WheelHouse IT Legal

If an Initial Audit / Diagnostic Services are listed in the Quote, then we will audit your managed information technology environment (the “Environment”) to determine the readiness for, and compatibility with, ongoing managed services.  Our auditing services may be comprised of one or more of the following:

• Audit to determine general Environment readiness and functional capability
• Review of hardware and software configurations
• Review of current vendor service / warranty agreements for Environment hardware and software
• Basic backup and file recovery solution audit
• Speed test and ISP audit
• Office telephone vendor service audit
• Asset inventory
• Email and website hosting audit
• IT support process audit

If deficiencies are discovered during any initial audit / diagnostic service or onboarding service, we will bring those issues to your attention and discuss the impact of the deficiencies on our provision of the Services and provide you with options to correct the deficiencies.  Please note, unless otherwise expressly agreed by us in writing, initial audit / diagnostic service and/or onboarding services, do not include the remediation of any issues, errors, or deficiencies (“Issues”), and we cannot guarantee that all Issues will be detected.  Issues that are discovered in the Environment may be addressed in one or more subsequent quotes.

If onboarding services are listed in the Quote, then one or more of the following services may be provided to you.

• Uninstall any monitoring tools or other software installed by previous IT service providers.
• Compile an inventory of all protected servers, workstations, and laptops for you to verify.
• Add undiscovered devices to inventory when identified.
• Uninstall any previous endpoint protection and install our managed security solutions (as indicated in the Quote).
• Install remote support access agents (e., software agents) on each managed device to enable remote support.
• Configure Windows® and application patch management agent(s) and check for missing security updates.
• Optimize device performance including disk cleanup and endpoint protection scans.
• Review firewall configuration and other network infrastructure devices.
• Review status of battery backup protection on all mission critical devices.
• Stabilize network and assure that all devices can securely access the file server.
• Review and document current server configuration and status.
• Determine existing business continuity strategy and status; prepare backup file recovery and incident response option for consideration.
• As applicable, make recommendations for changes that should be considered to the managed environment.

This list is subject to change if we determine, at our discretion, that different or additional onboarding activities are required.

If deficiencies are discovered during the onboarding process, we will bring those issues to your attention and discuss the impact of the deficiencies on our provision of our monthly managed services.  Please note, unless otherwise expressly stated in the Quote, onboarding-related services do not include the remediation of any issues, errors, or deficiencies (“Issues”), and we cannot guarantee that all Issues will be detected during the onboarding process. 

The duration of the onboarding process depends on many factors, many of which may be outside of our control—such as product availability/shortages, required third party vendor input, etc.  As such, we can estimate, but cannot guarantee, the timing and duration of the onboarding process.  We will keep you updated as the onboarding process progresses

Ongoing/recurring services are services that are provided to you on an ongoing basis and, unless otherwise indicated in a Quote, are billed to you monthly. Some ongoing/recurring services will begin with the commencement of onboarding services; others will begin when the onboarding process is completed.  Please direct any questions about start or “go live” dates to your technician.    

Implementation and facilitation of a backup monitoring solution from our designated Third Party Provider.  Features include:

• Monitors backup status for certain backup applications then-installed in the managed environment, such as successful completion of backup, failure errors, and destination free space restrictions/limitations.
• Helps ensure adequate access to Client’s data in the event of loss of data or disruption of certain existing backup applications.
• Note: Backup monitoring is limited to monitoring activities only and is not a backup and file recovery solution.

• Managed email protection from phishing, business email compromise (BEC), SPAM, and email-based malware. 
• Friendly Name filters to protect against social engineering impersonation attacks on managed devices. 
• Protection against social engineering attacks like whaling, CEO fraud, business email compromise or W-2 fraud. 
• Protects against newly registered and newly observed domains to catch the first email from a newly registered domain. 
• Protects against display name spoofing. 
• Protects against “looks like” and “sounds like” versions of domain names. 

Please see Anti-Virus; Anti-Malware and Breach / Cyber Security Incident Recovery sections below for important details. 

All hosted email is subject to the terms of our Hosted Email Policy and our Acceptable Use Policy. 

