Terms and Conditions
Neuron Computer Services, LLC
453 S Spring St, Ste 400, PMB 437, Los Angeles, CA 90013
Phone: (909) 418-1410
These Terms and Conditions ("T&C") accompany and supplement the Master Services Agreement ("MSA") between Neuron Computer Services, LLC ("Provider") and the entity or individual doing business with Provider ("Client"). Every capitalized term that is not defined here carries the meaning assigned to it in the MSA. Client becomes bound by these Terms and Conditions through the same acceptance-by-conduct mechanism described in the MSA — namely, by paying any Provider invoice, using any Provider service, or granting Provider access to any Client system.
These Terms and Conditions lay out the operational guardrails, data-stewardship commitments, information-security practices, and regulatory-compliance frameworks that shape the Parties' working relationship. Provider may revise these Terms and Conditions by giving Client at least thirty (30) days' advance written notice; Client's continued engagement with Provider after the revision date signals acceptance of the updated version.
Part I — How Managed Services Work
1.1 Quality Benchmark
Provider delivers its services in line with the competence and diligence that a knowledgeable managed-IT firm would bring to comparable engagements involving small and mid-sized organizations. Provider staffs each engagement with appropriately skilled personnel and operates internal quality checks intended to keep output consistent.
1.2 Availability Windows
Routine support runs Monday through Friday, 8:00 a.m. to 5:00 p.m. Pacific Time, except for federal holidays that Provider observes. Clients on a managed-services plan that includes emergency coverage may reach Provider's on-call team outside those hours for issues classified as critical. Any specific response-time commitments are documented in the relevant Engagement scope.
1.3 Remote vs. On-Site Work
Remote assistance is Provider's default delivery channel. If a situation calls for hands-on work at Client's location, Provider will send personnel as outlined in the Engagement scope, or — if on-site visits were not pre-arranged — at Provider's prevailing hourly field rates plus reasonable travel costs. Provider's practice is to exhaust remote options before dispatching someone in person.
1.4 Hardware Buying and Ownership
When an Engagement includes hardware sourcing, Provider handles the procurement, configuration, and delivery. Ownership of the equipment transfers to Client the moment Client's payment clears in full. Provider's support responsibilities for Client-owned gear are limited to whatever management and maintenance the Engagement covers; Provider passes through all manufacturer warranties and does not make independent guarantees about third-party hardware performance or longevity.
1.5 Software License Administration
Any software license that Provider acquires on Client's behalf is Client's license to maintain. Client is the licensee on record and must honor the publisher's terms. Provider advises on licensing matters as part of its consulting function but accepts no liability for Client's licensing shortfalls; Client will hold Provider harmless against any claims arising from improper or insufficient licensing.
1.6 Administrative Password Handling
Provider keeps secure custody of the administrative passwords needed to manage the Client Infrastructure. Client recognizes that uninterrupted credential access is essential to Provider's work. When an Engagement ends, Provider will hand off all Client-related credentials within thirty (30) days, organized in a commercially useful format, to Client or Client's designated successor.
1.7 How Changes Get Implemented
Provider follows structured change-control practices when modifying the Client Infrastructure — applying patches, upgrading firmware, adjusting configurations, and the like. Planned changes that Provider expects to cause noticeable disruption are scheduled during mutually convenient maintenance windows whenever practicable. If an active security threat or critical system failure demands immediate action, Provider may implement changes without advance scheduling.
1.8 Keeping Data Safe and Recoverable
When an Engagement covers backup or disaster-recovery services, Provider sets up, monitors, and periodically tests backup systems against the recovery goals defined in the Engagement scope. Provider alerts Client promptly whenever a backup job fails in a way that jeopardizes Client Data integrity. Even so, Client retains ultimate responsibility for protecting its own data to the degree appropriate for its business, and should not rely exclusively on Provider's backup services as its sole safeguard.
