Main Service Agreement

This Main Service Agreement (this "Agreement") is entered into by and between Yama Industrials, Inc., a Wyoming corporation ("Yama"), and the customer identified in the applicable Order Form ("Customer").

By signing an Order Form, Statement of Work, quote, proposal, invoice, credit application, renewal, or other ordering document referencing this Agreement, by providing verbal authorization for Yama to begin work, or by using, receiving, or paying for any Services or Products, Customer agrees to be bound by this Agreement.

Terminology Note — Solutions Provider and Service Provider. Throughout this Agreement, the terms "solutions provider," "service provider," and "technology solutions provider" are used interchangeably and refer solely to Yama in its capacity as a solutions provider that designs, implements, configures, and integrates multi-vendor technology solutions for its customers. The use of any such term in this Agreement does not characterize Yama as a managed service provider (MSP), managed security service provider (MSSP), or any other provider category carrying implied ongoing monitoring, remediation, or duty-of-care obligations beyond those expressly stated in a signed Order Form.

Third-Party and Brokered Services Notice: Where Yama resells, brokers, procures, or arranges any third-party product, service, subscription, license, or platform on Customer's behalf, Yama acts solely as a reseller or intermediary and not as the primary provider or obligor. All such brokered and resold offerings are subject to the applicable third-party vendor's own terms, warranties, and support commitments. Yama makes no warranty and assumes no liability with respect to any third-party or brokered offering except as expressly stated herein. See Article 21 (Brokered and Resold Third-Party Services) for the full terms governing such arrangements.

1. Overview and Agreement Structure

1.1 Master Framework

This Agreement establishes the master terms governing all Services, Products, Deliverables, subscriptions, support, consulting, implementation, advisory work, equipment, software, and other offerings provided by Yama to Customer.

1.2 Incorporated Documents

The following documents are incorporated into and form part of this Agreement, to the extent applicable:

• Any Order Form.

• Any Statement of Work.

• Any Service Level Agreement expressly signed by Yama.

• Any Yama policy published at resources.yamaindustrials.com and expressly incorporated by reference.

• Any written implementation plan, renewal, invoice, or Written Confirmation accepted under this Agreement.

• The Post-Agreement & Ad-Hoc Support Policy, where applicable.

1.3 Broad Definition of Order Form; Acceptance

For purposes of this Agreement, an "Order Form" includes any statement of work, quote, proposal, estimate, invoice, renewal, email authorization, ticket, checkout flow, text message, messaging-platform communication, or other written or electronic authorization requesting, approving, or confirming the provision of Services or Products.

If Customer gives verbal authorization for Yama to begin work, Yama's subsequent commencement of work constitutes conclusive evidence of Customer's authorization for the requested work and strong evidence of Customer's acceptance of this Agreement. A reference to, or link to, this Agreement included on any invoice, estimate, proposal, ticket, or other documentation delivered to Customer in connection with the Services constitutes sufficient notice of this Agreement's terms.

All Services performed are subject to the fees, payment terms, and incorporated policies of this Agreement, regardless of whether every applicable fee is itemized in the initial Order Form.

1.4 Order of Precedence

In the event of any conflict among the documents comprising this Agreement, the following order of precedence applies unless a later document expressly overrides a specific provision of an earlier document in a writing signed by an authorized officer of Yama:

1. Article 8 (Fees, Billing, and Payment).

2. Article 15 (Limitation of Liability).

3. Article 18 (Dispute Resolution).

4. This Agreement.

5. Incorporated Yama policies.

6. The applicable Order Form.

7. The applicable Statement of Work.

8. Any Customer purchase order, procurement portal term, click-through term, vendor onboarding term, or other Customer paper.

Any Customer term that is additional to, inconsistent with, or different from this Agreement is rejected and shall have no force or effect unless expressly accepted in a signed writing by an authorized officer of Yama.