We use different end point solutions for different circumstances and levels of service, which may include: 

• Utilizes artificial intelligence and machine learning to provide a comprehensive and adaptive protection paradigm to managed endpoints. 
• Detects unauthorized behaviors of users, applications, or network servers. 
• Blocks suspicious actions before execution. 
• Analyzes suspicious app activity in isolated sandboxes. 
• Antivirus and malware protection for managed devices such as laptops, desktops, and servers. 
• Protects against file-based and fileless scripts, as well as malicious JavaScript, VBScript, PowerShell, macros and more. 
• Allows whitelisting for legitimate scripts. 
• Allows for blocking of unwanted web content. 
• Detects advanced phishing attacks. 
• Detects / prevents content from IP addresses with low reputation. 

* Please see Anti-Virus; Anti-Malware and Breach / Cyber Security Incident Recovery sections below for important details. 

• Automated correlation of data across multiple security layers*—email, endpoint, server, cloud workload, and the managed network, enabling faster threat detection. 
• Provides extended malware sweeping, hunting, and investigation. 
• Allows whitelisting for legitimate scripts. 
• Next-generation deep learning malware detection, file scanning, and live protection for workstation operating system. 
• Web access security and control, application security and control, intrusion prevention system. 
• Data loss prevention, exploit prevention, malicious traffic detection, disk and boot record protection. 
• Managed detection, root cause analysis, deep learning malware analysis, and live response. 
• On-demand endpoint isolation, advanced threat intelligence, and forensic data export. 

* Requires at least two layers (e.g., endpoint, email, network, servers, and/or cloud workload.)  

Please see Anti-Virus; Anti–Malware and Breach / Cyber Security Incident Recovery sections below for important details. 

We assist in setting up training, but Customer, through a “training contact” designated by Customer, runs training: 

• Online, on-demand training videos (multi-lingual). 
• Online, on-demand quizzes to verify employee retention of training content. 

Please see Anti-Virus; Anti-Malware and Breach / Cyber Security Incident Recovery sections below for important details. 

• Provide a FIPS 140-2 compliant firewall configured for your organization’s specific bandwidth, remote access, and user needs.  
• Helps to prevent hackers from accessing internal network(s) from outside the network(s), while providing secure and encrypted remote network access; provides antivirus scanning for all traffic entering and leaving the managed network; provides website content filtering functionality. 
• Firewall appliance is subject to “Hardware as a Service” terms and conditions located in this Guide. 
• Firewall appliance must be returned to WheelHouse IT upon the termination of service. Client will be responsible for missing or damaged (normal wear and tear excepted) appliance. 

• Monitors, updates (software/firmware), and supports Client-supplied firewall appliance. 
• Helps to prevent hackers from accessing internal network(s) from outside the network(s), while providing secure and encrypted remote network access; provides antivirus scanning for all traffic entering and leaving the managed network; provides website content filtering functionality. 

• Scope. Provision and deployment of hardware and devices listed in the Quote or other applicable schedule (“HaaS Equipment”). 

• Deployment. We will deploy the HaaS Equipment within the timeframe stated in the Quote, provided that you promptly provide all information and physical access to your facilities that we reasonably request from you to complete deployment.  This deployment guaranty does not apply to any software, other managed services, or hardware devices other than the HaaS Equipment. If you wish to delay the deployment of the HaaS Equipment, then you may do so if you give us written notice of your election to delay no later than five (5) days following the date you sign the Quote.  Deployment shall not extend beyond two (2) months following the date on which you sign the Quote.  You will be charged at the full monthly recurring fees for the HaaS-related services during the period of delay, unless the delay is caused by WheelHouse IT.  Following deployment, we will charge you the full monthly recurring fee (plus other usage fees as applicable) for the full term indicated in the Quote. 

• Repair/replacement of HaaS Equipment. WheelHouse IT will repair or replace HaaS Equipment by the end of the business day following the business day on which the applicable problem is identified by, or reported to, WheelHouse ITand has been determined by WheelHouse IT to be incapable of being remediated remotely, provided that you promptly provide all information and physical access to your facilities that we reasonably request from you to complete deployment.  