Part II — Rules for Using Provider-Managed Systems
This section establishes the ground rules for every person and device that touches a system, network, or account that Provider manages and constitutes the Acceptable Use Policy referenced in Section 7.4 of the MSA. Any standalone version of the Acceptable Use Policy published on Provider's website is intended to be identical in substance to this Part II; in the event of any discrepancy, this Part II controls. Breaking these rules can lead to service suspension or termination.
2.1 Off-Limits Activities
No Client or Authorized User may use any Provider-managed resource to:
- Carry out any action that would breach a federal, state, municipal, or international statute or regulation.
- Store, move, or broadcast material that is illegal, menacing, libelous, obscene, deceptive, or that invades another person's privacy.
- Introduce viruses, ransomware, spyware, trojans, worms, or any other code designed to damage, surveil, or commandeer a system.
- Probe, break into, or try to reach any computer, account, or dataset that the user is not authorized to access — whether or not Provider manages the target system.
- Overwhelm or destabilize any network or server through deliberate overloading, traffic floods, or resource-exhaustion techniques.
- Blast unsolicited commercial messages in contravention of the CAN-SPAM Act, the Telephone Consumer Protection Act, or any analogous rule.
- Falsify message headers, network-packet origins, or any other identifying metadata, or pretend to be someone else online.
- Run cryptocurrency mining, hash-cracking, or other computationally heavy workloads on Provider-managed systems unless Provider has given explicit written permission.
- Tamper with, deactivate, or work around any security control, access gate, or usage cap that Provider has put in place.
- Copy, share, or alter copyrighted or trademarked material without proper authorization from the rights holder.
2.2 Email and Messaging Standards
All electronic correspondence routed through Provider-managed mail systems must conform to applicable law. Client will not use those systems to send commercial solicitations without the recipient's prior opt-in, to mislead recipients through deceptive subject lines or sender fields, or to omit a working unsubscribe link when one is legally required.
2.3 No Unauthorized Testing
Client may not perform — or allow anyone to perform — any penetration test, vulnerability scan, load test, or analogous security probe against any Provider-managed environment without getting Provider's express written go-ahead in advance. Approved tests must be coordinated with Provider to avoid collateral disruption.
2.4 How Provider Enforces These Rules
If Provider has reasonable grounds to believe that a rule violation has occurred or is about to occur, Provider may, without incurring liability: (i) restrict or freeze access to the relevant resources; (ii) take offending content offline; (iii) alert law enforcement as appropriate; and (iv) terminate the relationship per the MSA. Provider will make a good-faith effort to warn Client before acting, unless the situation demands immediate intervention to protect Provider's infrastructure or other clients.
2.5 Duty to Report Misuse
Client must inform Provider as soon as it becomes aware of any actual or suspected policy breach by an Authorized User or by a third party using Client's credentials. Client will cooperate fully with Provider's investigation and cleanup efforts.
Part III — When Security Incidents Happen
Provider operates a standing security-incident management program designed to detect threats quickly, contain damage, eliminate root causes, and restore normal operations. Here is how it works.
3.1 How Provider Categorizes Incidents
| Level | What It Looks Like | Provider's Target |
|---|---|---|
| Critical | Live data exfiltration, ransomware actively encrypting files, full system takeover, or imminent risk of massive data loss. | Mobilize within 60 minutes |
| Elevated | Confirmed unauthorized access with limited blast radius, active exploit of a known weakness, major service disruption, or strong indicators that an attacker is inside the perimeter. | Mobilize within 4 hours |
| Moderate | Unusual behavior under investigation, a single endpoint flagging malware, internal policy breaches with possible security implications, or blocked intrusion attempts accompanied by evidence of ongoing reconnaissance. | Begin investigation within 24 hours |
| Low / Informational | Routine security alerts, minor policy deviations, newly published vulnerability advisories, or housekeeping events that need documentation but not emergency action. | Log and assess within 72 hours |
3.2 Who Responds
Provider maintains a dedicated incident-management group that includes, at minimum, a lead coordinator empowered to direct response activities and allocate resources, hands-on technical staff responsible for forensic analysis and containment, and a communications point person who keeps Client informed throughout. When the scope of an incident exceeds in-house capabilities, Provider brings in vetted outside specialists.