1.5 No Reliance on Customer Internal Processes

Customer's internal purchasing, vendor onboarding, invoice-routing, budgeting, approval, accounting, compliance, payment, or purchase-order procedures do not modify or defer Customer's obligations under this Agreement unless expressly agreed in a signed writing by an authorized officer of Yama.

1.6 Service Changes

Yama reserves the right to modify, suspend, or discontinue any Service or Product at any time, with or without notice, in its discretion, subject only to any non-waivable commitment expressly stated in a signed Order Form.

2. Definitions

For purposes of this Agreement:

"Ad-Hoc Services" means ad hoc, emergency, reactive, supplemental, out-of-scope, break-fix, time-and-materials, or similar services requested by Customer outside the fixed scope of an active subscription, SOW, or managed service commitment.

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"Confidential Information" means non-public technical, business, financial, legal, operational, security, customer, personnel, or commercial information disclosed by one party to the other in any form that is designated as confidential or that reasonably should be understood to be confidential.

"Customer Data" means all data, files, content, records, credentials, configurations, information, and materials submitted, uploaded, transmitted, stored, processed, or otherwise made available by or on behalf of Customer in connection with the Services.

"Customer Equipment" means all hardware, software, systems, accounts, facilities, platforms, networks, licenses, and third-party environments owned, leased, licensed, or controlled by Customer.

"Deliverables" means specific work product expressly identified in an applicable Order Form or Statement of Work as deliverable by Yama to Customer.

"Documentation" means Yama's standard user manuals, setup guides, technical instructions, onboarding materials, and related written materials, if any, provided by Yama in connection with the Services or Products.

"Micro-SOW" means a binding mini statement of work formed pursuant to a Written Confirmation under Section 4.2.

"Order Form" has the meaning set forth in Section 1.3.

"Products" means any hardware, software, appliances, subscriptions, licenses, platforms, tools, or other items sold, licensed, leased, rented, provisioned, or supplied by Yama.

"Services" means all services provided by Yama, including support, managed services, implementation, consulting, advisory, installation, monitoring, remediation, training, cybersecurity, hosted services, and related professional services.

"Statement of Work" or "SOW" means a written scope document, project schedule, or similar document describing specific Services, Deliverables, assumptions, pricing, milestones, or responsibilities.

"Written Confirmation" means a written confirmation by Yama of Ad-Hoc Services or scope modifications, including via email, SMS, ticketing system, messaging platform, direct message, or other written communication channel.

"Yama Equipment" means any hardware, devices, appliances, software agents, access methods, credentials, subscriptions, or other items provided, deployed, leased, rented, licensed, or controlled by Yama in connection with the Services, excluding Customer Equipment.

"Yama Materials" means the Services, Deliverables, Documentation, reports, templates, software, scripts, workflows, methods, tools, know-how, and other materials provided or made available by Yama.

3. Orders, Scope, Renewals, and Ad-Hoc Status

3.1 Orders and SOWs

Yama will provide Services and Products as described in one or more Order Forms or SOWs. Each Order Form or SOW is incorporated into this Agreement upon execution, electronic acceptance, email confirmation, payment, or other authorization accepted by Yama.

3.2 Service Terms

Services may be provided on a term basis, subscription basis, ad-hoc basis, project basis, prepaid basis, or time-and-materials basis, as specified in the applicable Order Form or invoice.

3.3 Renewals

If an Order Form provides for an initial term, renewal term, or automatic renewal, such terms govern unless otherwise stated in that Order Form.

If Customer renews or continues Services after expiration of a prior term, the renewal may be documented through a new Order Form, amendment, email confirmation, invoice payment, or other authorization accepted by Yama. Any renewal incorporates the then-current version of this Agreement and incorporated policies published at resources.yamaindustrials.com at the time of renewal.