This warranty does not include the time required to rebuild your system, such as the time required to configure a replacement device, rebuild a RAID array, reload the operating system, reload and configure applications, and/or restore from backup (if necessary).  

• Technical Support for HaaS Equipment. We will provide technical support for HaaS Equipment in accordance with the Service Levels listed in this Services Guide. 

• In-Warranty Repair. WheelHouse IT will repair or replace HaaS Equipment by the end of the business day following the business day on which the applicable problem is identified by, or reported to, WheelHouse IT and has been determined by WheelHouse IT to be incapable of being remediated remotely.  

• Periodic Replacement of HaaS Equipment.  From time to time and in our discretion, we may decide to swap out older HaaS Equipment for updated or newer equipment.  (Generally, equipment that is five years old or older may be appropriate for replacement).  If we elect to swap out HaaS Equipment due to normal, periodic replacement, then we will notify you of the situation and arrange a mutually convenient time for such activity. 
• Usage. You will use all HaaS Equipment for your internal business purposes only.  You shall not sublease, sublicense, rent or otherwise make the HaaS Equipment available to any third party without our prior written consent.  You agree to refrain from using the HaaS Equipment in a manner that unreasonably or materially interferes with our other hosted equipment or hardware, or in a manner that disrupts or that is likely to disrupt the services that we provide to our other clientele.  We reserve the right to throttle or suspend your access and/or use of the HaaS Equipment if we believe, in our sole but reasonable judgment, that your use of the HaaS Equipment violates the terms of the Quote, this Services Guide, or the Agreement. 

• Credits/Remedies. If WheelHouse IT fails to meet the warranties in this section and the failure materially and adversely affects your hosted environment, you are entitled to a credit in the amount of 5% of the monthly fee per hour of downtime (after the initial one (1) hour allocated to problem identification), up to 100% of your monthly fee for the affected HaaS Equipment.  In no event shall a credit exceed 100% of the applicable month’s monthly fee for the affected equipment. 
• Return of HaaS Equipment. Unless we expressly direct you to do so, you shall not remove or disable, or attempt to remove or disable, any software agents that we installed in the HaaS Equipment.  Doing so could result in network vulnerabilities and/or the continuation of license fees for the software agents for which you will be responsible, and/or the requirement that we remediate the situation at our then-current hourly rates, for which you will also be responsible.  Within ten (10) days after the termination of HaaS-related Services, Client will provide WheelHouse IT access to the premises at which the HaaS Equipment is located so that all such equipment may be retrieved and removed by us.  If you fail to provide us with timely access to the HaaS Equipment or if the equipment is returned to us damaged (normal wear and tear excepted), then we will have the right to charge you, and you hereby agree to pay, the replacement value of all such unreturned or damaged equipment. Moreover, if you fail to return any HaaS Equipment as required, we may nevertheless terminate remote management of that equipment, which may cause the failure of that equipment as well as the failure of systems or networks attached to the HaaS Equipment. 

When we refer to such labor charges in an Order, it includes all labor charges for setup of new workstations, or replacement of existing workstations in our offices, and, unless otherwise stated in the Order, remote installation of the workstations with your on-site assistance.  

• Labor covers: 

• • New computers / additional computers added during the term of the Quote; 
  • Replacement of existing computers that are four (4) or more years old (as determined by the manufacturer’s serial number records); 
  • Replacement of existing computers that have been lost/stolen or irreparably damaged and/or are out of warranty but not yet four years old; 
  • Operating systems upgrades – subject to hardware compatibility. 

The following restrictions apply: 

• Upgrades or installs of new or replacement computers are limited to four (4) devices per month unless otherwise approved in advance by WheelHouse IT; 
• This service is not available for used or remanufactured computers; and, 
• New/replacement computers must be business-grade machines (not home) from a major manufacturer like Dell, Hewlett Packard Enterprise, or Lenovo. 