3.3 Telling Client What Happened
When Provider confirms that a security event has actually compromised Client Data or breached the Client Infrastructure, Provider will contact Client's designated security representative within a timeframe commensurate with the severity and, at the latest, within seventy-two (72) hours of confirmation. The initial notice covers, to the extent then known: a description of what occurred, the categories of data potentially exposed, the steps Provider has taken or is planning, and what Client should consider doing on its end.
3.4 Digging Into the Root Cause
For any event classified as Critical or Elevated, Provider preserves all pertinent log files, system snapshots, and digital artifacts. When the incident touches personal data or data that triggers regulatory reporting duties, Provider works with Client to facilitate or conduct a deeper forensic review. Cost allocation for forensic work follows this principle: if Provider's failure to implement a security measure that this Agreement required was a proximate cause, Provider absorbs the expense; otherwise, the cost falls on Client, including any outside forensic firm that Client elects to retain.
3.5 Regulatory Filings
Deciding which regulators, affected individuals, or other stakeholders need to be notified is Client's call. Provider will supply whatever incident-specific data it holds that Client reasonably needs to meet its filing obligations, and will help Client draft notifications when asked. Provider will not issue any public statement about a Client-related incident without Client's written authorization, except where the law leaves Provider no choice.
3.6 Learning From Each Incident
After any Critical or Elevated incident is closed, Provider prepares a written debrief for Client covering: the most likely chain of events that led to the incident, a chronological account of how it was detected and handled, an inventory of affected systems and data, and a set of recommended improvements to reduce the chances of recurrence. Provider implements those improvements within a commercially reasonable period.
Part IV — How Provider Protects Information
Provider runs an enterprise-grade information-security program built around three pillars: organizational discipline, physical protections, and technology controls. Below is a summary of Provider's commitments.
4.1 Organizational Discipline
- At least one named individual inside Provider's organization is accountable for the overall health of the security program.
- Every candidate for a role that involves exposure to Client Data undergoes a background screening to the extent that applicable employment law permits.
- Provider's team receives recurring education on threat awareness, social engineering, phishing recognition, and secure handling of sensitive material.
- Access privileges follow a need-to-know model: each person can reach only the systems and datasets that their specific role demands.
- Provider conducts periodic threat-and-risk evaluations aimed at spotting gaps in its defenses and prioritizing corrective action.
4.2 Physical Protections
- Any Provider facility where Client Data is handled or stored has controlled entry that restricts casual or unauthorized physical access.
- When a storage device or piece of hardware that has held Client Data reaches end of life, Provider wipes or destroys it following recognized sanitization procedures (such as those outlined in NIST Special Publication 800-88 or a comparable standard).
- If Client Data resides in a third-party hosting facility, Provider selects providers that hold current SOC 2 Type II reports or an equivalent independent verification of their physical and logical controls.
4.3 Technology Controls
- Data moving between systems travels through encrypted channels using current-generation transport-layer security (no lower than TLS 1.2). Data sitting on disk is protected with strong symmetric encryption (AES-256 grade or better).
- Provider deploys and maintains network firewalls, intrusion-detection capabilities, and endpoint-protection agents across the infrastructure it manages.
- Vendor-issued security fixes are applied to Provider-managed systems on a prioritized cadence, with critical patches receiving the fastest turnaround.
- Provider retains system-access and activity logs for a minimum rolling window of ninety (90) days.
- Administrative portals and, where technically feasible, Client-facing portals require multi-factor authentication.