3.4 Courtesy Expiration Notice

Yama may provide Customer with advance notice of an upcoming service expiration as a courtesy. Failure to provide any reminder does not extend any service term, does not create liability for Yama, and does not prevent expiration, non-renewal, or transition to Ad-Hoc Support Status. Customer is solely responsible for monitoring its service expiration dates and timely communicating renewal decisions.

3.5 Transition to Ad-Hoc Support Status

At the end of an applicable service term, or upon termination of subscription-based Services, Services may automatically transition to Ad-Hoc Support Status under Yama's then-current Post-Agreement & Ad-Hoc Support Policy unless Customer renews under a new service commitment.

Upon transition to Ad-Hoc Support Status, all proactive monitoring, patching, optimization, included support, warranty coordination, and similar subscription-based services cease immediately, and any further work is reactive, discretionary, and billable at Yama's then-current rates.

3.6 No Obligation to Continue Ad-Hoc Support

Yama may discontinue, decline, terminate, or disengage Ad-Hoc Support Status at any time, in its discretion, including for nonpayment, inactivity, operational reasons, risk reduction, unsupported environments, or legacy-system concerns. Retention of credentials or prior administrative access does not create any implied service agreement or ongoing duty to provide support.

4. Ad-Hoc Services, Change Orders, and Acceptance

4.1 Deemed Acceptance of Deliverables

Customer shall review each Deliverable promptly upon delivery. If Customer does not reject a Deliverable in writing within ten (10) business days after delivery, with reasonable detail describing the specific nonconformity, the Deliverable shall be deemed accepted.

Any use of a Deliverable in production, operational reliance on a Deliverable, payment of an invoice covering the Deliverable, failure to timely identify a material nonconformity, or direction to proceed to the next phase of work constitutes final and irrevocable acceptance of that Deliverable.

4.2 Ad-Hoc Services and Micro-SOWs

Customer may request Ad-Hoc Services. Yama may confirm such Ad-Hoc Services through a Written Confirmation, including by email, SMS, ticket, or other written electronic communication. A Written Confirmation becomes a binding Micro-SOW upon the earliest of: (a) Customer's written approval; (b) Customer's direction that Yama proceed; (c) Customer's provision of access, scheduling, credentials, or other cooperation reasonably necessary for Yama to begin the requested work; or (d) Customer's knowing acceptance of the benefit of the Ad-Hoc Services.

Each Written Confirmation shall state the applicable rate, fixed fee, estimate, pricing basis, or an express incorporation of Yama's then-current rate card or price sheet. If a Written Confirmation does not state a specific rate or fixed fee, the applicable pricing basis shall be Yama's then-current rate card or price sheet for the requested work, which shall constitute the agreed rate for purposes of this Agreement, including Section 8.9. All Ad-Hoc Services are billable at the pricing stated in, or incorporated by, the applicable Written Confirmation unless otherwise expressly stated in a signed writing by Yama.

4.3 Change Orders

Any request by Customer to modify the scope, timing, assumptions, site conditions, service levels, Deliverables, integrations, equipment, dependencies, or work sequence of existing Services may be treated by Yama as a change order and may result in revised pricing, revised milestones, additional fees, or a revised Order Form, SOW, or Micro-SOW.

Yama has no obligation to perform out-of-scope work unless and until it elects to do so.

4.4 On-Site and Apparent Authority

Customer represents and warrants that any of its owners, officers, employees, agents, representatives, project managers, IT personnel, facilities personnel, dispatchers, or on-site contacts who request, approve, authorize, direct, or permit Ad-Hoc Services, emergency work, on-site work, or scope changes have full authority to bind Customer with respect to such request, authorization, or direction.

Customer assumes all risk of internal miscommunication, lack of internal approval, or alleged lack of authority of its personnel, and Customer waives any defense based on a claim that Yama relied on instructions from the wrong Customer representative. Nothing in this Section limits any defense based on Yama's actual knowledge of fraud or forgery by a purported Customer representative.

