CDA.Security, LLC Master Services Agreement

Version 1.0

Effective Date: 2026-01-01

PLEASE READ THIS MASTER SERVICES AGREEMENT ("AGREEMENT") CAREFULLY. THIS AGREEMENT GOVERNS YOUR PURCHASE AND USE OF SERVICES FROM CDA.SECURITY, LLC.

BY CLICKING "I ACCEPT," COMPLETING THE PURCHASE PROCESS, OR USING ANY SERVICES PROVIDED BY CDA.SECURITY, LLC, YOU, ON BEHALF OF THE ENTITY YOU REPRESENT ("CUSTOMER"), AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. YOU REPRESENT AND WARRANT THAT YOU HAVE THE FULL LEGAL AUTHORITY TO BIND THE CUSTOMER TO THIS AGREEMENT. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.

This Master Services Agreement ("Agreement") is made between CDA.Security, LLC, a North Carolina, Service-Disabled Veteran-Owned Small Business (“SDVOSB”) and limited liability company ("CDA.Security"), and the entity purchasing Services ("Customer").

1. Definitions

1.1. "Active Operations" means Services that intentionally attempt to compromise the security of Customer Systems.

1.2. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

1.3. "Agreement" means this Master Services Agreement, including all Addendums and all Incorporated Documents.

1.4. "Confidential Information" means all information disclosed by a party ("Disclosing Party") to the other party ("Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.

1.5. "Customer Data" means any data, information, or material provided or submitted by Customer to the Services or collected or processed on behalf of Customer through the use of the Services.

1.6. "Customer Systems" means the information technology infrastructure, including but not limited to networks, systems, applications, and endpoints, that are owned, operated, or controlled by Customer and are designated by Customer as the subject of the Services in a Mission Order. Customer represents and warrants that it has the full and necessary authority to grant CDA.Security access to all systems designated as Customer Systems. Customer Systems do not include systems, platforms, or environments owned or controlled by third parties unless expressly identified in the applicable Mission Order and accompanied by documented authorization from the relevant third party.

1.7. "Deliverables" means the reports, findings, and other work product specified in a Mission Order to be delivered by CDA.Security to Customer.

1.8. "Incorporated Documents" means the Mission Order Framework, Acceptable Use & Security Policy, AI & Automation Disclosure, and Services Privacy Policy, each as may be updated from time to time in accordance with Section 2.2.

1.9. "Intellectual Property Rights" means unpatented inventions, patent applications, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, know-how, and other trade secret rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world.

1.10. "Mission Order" means a document, executed via CDA.Security's online purchasing portal, that specifies the Services to be provided by CDA.Security, including the scope, duration, fees, and any specific parameters. Each Mission Order is governed by and incorporates this Agreement.

1.11. "Services" means the professional cybersecurity services provided by CDA.Security to Customer as described in a Mission Order.

1.12. "Tools" means the software, hardware, methodologies, processes, and other tools used by CDA.Security to provide the Services.

1.13. “Total Remuneration” means the total economic value paid or payable to an individual in connection with services performed for a party, including without limitation profit participation, revenue share, incentive compensation, fees, bonuses, draws, commissions, or other variable or contingent compensation, whether or not fixed, guaranteed, or annually denominated.

2. Incorporated Documents & Order of Precedence

2.1. Incorporation by Reference. The following documents are hereby incorporated by reference into this Agreement and are legally binding:

1. Acceptable Use & Security Policy;
2. AI & Automation Disclosure;
3. Mission Order Framework; and
4. Services Privacy Policy.

2.2. Updates to Incorporated Documents. CDA.Security may update the Incorporated Documents from time to time. CDA.Security will provide Customer with at least 30 days' prior written notice of any material changes. Continued use of the Services after the effective date of such changes will constitute Customer's acceptance of the changes.2.3. Order of Precedence. In the event of a conflict between the terms of these documents, the order of precedence will be:

1. The applicable Mission Order (for that specific mission only);
2. The Addendums to this Agreement;
3. This Master Services Agreement; and
4. The Incorporated Documents.

3. Services & Responsibilities

3.1. Performance. CDA.Security will perform the Services described in each Mission Order in a professional and workmanlike manner.

3.2. Customer Cooperation. Customer will provide CDA.Security with timely access to relevant personnel, information, and Customer Systems as reasonably required for the performance of the Services. Customer is solely responsible for securing all necessary rights, permissions, and authorizations for CDA.Security to access and operate within the Customer Systems as required by the applicable Mission Order.

3.3. Customer Acknowledgment of Risk. Customer acknowledges that the Services may involve actions that could disrupt or impact Customer Systems. Customer retains sole responsibility for the decision to authorize such actions and for implementing appropriate safeguards, such as data backups.

3.4. Independent Contractor. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.

3.5. No Implied Flow-Down; No Subcontract Status.
Except as expressly agreed in a separate written agreement executed by CDA.Security, Customer acknowledges and agrees that:

1. CDA.Security does not accept, and shall not be deemed to have accepted, any obligations, requirements, representations, certifications, or flow-down provisions arising from Customer’s agreements with third parties, including without limitation prime contracts, government contracts, or end-customer agreements;
2. No such third-party terms shall apply to CDA.Security by reference, pass-through, operation of law, or otherwise; and
3. CDA.Security shall not be considered a subcontractor, teaming partner, joint venturer, or participant in any government procurement or regulated engagement unless expressly designated as such in a separate written agreement.