4.4 Personal-Device Rules for Provider Staff
Any Provider team member who touches Client Data from a personal laptop, tablet, or phone must comply with Provider's internal bring-your-own-device policy. At a minimum, the device must have full-disk encryption enabled, a locked screen secured by password or biometric, up-to-date operating-system patches, and the ability to be remotely wiped if lost or stolen. Provider does not dictate Client's own personal-device rules, though it may recommend such a policy as part of its advisory services.
4.5 Keeping Vendors Honest
Provider evaluates the security hygiene of every outside vendor that handles or warehouses Client Data, and insists on data-handling agreements with those vendors that are at least as stringent as the commitments in this document. Provider reviews key vendor practices on a recurring basis and will tell Client about any vendor security event that has a material bearing on Client Data.
Part V — Data-Handling Commitments
This section functions as the Data Processing Agreement ("DPA") between the Parties. It spells out how Provider handles personal and regulated data that flows through the Services, and it establishes each Party's duties under the data-protection statutes that apply to their relationship.
5.1 Who Does What
Under every applicable privacy law: Client acts as the entity that determines the purposes and methods of processing (the "business," "controller," or equivalent designation); Provider acts as the entity that processes data at Client's direction (the "service provider," "processor," or equivalent designation). The types of personal data involved, the reasons for processing, and the affected population are dictated by the nature of the Engagement.
5.2 Provider's Core Data-Handling Rules
Provider commits to the following baseline practices with respect to all personal data it handles on Client's behalf:
- Provider touches personal data only for the purpose of fulfilling its role under the MSA and only within the boundaries of Client's written directions, unless a law independently compels processing.
- Provider will never monetize, trade, or hand off personal data to unrelated parties.
- Provider operates a security program (summarized in Part IV) that is designed to shield personal data from unauthorized viewing, tampering, accidental loss, or destruction.
- Everyone on Provider's team who works with personal data is contractually obligated to keep it confidential.
- Within thirty (30) days after the Agreement concludes, Provider either sends back or wipes all personal data in its custody — Client's choice — unless a legal obligation forces Provider to hold onto it longer.
5.3 Working With Sub-Processors
Provider may delegate specific processing tasks to vetted sub-processors. Provider keeps an up-to-date roster of these sub-processors and gives Client at least thirty (30) days' heads-up before onboarding a new one. If Client raises a substantive data-protection objection to a proposed sub-processor, the Parties will work together in good faith to address the concern. Provider holds every sub-processor to data-protection commitments that mirror those in this section.
5.4 Helping With Individual Rights Requests
When someone whose data is being processed exercises a right granted by privacy law — such as the right to see, fix, erase, port, or restrict the use of their information — Provider gives Client the practical help it needs to respond on time. If Provider receives such a request directly from an individual, Provider redirects it to Client without delay (except where Provider has its own independent legal duty to respond).
5.5 What Happens When Personal Data Is Compromised
If Provider discovers a security event that has compromised personal data, Provider alerts Client without undue delay and no later than seventy-two (72) hours after confirming the breach. The initial alert covers, to the extent then ascertained: the character of the breach, a rough count and categorization of affected records and individuals, the anticipated fallout, and the mitigation steps Provider is pursuing.
5.6 Accountability and Auditing
At Client's reasonable written request (limited to once every twelve months), Provider will share enough information for Client to satisfy itself — or to demonstrate to a regulator — that Provider's data-handling practices conform to applicable law. Provider will cooperate with any supervisory-authority audit that relates to Provider's processing on Client's behalf, as long as Client provides reasonable advance notice and covers the out-of-pocket costs Provider incurs in helping. For Clients that have activated the HIPAA Business Associate Addendum (Part VI), the audit right under Section 6.7 of that addendum is satisfied by the audit conducted under this Section and does not create an additional annual audit entitlement.
5.7 Artificial Intelligence and Automated Processing Tools
Where Provider uses artificial-intelligence platforms, machine-learning models, or similar automated-processing tools (collectively, "AI Tools") in delivering the Services, the following additional commitments apply:
(a) Each third-party AI Tool through which Client Data is processed constitutes a sub-processor for purposes of Section 5.3, and Provider will include such AI Tools on its sub-processor roster and provide the advance notice required by that Section before onboarding a new AI Tool.