4.5 No Implied Free Work

Yama's performance of Ad-Hoc Services, diagnostics, emergency response, field dispatch, temporary remediation, courtesy review, or service restoration does not imply that such work is included within any subscription fee, fixed fee, recurring fee, or prior scope commitment unless expressly stated in a signed writing by Yama.

5. Services and Service Levels

5.1 Service Standard

Yama will perform the Services in a professional and workmanlike manner using commercially reasonable efforts consistent with ordinary industry practice for similar services.

5.2 Estimates Only

Any implementation schedule, completion date, milestone, delivery estimate, response estimate, or project timeline is an estimate only unless expressly stated to be binding in a signed Order Form.

5.3 Implementation and Configuration

Yama will supply, configure, implement, or deploy the Products and Services in accordance with the applicable Order Form, subject to Customer cooperation, site readiness, external dependencies, third-party availability, and commercially reasonable implementation assumptions.

5.4 No Service Level Guarantee Absent SLA

Service level commitments, if any, are defined only in a separate signed Service Level Agreement or signed Order Form. In the absence of a specific signed service level commitment, no uptime guarantee, response commitment, restoration commitment, service credit obligation, or other service-level remedy applies.

5.5 Service Changes

Yama may modify, suspend, replace, discontinue, or otherwise change any Service, Product, feature, functionality, method, tool, platform, integration, support model, or technical requirement at any time, in whole or in part, with or without notice, in its discretion. Without limiting the foregoing, Yama may make immediate changes where reasonably necessary for security, legal, regulatory, vendor, technical, operational, supportability, or business reasons.

If Yama determines that a change materially affects the scope, technical requirements, support model, or economics of continuing Services for Customer, Yama may revise the applicable service model, requirements, delivery assumptions, implementation approach, or technical dependencies by notice to Customer. Any pricing change arising from any such Service change shall be governed exclusively by Section 8.13, and Customer's continued use of the affected Services after the effective date of a Service change constitutes acceptance of the Service change, but not of any pricing change except as expressly provided in Section 8.13, subject in all cases to any non-waivable commitment expressly stated in a signed Order Form.

5.6 Geographic Limitations; Relocation

Yama's onsite obligations, dispatch commitments, response estimates, and location-dependent Services apply only within Yama's then-current service areas and only for the sites, assets, and environments identified in the applicable Order Form, SOW, invoice, or service records.

If Customer relocates any covered site, system, equipment, or environment, or if Customer's actual site details, configuration details, access constraints, or geographic location differ from Yama's service records, Yama may requalify the affected Services, revise response times, revise pricing, impose travel or recertification charges, require inspection, limit service methods to remote or depot-style support, or decline to provide onsite Services until Yama confirms continued supportability.

Yama is not liable for any delay, unavailability, degraded performance, or failure to meet any estimate or service level resulting from Customer relocation, inaccurate site information, or conditions outside Yama's applicable service area.

6. Customer Responsibilities

Customer shall:

• Provide accurate, complete, current, and timely information reasonably required for Yama to perform.

• Provide timely access to facilities, systems, networks, platforms, accounts, environments, credentials, and personnel.

• Obtain and maintain all rights, licenses, approvals, and permissions necessary for Yama to access Customer systems and Customer Data.

• Cooperate in good faith and timely make decisions, approvals, elections, and designations.

• Use the Services and Products only for lawful business purposes and in accordance with this Agreement.

• Notify Yama promptly of issues, changes, incidents, risks, or conditions that may affect the Services.

• Monitor expiration dates, licensing requirements, renewal windows, and service transitions.

• Maintain backups, business continuity procedures, disaster recovery measures, cybersecurity controls, and regulatory compliance unless expressly assumed by Yama in a signed Order Form.

• Validate outputs, reports, configurations, and Deliverables before relying on them operationally.