• 24×7 Managed network detection and response. 
• Real time and continuous (24×7) monitoring and threat hunting. 
• Real time threat response. 
• Alerts handled in accordance with our Alert Notification table, below. 
• Security reports, such as privileged activities, security events, and network reports, available upon request. 
• 24x7x365 access to a security team for incident response* 

* Remediation services provided on a time and materials basis.  Please see Anti-Virus; Anti-Malware and Breach / Cyber Security Incident Recovery sections below for important details.  

• Perform, or cooperate or facilitate the performance by an independent service provider, a cybersecurity assessment under NIST CSF using the NIST Risk Management Framework & NIST 800-53. 
• Identifies how Client currently assesses, mitigates, and tracks its cybersecurity requirements. 
• Identifies authorized and unauthorized devices in the managed network. 
• Identifies gaps or deficiencies in the Client’s operations that would prevent compliance under NIST CSF.

The assessment will cover the following five core areas of the NIST framework: 

The results of the assessment will be provided in a report that will identify detected risks and your organization’s current maturity levels (i.e., indicators that represent the level of capabilities within your organization’s security program) and will propose actionable activities to help increase relevant maturity levels and augment your organization’s security posture.  

Please Note: This service is limited to an assessment/audit only. Remediation of issues discovered during the assessment, as well as additional solutions required to bring your managed environment into compliance, are not part of this service.  After the audit is complete, we will discuss the results with you to determine what steps, if any, are needed to bring your organization into full compliance. 

• Password Vault: Securely store and organize passwords in a secure digital location accessed through your browser or an app. 

• Password Generation: Generate secure passwords with editable options to meet specific criteria. 

• Financial Information Vault: Securely store and organize financial information such as bank accounts and credit card information in a secure digital location accessed through your browser or an app. 

• Contact Information Vault: Store private addresses and personal contact information within your vault accessed through your browser or an app. 

• Single Sign-On: Single sign-on grants authorized employees or users access to applications with a single set of login credentials, based on a user’s identity and permission levels. Single sign-on relies on SAML (Security Assertion Markup Language), a secure, behind-the-scenes protocol, to authenticate users to cloud, mobile, legacy, and on-premise apps. 

• Browser App: Browser extension permits easy access to all of your information including the vaults, financial information, contact information, and single sign-on through the app.  

• Smart-Phone App:  Mobile phone app enables access to your vault and stored information on your mobile device. 

External Pen Testing: exposes vulnerabilities in your internet-facing systems, networks, firewalls, devices, and/or web applications that could lead to unauthorized access. 

Internal Pen Testing: Validates the effort required for an attacker to overcome and exploit your internal security infrastructure after access is gained. 

PCI Pen Testing: Using the goals set by the PCI Security Standards Council, this test involves both external and internal pen testing methodologies. 

Web App Pen Testing: Application security testing using attempted infiltration through a website or web application utilizing PTES and the OWASP standard testing checklist.  

Please see additional terms for Penetration Testing below. 

• Remote support provided during normal business hours for managed devices and covered software 
• Tiered-level support provides a smooth escalation process and helps to ensure effective solutions. 

• Configuration, monitoring, and preventative maintenance services provided for the managed IT infrastructure 
• If remote efforts are unsuccessful, thenWheelHouse IT will dispatch a technician to the Client’s premises to resolve covered incidents (timing of onsite support is subject to technician availability and scheduling) 

Software agents installed in Covered Equipment (defined below) report status and IT-related events on a 24×7 basis; alerts are generated and responded to by Wheelhouse IT.   

• Includes capacity monitoring, alerting us to severely decreased or low disk capacity (covers standard fixed HDD partitions, not external devices such as USB or mapped drives) 
• Includes routine operating system inspection and cleansing to help ensure that disk space is increased before space-related issues occur. 

In addition to the above, our remote monitoring and management service will be provided as follows:  

YES=depending on availability and practicality. 

The SIEM service utilizes threat intelligence to detect threats that can exploit potential vulnerabilities against your managed network. 

• Initial Assessment.  Prior to implementing the SIEM service, we will perform an initial assessment of the managed network at your premises to define the scope of the devices/network to be monitored (the “Initial Assessment”).   