(b) Provider will not submit Client Data to any AI Tool whose terms of service permit the AI-tool vendor to use Client Data for model training, benchmarking, or product-improvement purposes, unless Client has given prior written consent to that specific use.
(c) For Engagements involving CUI, ITAR-controlled data, or data subject to the HIPAA Business Associate Addendum, Provider will not process such data through any AI Tool unless the AI Tool's data-handling practices satisfy the applicable regulatory requirements set forth in these Terms and Conditions, and Provider has confirmed in writing that the AI Tool's environment meets those requirements.
(d) The confidentiality obligations in Article 5 of the MSA apply to all Client Data processed through AI Tools, and Provider remains responsible for ensuring that third-party AI-tool vendors' terms of service do not conflict with those obligations.
5.8 California's Consumer Privacy Framework (CCPA / CPRA)
When Provider handles personal information governed by the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq., as strengthened by the California Privacy Rights Act), these additional commitments kick in:
- Provider operates in the capacity of a "service provider" under the CCPA. Provider does not keep, utilize, or reveal personal information for any objective beyond delivering the Services described in the MSA.
- Provider will not monetize personal information, transfer it for cross-context behavioral advertising, or pool it with data obtained from unrelated engagements — each of which the CCPA/CPRA prohibits for service providers.
- Provider assists Client in handling consumer demands to access, erase, correct, or opt out of certain uses of their data, and cooperates within the statutory deadlines.
- Provider affirms that it understands the boundaries the CCPA/CPRA places on service providers and pledges to operate within them.
- Client may take reasonable steps — including periodic check-ins and assessments — to satisfy itself that Provider's practices align with Client's own CCPA/CPRA duties.
5.9 Financial-Data Protections Under the Gramm-Leach-Bliley Act
If Client qualifies as a "financial institution" within the meaning of 15 U.S.C. §6801 et seq. and Provider handles nonpublic personal information ("NPI") on Client's behalf, Provider additionally commits to:
- Running a holistic information-security program that spans people, technology, and physical controls and that is calibrated to the sensitivity of the NPI at issue, consistent with what the FTC's Safeguards Rule (16 C.F.R. Part 314) expects of service providers.
- Confining NPI access to those team members whose job duties genuinely require it.
- Using NPI exclusively to perform the Services and not disclosing it to anyone outside the delivery chain unless Client directs otherwise or a law demands it.
- Immediately flagging any security event that touches NPI and collaborating with Client on containment and any mandatory regulatory reporting.
5.10 Defense and Export-Control Compliance (CMMC / CUI / NIST / ITAR)
When an Engagement involves information classified as Controlled Unclassified Information ("CUI") or data subject to the Cybersecurity Maturity Model Certification, the NIST 800-171 framework, DFARS clause 252.204-7012, or the International Traffic in Arms Regulations, the following supplemental duties apply:
- Provider configures and operates every system that touches CUI in conformance with the control families prescribed by NIST Special Publication 800-171 Revision 2 (or a later revision if the Engagement specifies one).
- Provider documents its security posture in a System Security Plan and tracks any open remediation items in a Plan of Action and Milestones. Client may request copies of both documents.
- If Provider detects a cyber event that has affected CUI, Provider notifies Client within seventy-two (72) hours so that Client can in turn report to the DoD Cyber Crime Center or other designated authority as federal procurement regulations require.
- CUI stays within the physical borders of the United States at all times. Provider will not move CUI offshore or grant access to it from outside the country without Client's advance written authorization.
- Where ITAR-controlled technical data is in play, Provider limits access to individuals who qualify as U.S. Persons under 22 C.F.R. §120.62 and will not export, re-export, or disclose such data to foreign nationals absent a valid State Department authorization.
- Provider backs Client's journey toward achieving or maintaining the applicable CMMC level by furnishing documentation, hosting assessment activities, and executing corrective measures identified during the assessment process.