• Provide safe, sufficient, and timely access to Customer facilities, workspaces, power, connectivity, environmental conditions, accurate addresses, loading access, site escorts, and authorized contact personnel reasonably necessary for Yama to perform onsite or location-dependent Services.

• Ensure that work areas are reasonably safe, compliant, and ready for service, and that any required permits, landlord approvals, shutdown windows, and site prerequisites are timely obtained at Customer's expense unless expressly assumed by Yama in a signed writing.

If Yama personnel are unable to perform Services, are materially delayed, or incur additional time or expense due to Customer's act or omission, inaccurate site information, denied or delayed access, unsafe conditions, lack of site readiness, unavailable Customer personnel, missing approvals, incorrect shipping information, "no fault found" determinations, or issues caused by Customer Equipment or third-party environments, then all resulting time and expense are billable and Yama may charge abortive-visit, rescheduling, waiting-time, diagnostics, and no-fault-found fees at Yama's then-current rates.

Customer is responsible for all use of the Services through Customer-controlled accounts, systems, or credentials by Customer or its employees, contractors, agents, and representatives, and for unauthorized use resulting from Customer's failure to maintain reasonable security or administrative control over such access.

7. Equipment, Access, and Third-Party Dependencies

7.1 Customer Equipment

Customer is solely responsible for all Customer Equipment, including maintenance, support, configuration, compatibility, licensing, lawful use, security, and backups.

Yama disclaims any warranty, maintenance, repair, support, or compatibility obligation for Customer Equipment unless expressly stated in a signed Order Form.

Yama is not responsible for delay, outage, degradation, incompatibility, re-work, or failure caused by Customer Equipment malfunction, configuration errors, incompatibility, end-of-life status, unsupported status, or third-party environment issues. Any delays, additional labor, or re-work caused by Customer Equipment issues are billable.

7.2 Yama Equipment

All Yama Equipment remains the sole and exclusive property of Yama or its licensors unless expressly sold in a signed Order Form.

Customer receives only a limited, revocable, non-exclusive, non-transferable right to use Yama Equipment during the applicable service term solely as necessary to receive the Services.

7.3 Return of Yama Equipment

Upon expiration, termination, replacement, or Yama's written demand, Customer shall, at Customer's sole cost and expense, deinstall if requested by Yama, package, protect, and return all Yama Equipment in good working condition, ordinary wear and tear excepted, to the location designated by Yama, within fifteen (15) business days of the date of expiration, termination, or replacement, or within fifteen (15) calendar days of Yama's written demand, whichever is earlier.

If Customer fails to timely return Yama Equipment as required under this Section, Yama may invoice Customer for the full replacement value of the equipment, together with all shipping, handling, deinstallation, recovery, testing, refurbishment, disposition, and related expenses.

7.4 Recovery Rights; Continued Charges

Access and Recovery. Customer shall provide Yama and its designees reasonable access during normal business hours, or at such other times as reasonably necessary, to inspect, deinstall, recover, replace, service, or repossess Yama Equipment. If Customer fails to return Yama Equipment when required, fails to provide access for recovery, relocates Yama Equipment without Yama's prior written consent, or otherwise interferes with Yama's rights in Yama Equipment, Yama may exercise any lawful remedy available to recover such equipment or its value, including self-help where permitted by applicable law, replevin, injunctive relief, or other judicial or administrative process.

Late Return Fee. Without limiting Yama's right to invoice for full replacement value under Section 7.3, if Customer fails to return Yama Equipment by the applicable deadline under Section 7.3 and subsequently returns such equipment after that deadline, Customer shall pay Yama a late return fee equal to one and one-half times (1.5x) the pro-rated daily rental, subscription, or management fee applicable to such equipment as set forth in the applicable Order Form, or if no such rate is specified, as reasonably determined by Yama based on the then-current fair market daily rental value of comparable equipment (the "Late Return Fee"), for each calendar day from the first day following the missed deadline through and including the date Yama physically receives the equipment in the condition required by Section 7.3. The Late Return Fee accrues automatically and without further notice. The parties acknowledge that the Late Return Fee represents a reasonable estimate of Yama's damages arising from the unauthorized continued possession of its equipment, including lost redeployment opportunity and carrying costs, and constitutes liquidated damages and not a penalty. Payment of the Late Return Fee does not preclude Yama from invoking the replacement-value remedy under Section 7.3 if the returned equipment fails to meet the condition standard set forth therein.