Any flow-down, pass-through, or subcontracting obligations shall apply only if explicitly identified and affirmatively accepted in writing by CDA.Security, and only to the extent expressly stated therein.4. Fees & Payment

4.1. Fees. Customer will pay all fees specified in the applicable Mission Order. All fees are non-refundable and are quoted and payable in United States dollars.

4.2. Payment. Fees are due in full upon acceptance of the Mission Order and prior to the commencement of Services, unless otherwise specified in the Mission Order.

4.3. Taxes. Fees do not include any taxes, levies, duties, or similar governmental assessments of any nature. Customer is responsible for paying all taxes associated with its purchases hereunder.

5. Intellectual Property

5.1. CDA.Security IP. CDA.Security retains all right, title, and interest in and to its Tools, methodologies, and all related Intellectual Property Rights. No license is granted to Customer for any CDA.Security Tools.

5.2. Deliverables. Subject to Customer's payment of all fees, CDA.Security grants Customer a worldwide, perpetual, non-exclusive, non-transferable, royalty-free license to use the Deliverables for its internal business purposes. Customer is solely responsible for compliance with applicable export control laws governing its use or distribution of Deliverables.

5.3. Customer Data. Customer grants CDA.Security a worldwide, non-exclusive, royalty-free license to use and reproduce Customer Data solely to the extent necessary to provide the Services.

6. Confidentiality

6.1. Obligations. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement and except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein.

6.2. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.

7. Indemnification

7.1. Indemnification by CDA.Security. CDA.Security will defend Customer against any claim, demand, suit, or proceeding made or brought against Customer by a third party alleging that the Services, as provided by CDA.Security, infringe or misappropriate such third party’s intellectual property rights, and will indemnify Customer from any damages finally awarded against Customer as a result of, and for reasonable attorney’s fees incurred by Customer in connection with, any such claim. This indemnification obligation does not apply to the extent a claim arises from Customer Data, Customer-provided instructions, or Customer-directed use of the Services outside the scope of the applicable Mission Order.

7.2. Indemnification by Customer. Customer will defend CDA.Security against any claim, demand, suit, or proceeding made or brought against CDA.Security by a third party arising from or related to:

1. Customer Data;
2. Customer's breach of its representations and warranties;
3. Any activities conducted by CDA.Security within Customer Systems at Customer's direction and authorization as part of the Services. Customer will indemnify CDA.Security from any damages finally awarded against CDA.Security as a result of, and for reasonable attorney’s fees incurred by CDA.Security in connection with, any such claim; and
4. This indemnification obligation extends to claims arising from actions authorized under the Addendums and Incorporated Documents in this Agreement.

Customer’s indemnification obligations do not apply to the extent a claim arises from CDA.Security’s gross negligence or willful misconduct.

8. Limitation of Liability

8.1. Exclusion of Consequential Damages. IN NO EVENT WILL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, REVENUES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT, AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

8.2. Liability Cap. IN NO EVENT WILL THE AGGREGATE LIABILITY OF CDA.SECURITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER HEREUNDER FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE 12 MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE.

The foregoing limitations do not apply to liability arising from a party’s gross negligence or willful misconduct.

8.3. Acknowledgment. The parties acknowledge that the limitations of liability in this Section 8 and in the other provisions of this Agreement and the allocation of risk herein are essential elements of the bargain between the parties, without which CDA.Security would not have entered into this Agreement.

9. Term & Termination

9.1. Term. This Agreement commences on the date Customer first accepts it and continues until all Mission Orders have expired or have been terminated.

9.2. Termination for Cause. A party may terminate this Agreement for cause:

1. Upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period; or
2. If the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

9.3. Suspension of Services. CDA.Security may immediately suspend Services if it believes, in its reasonable judgment, that Customer's use of the Services poses a security risk, may adversely impact the Services or systems of CDA.Security or other customers, or violates applicable law or this Agreement. CDA.Security will provide notice of suspension and an opportunity to cure, where practicable.

9.4. Survival. Sections 5, 6, 7, 8, and 10 will survive any termination or expiration of this Agreement.

10. General Provisions

10.1. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of North Carolina and the United States of America, without regard to its conflict of laws principles. The parties agree that this governing law selection reflects CDA.Security’s state of formation and principal place of business, and bears a reasonable relationship to the Services. Except as expressly required by law or agreed in writing, Customer has no audit or inspection rights with respect to CDA.Security’s systems, tools, or internal controls.

10.2. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld).

10.3. Entire Agreement. This Agreement, including all Addendums and Incorporated Documents, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.

10.4. Notices. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.

10.5. Waiver. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.

10.6. No Reliance. Customer acknowledges that it has not relied on any representations, statements, or assurances other than those expressly set forth in this Agreement.

10.7. Force Majeure.
Neither party will be liable for any failure or delay in performance due to events beyond its reasonable control, including acts of God, war, terrorism, labor disputes, governmental actions, internet or cloud service provider failures, or utility outages, provided that the affected party uses commercially reasonable efforts to resume performance.