5.11 Colorado's Privacy Act
For personal data of Colorado residents governed by C.R.S. §6-1-1301 et seq.:
- Provider handles data solely per Client's instructions and the purposes the MSA identifies.
- Provider lends operational support when Colorado consumers invoke their rights to view, fix, delete, transfer, or opt out of targeted advertising and profiling, and when Client conducts or responds to data-protection assessments the statute mandates.
- Provider furnishes Client, on reasonable request, with the evidence needed to show that the processing complies with the Colorado Privacy Act.
- Provider opens its practices to reasonable compliance checks by Client or Client's chosen auditor.
5.12 Connecticut's Data Privacy Statute
For personal data of Connecticut residents governed by Public Act No. 22-15:
- Provider follows Client's processing directives and confines its use of data to the parameters set out in the MSA.
- Provider supports Client in answering consumer-rights requests, carrying out privacy-impact studies, and maintaining data security.
- Every Provider team member who interacts with the data owes a contractual duty of secrecy.
- When Client directs it, Provider deletes or returns all relevant personal data once the Engagement concludes.
5.13 New York's SHIELD Act
For private information (as N.Y. Gen. Bus. Law §899-aa defines it) belonging to New York residents:
- Provider runs a program of sensible administrative, technical, and physical protections tailored to the nature and volume of the private information in question.
- One or more named Provider employees are charged with keeping the program current.
- Provider evaluates both internal and external threats to the private information and deploys countermeasures proportionate to the risks identified.
- If a "breach of the security of the system" (as the SHIELD Act uses that phrase) occurs, Provider tells Client immediately and cooperates with Client's notification obligations under §899-aa.
5.14 Virginia's Consumer Data Protection Statute
For personal data of Virginia residents governed by Va. Code §59.1-575 et seq.:
- Provider processes data only as Client instructs and within the framework the MSA establishes.
- Provider helps Client respond to consumer demands — including requests to access, fix, erase, export, or opt out of targeted ads, data sales, and profiling — and assists with any privacy-impact assessments Client undertakes.
- Confidentiality obligations bind every Provider team member who comes into contact with the data.
- On reasonable request, Provider furnishes Client with the documentation necessary to demonstrate VCDPA compliance.
5.15 Other State Privacy Laws
To the extent Client's personal data is governed by a state consumer privacy or data-protection statute not specifically enumerated in Sections 5.8 through 5.14 — including but not limited to the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, and any substantially similar statute enacted after the effective date of these Terms and Conditions — Provider will process such data in accordance with the general data-handling commitments set forth in Sections 5.1 through 5.6 and will cooperate with Client in meeting its compliance obligations under the applicable statute to the same extent contemplated by the enumerated state provisions above.
Part VI — HIPAA: Optional Healthcare-Data Addendum
This Part VI is a dormant addendum. It springs to life only when Client activates it by checking the box on an Engagement form or sending Provider a separate written activation notice. Until activated, this Part imposes no obligations on either Party.
6.1 Vocabulary
Within this addendum, "Protected Health Information" ("PHI"), "Electronic Protected Health Information" ("ePHI"), "Covered Entity," "Business Associate," "Designated Record Set," and every other HIPAA-specific term carry the meanings that the Health Insurance Portability and Accountability Act (together with the HITECH Act and the Privacy, Security, and Breach Notification regulations at 45 C.F.R. Parts 160 and 164) assigns to them, as those laws may be updated over time.
6.2 Permitted Handling of Health Data
Provider (operating as a Business Associate) will restrict its use and disclosure of PHI to what this addendum, the MSA, applicable law, or Client's written instructions authorize. Specifically, Provider may handle PHI to: (i) carry out the Services; (ii) satisfy a legal duty; (iii) run its own business operations, provided that any outside disclosure for this purpose is either compelled by law or accompanied by reasonable assurance from the recipient that confidentiality will be preserved; and (iv) aggregate or de-identify data, but only when Client has separately authorized that activity.