Continued Charges. Any recurring charges, rental charges, subscription charges, management charges, monitoring charges, or other equipment-related fees associated with Yama Equipment continue to accrue until the earliest of: (a) Yama's actual receipt of the returned equipment; (b) Yama's written confirmation that the equipment is no longer recoverable and replacement-value charges under Section 7.3 have been paid in full; or (c) Yama's written release of such charges; provided, however, that to the extent the Late Return Fee accrues for any calendar day, any recurring rental, subscription, or management charges for the same equipment and same calendar day that form the basis of the Late Return Fee are included within, and not in addition to, the Late Return Fee, and any such overlapping charges invoiced separately shall be credited against the Late Return Fee.

No Double Recovery. Yama's remedies under Section 7.3 and this Section 7.4 are cumulative and in addition to any other remedies available at law or in equity; provided, however, that (i) any Late Return Fees paid by Customer shall be credited against any replacement-value invoice subsequently elected by Yama under Section 7.3, and (ii) Yama shall not recover duplicative compensation for the same calendar day of non-return under the Late Return Fee, overlapping Continued Charges, and the replacement-value remedy.

7.5 Administrative Access

Where technically necessary, Yama may retain administrative credentials or access methods for devices or systems under its management. Following expiration, termination, or transition to Ad-Hoc Support Status, such access may be retained solely for client-initiated billable support, security disengagement, or administrative transition, and shall not be construed as proactive monitoring, ongoing support, or an implied service obligation.

7.6 Third-Party Products and Services

Yama may resell, recommend, configure, or integrate third-party products or services. All such third-party items are subject to the third party's own terms, policies, warranties, and support commitments.

Yama makes no warranty regarding third-party products or services and is not liable for defects, outages, vulnerabilities, delays, incompatibilities, or failures attributable to third parties.

8. Fees, Billing, and Payment

8.1 Fees

Customer shall pay all fees, charges, expenses, taxes, and other amounts stated in the applicable Order Form, invoice, billing communication, Micro-SOW, or other authorization accepted by Yama.

8.2 Payment Terms

Unless otherwise stated in the applicable Order Form, all invoices are due within seven (7) days after the invoice date. Invoices may be delivered electronically to the email address designated by Customer.

8.3 No Setoff or Withholding

All amounts owed to Yama are payable without setoff, recoupment, deduction, counterclaim, withholding, or reduction of any kind except to the extent required by non-waivable law.

8.4 Late Charges

All unpaid amounts accrue simple interest at the rate of one and one-half percent (1.5%) per month, or the maximum lawful rate permitted by applicable law for the applicable Customer entity type, whichever is less.

Notwithstanding the foregoing, if Customer is a natural person, sole proprietorship, general partnership, or other entity type as to which a lower rate is required by applicable law, the applicable interest rate shall not exceed the maximum lawful rate permitted for such Customer entity type.

8.5 Collection Costs and Legal Fees

Customer shall reimburse Yama for all costs of collection and recovery, including court costs, filing fees, reasonable attorneys' fees, expert fees, skip-tracing costs, administrative charges, and related recovery expenses, to the fullest extent permitted by applicable law.

8.6 Dishonored Payments; Chargebacks; Collection Costs

If any check, ACH, wire, credit card payment, debit card payment, or other payment instrument tendered by Customer is returned, reversed, rejected, declined, charged back, or dishonored for any reason, Customer shall pay Yama, in addition to the underlying amount due, a returned-payment fee of thirty dollars ($30.00) per item or the maximum amount permitted by applicable law, whichever is less.