• Monitoring. The SIEM service detects threats from external facing attacks as well as potential insider threats and attacks occurring inside the monitored network. Threats are correlated against known baselines to determine the severity of the attack.  

• Alerts & Analysis.  Threats are reviewed and analyzed by third-party human analysts to determine true/false positive dispositions and actionability. If it is determined that the threat was generated from an actual security-related or operationally deviating event (an “Event”), then you will be notified of that Event.  

Events are triggered when conditions on the monitored system meet or exceed predefined criteria (the “Criteria”). Since the Criteria are established and optimized over time, the first thirty (30) days after deployment of the SIEM services will be used to identify a baseline of the Client’s environment and user behavior.  During this initial thirty (30) day period, Client may experience some “false positives” or, alternatively, during this period not all anomalous activities may be detected.   

Note: The SIEM service is a monitoring and alert-based system only; remediation of detected or actual threats are not within the scope of this service and may require Client to retain WheelHouse IT’s services on a time and materials basis. 

• Software agents installed in covered servers report status and IT-related events on a 24×7 basis; alerts are generated and responded to by Wheelhouse IT.  
• Online status monitoring, alerting us to potential failures or outages 
• Capacity monitoring, alerting us to severely decreased or low disk capacity (covers standard fixed HDD and SSD partitions, not external devices such as USB or mapped network drives) 
• Endpoint protection agent monitoring, alerting us to potential security vulnerabilities 
• Routine operating system inspection and cleansing 
• Secure remote connectivity to the server and collaborative screen sharing 
• Review and installation of updates and patches for Windows and supported software 
• Asset inventory and server information collection 

• Advanced two factor authentication with advanced admin features. 
• Enhances security of on-premises and cloud-based applications. 

Primary endpoint security layer. Software agents installed in covered server devices protect against malware and prevents intruder access. Used in coordination with other endpoint security layers and security solutions to form a comprehensive defense strategy. 

• Next-generation deep learning malware detection, file scanning, and live protection for Server OS 
• Web access security and control, application security and control, intrusion prevention system 
• Data loss prevention, exploit prevention, malicious traffic detection, disk and boot record protection 

All software (including software installed on HaaS Equipment) and software as a service provided to you by or through WheelHouse IT is licensed, not sold, to you by a Third Party Provider (“Software”).  In addition to any Software-related requirements described in the MSA, software may also be subject to end user license agreements (EULAs), acceptable use policies (AUPs), and other restrictions all of which must be strictly followed by you and any of your authorized users. 

When installing/implementing software licenses in the managed environment or as part of the Services, we may accept (and you agree that we may accept) any required EULAs or AUPs on your behalf. You should assume that all Software has an applicable EULA and/or AUP to which your authorized users and you must adhere. If you have any questions or require a copy of the EULA or AUP, please contact us.  

Updates and patching varies by the type of hardware, operating systems and installed software, but may include: 

• Remotely deploy updates (e.g., x.1 to x.2), as well as bug fixes, minor enhancements, and security updates as deemed necessary on managed hardware. 
• Perform minor hardware and software installations and upgrades of managed hardware. 
• Perform minor installations (i.e., tasks that can be performed remotely and typically take less than thirty (30) minutes to complete). 
• Deploy, manage, and monitor the installation of approved service packs, security updates and firmware updates as deemed necessary on all applicable managed hardware. 
• Review and installation of updates and patches for supported software  

• Scalable VoIP-based telephone service with call transferring, voicemail, caller ID, call hold, conference calling, and call waiting functionalities. 
• Central control panel provides access to VoIP-related configurations, including physical address registration, call routing, updating greetings, and ability to turn on/off service features. 
• Ability to use mobile app dialing  

Important: There are additional terms related to the VoIP service, including your use of E911 features, toward the end of this Services Guide.  Please read them carefully.  You may be required to sign an additional consent form indicating your understanding and acceptance of the limitations of 911 dialing using the VoIP services. 

We or our designated Third Party Provider will provide sufficient space and bandwidth to host your designated website (“Website”) which, except for Scheduled Downtime or force majeure events, will be available on a 24×7 basis. The Website will be hosted on a server that may be shared between many customers; however, the Website will be given a unique address (DNS). 