6.3 Keeping ePHI Secure
Provider will build and sustain a set of organizational, physical, and technological safeguards that offer reasonable protection for the confidentiality, integrity, and accessibility of ePHI. These safeguards will align with the benchmarks the HIPAA Security Rule establishes for entities in Provider's position.
6.4 Reporting a Breach of Health Data
If Provider identifies a Breach (as 45 C.F.R. §164.402 defines it) involving Unsecured PHI, Provider will notify Client no later than thirty (30) calendar days after discovery, or as soon as reasonably practicable if circumstances beyond Provider's control prevent notification within that period. Provider's report will cover, to the extent available: the identity of each affected individual, a narrative of what happened and when, a description of the PHI categories involved, suggested mitigation steps for affected individuals, and a summary of Provider's own investigative and corrective actions.
6.5 Supporting Patient Rights
Provider will: (i) deliver PHI from a Designated Record Set to Client (or directly to the requesting individual if Client so directs) within fifteen (15) business days of a request, supporting Client's access obligations under 45 C.F.R. §164.524; (ii) implement amendments to PHI that Client directs within fifteen (15) business days, in furtherance of 45 C.F.R. §164.526; and (iii) compile and make available the disclosure-tracking information Client needs to satisfy an accounting-of-disclosures request under 45 C.F.R. §164.528.
6.6 Downstream Vendors
Every sub-processor or subcontractor that will touch PHI on Provider's behalf must first sign an agreement imposing substantively identical protections and restrictions to those set out in this addendum, as 45 C.F.R. §164.502(e)(1)(ii) requires.
6.7 Government Audit Access
Provider will make the books, records, and internal practices related to its handling of PHI available to the U.S. Department of Health and Human Services if the Secretary requests them for compliance-verification purposes. Client (or a representative Client designates) may also conduct a reasonable compliance review of Provider's HIPAA practices, once per calendar year, upon at least thirty (30) days' advance notice during Provider's normal working hours.
6.8 Winding Down This Addendum
If either Party concludes that the other has materially broken this addendum, the non-breaching Party will send a written cure notice. If thirty (30) days pass without a fix, the non-breaching Party may terminate both this addendum and the MSA. When this addendum ends for any reason, Provider will — at Client's choice — return or destroy all PHI (including PHI held by sub-processors) and send written confirmation that the job is done. If returning or destroying the data is not feasible, Provider will continue to apply the addendum's protections to the retained PHI indefinitely.
Part VII — Outside Technology Partners
Provider relies on an ecosystem of specialized technology vendors to power various aspects of the Services. The table below identifies the major categories. A comprehensive, current roster — including links to each vendor's own terms and privacy documentation — is available from Provider on request and is refreshed regularly.
| Function | Typical Vendors |
|---|---|
| Remote Monitoring & Management | ConnectWise, Datto, NinjaRMM, or similar |
| Endpoint Security & Threat Hunting | SentinelOne, Huntress, CrowdStrike, or similar |
| Backup & Continuity | Datto, Veeam, Axcient, or similar |
| Cloud Productivity | Microsoft 365, Azure, Google Workspace, or similar |
| Email Threat Prevention | Avanan, Proofpoint, Barracuda, or similar |
| Ticketing & Documentation | HaloPSA, Hudu, IT Glue, ConnectWise, or similar |
| Networking Infrastructure | Cisco, Ubiquiti, Fortinet, or similar |
| Identity & Access Control | Microsoft Entra ID, Okta, Duo, or similar |
| Governance, Risk & Compliance | ScalePad, Compliance Manager GRC, or similar |
Client accepts that: (i) Provider may rotate vendors in and out as business needs evolve, and will let Client know when a swap materially changes how the Services operate; (ii) some vendor products carry their own end-user agreements that bind Client directly; and (iii) Provider's exposure for vendor-side failures is governed by the liability framework in Articles 8 and 2.3 of the MSA.
