider, and any dispute or claim arising out of or relating to the parties' relationship shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict-of-laws principles.

Subject to the mediation requirement below, the state and federal courts located in Los Angeles County, California shall have exclusive jurisdiction over any action or proceeding arising out of or relating to these terms or the services, and Client consents to personal jurisdiction and venue in those courts.

Before filing any lawsuit, the parties shall first attempt in good faith to resolve the dispute through a written notice describing the issue in reasonable detail and a conference between authorized representatives. If the dispute is not resolved within fifteen (15) days after notice, the parties shall participate in non-binding mediation in Los Angeles County, California, or by remote video conference if Service Provider elects remote participation.

Client shall not commence litigation until the mediation has concluded or Service Provider has declined to participate after receiving written notice. Notwithstanding the foregoing, Service Provider may, to the fullest extent permitted by law, seek temporary, preliminary, or permanent injunctive relief, specific performance, repossession or recovery of Service Provider property, or pursue collection of undisputed past due amounts without first completing mediation.

Client shall reimburse Service Provider, to the fullest extent permitted by applicable law, for all reasonable costs incurred in collecting undisputed overdue amounts, including attorneys' fees, court costs, mediation fees, expert fees, and collection agency fees.

In any dispute arising out of or relating to these terms or the services, Service Provider shall be entitled to recover its reasonable attorneys' fees and costs if it is the prevailing party, except to the extent a different allocation is required by non-waivable applicable law.