• Migration of Servers.  As a normal course of business, we or our Third Party Provider, as applicable, may migrate the servers on which the Website is hosted.  This process will not interfere with the Hosting Services, however, due to the potential for migration, you are not guaranteed a permanent or dedicated IP address. 
• Administration.  You will be provided with access to a dashboard through which you may make configuration adjustments to the hosted environment; however, we strongly advise you to refrain from making changes to the hosted environment without our guidance or direction.  We will not be responsible for remediating issues caused by your adjustments to the hosted environment unless those adjustments were made pursuant to our written directions or under our supervision. 
• Resource/Load Balancing. The bandwidth made available to your website may be shared and allocated among all of our customers.  You must comply with all bandwidth and WheelHouse IT-imposed limitations on the hosting services as established by WheelHouse IT from time to time. We reserve the right to load-balance applicable bandwidth to ensure that your activity will not restrict, inhibit, or diminish any other user’s use of the bandwidth or create an unusually large burden on the bandwidth.  We reserve the right to restrict your access to your hosted website in the event that your activities create a disproportionate burden on our network or our Third Party Providers’ networks (if applicable), or any other crucial resources reasonably needed to ensure the functionality, integrity, and/or security of the hosting services. 
• Backup.  Data in the hosted environment will be backed up daily (“Standard Backup Service”); however, the Standard Backup Service is not, and should not be regarded as, a backup and disaster recovery solution. Although the Standard Backup Service is a part of the hosting services, it is only a basic backup service, and it does not provide data integrity verification services or other advanced backup or recovery options.  We strongly recommend that you implement a separate backup and disaster recovery solution to protect the security and integrity of, and accessibility to, the data in the hosted environment. 
• Storage and Security. We and/or our Third Party Providers will take reasonable steps to prevent unauthorized access to the Website and the hosted environment; however, you understand and agree that no security solution is 100% effective, and we do not warrant or guarantee that the hosted environment will be free from unauthorized access or malware at all times.   
• Domain Names.   For an additional fee, we can manage your domain name registrations. 

Client, as well as any visitors to the Website, must comply with our Acceptable Use Policy which is located at the end of this Services Guide. 

• WheelHouse IT will install at the Client’s premises Wireless Access Points with such bandwidth and coverage stated in the Order. 
• WheelHouse IT will maintain, supervise, and manage the wireless system at no additional cost.  
• Installed equipment, if provided by WheelHouse IT, will be compatible with the then-current industry standards.  
• WheelHouse IT will provide remote support services during normal business hours to assist with device connectivity issues. (Support services will be provided on a “best efforts” basis only, and Client understands that some end-user devices may not connect to the wireless network, or they may connect but not perform well).  

Please note: Any Wi-Fi devices, such as access points or routers, that are supplied by Client cannot be older than five (5) years from the applicable device’s original date of manufacture, and in all cases must be supported by the manufacturer of the device(s). 

Primary endpoint security layer. Software agents installed in covered devices protect against malware and prevent intruder access. Used in coordination with other endpoint security layers and security solutions to create a comprehensive defensive strategy. 

• Next-generation deep learning malware detection, file scanning, and live protection for Workstation OS. 
• Web access security and control, application security and control, intrusion prevention system. 
• Data loss prevention, exploit prevention, malicious traffic detection, disk, and boot record protection. 

Software agents installed in covered workstations report status and IT-related events on a 24×7 basis; alerts are generated and responded to by Wheelhouse IT. 

• Online status monitoring, alerting us to potential failures or outages. 
• Capacity monitoring, alerting us to severely decreased or low disk capacity (covers standard fixed HDD and SSD partitions, not external devices such as USB or mapped network drives). 
• Performance monitoring, alerting us to unusual processor or memory usage. 
• Endpoint protection agent monitoring, alerting us to potential security vulnerabilities. 
• Routine operating system inspection and cleansing.  
• Secure remote connectivity to the workstation and collaborative screen sharing. 
• Review and installation of updates and patches for Windows and supported software. 
• Asset inventory and workstation information collection.