Part VIII — Industry-Specific Considerations
8.1 Manufacturing
Provider has deep experience supporting production environments. For manufacturing Clients, Provider's work may encompass operational-technology networks alongside traditional IT, engineering workstations running CAD/CAM software, ERP and MES platforms, and compliance-readiness consulting for CMMC, ITAR, and related defense-industrial frameworks. The exact scope is defined by the Engagement.
8.2 Construction
For Clients in the construction sector, Provider brings familiarity with project-management platforms (Procore, Buildertrend, PlanGrid, Sage, and the like), mobile-connectivity solutions for job sites, equipment-tracking software, and document-control workflows. Provider will advise on construction-specific cyber threats — wire-fraud schemes, ransomware targeting project archives, and phishing aimed at accounting and project personnel — as part of its security-consulting function.
8.3 Professional Services
Clients in accounting, legal, insurance, and similar professional-services fields can expect Provider to account for the heightened confidentiality standards, workflow dependencies, and regulatory burdens typical of their industries when structuring and delivering the Services.
8.4 Healthcare-Adjacent Practices
Audiology clinics, psychology and psychiatry offices, and other healthcare-adjacent Clients should activate the HIPAA Business Associate Addendum (Part VI) if Provider will come into contact with PHI during the Engagement. It is Client's responsibility to make that determination and to notify Provider before work begins.
Part IX — Closing Provisions
9.1 Hierarchy of Documents
If a provision in these Terms and Conditions conflicts with something in the MSA, the MSA wins. If a conflict arises between these Terms and Conditions and a written Engagement document, the Engagement document wins for the subject it covers. Within these Terms and Conditions, a regulation-specific section (e.g., HIPAA, CMMC) takes precedence over a general data-handling provision to the extent the two are inconsistent.
9.2 Adapting to New Laws
When a relevant data-protection or cybersecurity law is enacted or materially amended, the Parties will collaborate to update these Terms and Conditions accordingly. Neither Party is automatically in breach solely because a new or changed law has just taken effect, provided the Party makes a good-faith effort to comply within ninety (90) days of the law's effective date.
9.3 Export-Control Compliance
Both Parties will abide by all applicable U.S. export-control and economic-sanctions regimes, including the Export Administration Regulations and, where relevant, the International Traffic in Arms Regulations. Neither Party will export, re-export, or transfer any data, software, or technical knowledge received under this Agreement in violation of those rules.
9.4 Anti-Bribery Commitment
In connection with this Agreement, neither Party has made or will make any improper payment or transfer of value — directly or through intermediaries — to any government official, political party, or candidate for the purpose of securing an unlawful advantage, in violation of the Foreign Corrupt Practices Act, the California Political Reform Act, or any other applicable anti-corruption statute.
9.5 Digital Accessibility
Provider makes commercially reasonable efforts to ensure that its client-facing web portals and digital communications meet or approach the Web Content Accessibility Guidelines (WCAG) Level AA standard, to the extent practicable given the nature of the platform.
9.6 Record Retention
Provider will keep copies of these Terms and Conditions, all Engagement documentation, and records of data-processing activities for at least six (6) years after the Agreement concludes, or longer if a law or regulation requires it. For Engagements governed by the HIPAA Business Associate Addendum (Part VI), records will be retained for at least six (6) years from the date of creation or the date the applicable document was last in effect, whichever is later, consistent with 45 C.F.R. §164.530(j). For Engagements involving CUI or DFARS-regulated data, records will be retained for the period required by the applicable federal procurement regulation.
9.7 Where to Direct Questions
Inquiries about these Terms and Conditions — including questions about data processing, security events, or regulatory compliance — should be sent to:
Neuron Computer Services, LLC
Attn: Legal / Compliance
453 S Spring St, Ste 400, PMB 437
Los Angeles, California 90013
Email: info@neuroncomputers.com
Phone: (909) 418-1410