If any delinquent amount is referred to a collection agency or other collections provider, Customer shall reimburse Yama for all resulting collection costs, including any contingent or fixed collection-agency compensation, in an amount not to exceed thirty percent (30%) of the delinquent amount, to the fullest extent permitted by applicable law.

If the same delinquent amount is thereafter, or simultaneously, referred to legal counsel, pursued in arbitration, litigation, or other formal recovery proceedings, or collected through a collection agency that retains or works with legal counsel, Customer shall also reimburse Yama for all additional court costs, filing fees, and reasonable attorneys' fees and expenses actually incurred in collecting the delinquent amount, to the fullest extent permitted by applicable law.

For the avoidance of doubt, collection-agency compensation and attorneys' fees, court costs, filing fees, and other legal recovery expenses are cumulative and separately recoverable to the extent actually incurred by Yama; provided, however, that the thirty percent (30%) cap applies only to collection-agency compensation and does not limit separately recoverable attorneys' fees, court costs, filing fees, or other legal expenses. Yama shall not recover both collection-agency compensation and attorneys' fees to the extent they compensate Yama for the same services performed by the same provider.

Customer acknowledges and agrees that this Agreement is a commercial contract entered into solely for business purposes and not for personal, family, or household purposes.

8.7 Suspension for Nonpayment

Yama may suspend, restrict, or disable some or all Services immediately if Customer fails to pay any amount when due. Suspension does not relieve Customer of payment obligations and does not waive Yama's right to terminate, accelerate charges, assess an early termination charge where permitted, or pursue collections.

If Customer fails to pay invoices or does not renew at the end of a service term, Yama may automatically transition the account to Ad-Hoc Support Status or may instead fully disengage the account, in either case without waiving any payment or collection rights.

8.8 No Refunds

All fees paid are non-refundable except as expressly stated in a signed Service Level Agreement, signed Order Form, or to the extent required by non-waivable law.

8.9 Billing Disputes; Dispute Window; Form Requirements

Dispute Window. Customer must notify Yama in writing of any billing dispute within the later of: (a) thirty (30) days after the invoice date; or (b) fifteen (15) days after the date on which the Services, work, or Deliverables to which the invoice relates were completed, delivered, or accepted under Section 4.1 (the "Dispute Window"). Failure to submit a conforming billing dispute notice within the Dispute Window constitutes a waiver of any right to dispute the invoice or any portion thereof as a billing dispute, except to the extent prohibited by non-waivable law.

Form of Dispute Notice. A billing dispute is validly initiated only if submitted in one of the following two forms, and no other form shall be recognized or given legal effect for purposes of invoking this Section 8.9: (a) a written email sent directly to Yama's designated billing contact email address as stated on the applicable invoice, transmitted from an email address belonging to an authorized representative of Customer as identified in Yama's account records; or (b) a written letter sent by certified mail, return receipt requested, to Yama's designated notice address as stated on the applicable invoice or pursuant to Section 20.4.

Excluded Channels. The following shall not constitute a valid billing dispute notice and shall not toll any deadline, extend any payment obligation, or preserve any billing-dispute right, regardless of content or timing: verbal communications of any kind, including in-person, by telephone, or by voicemail; SMS, text message, instant message, chat, or messaging platform communications of any kind; communications submitted through any ticketing system, support portal, or helpdesk channel; communications made in passing, incidentally, or as part of a broader service or support conversation; communications made by any person not expressly authorized in Yama's account records to bind Customer on billing matters; and any communication that does not expressly state (i) the specific invoice number being disputed, (ii) the specific line item or dollar amount disputed, (iii) the precise arithmetic, clerical, or rate/quantity discrepancy alleged, and (iv) the amount Customer contends is correctly owed.

Scope of Valid Disputes. Billing disputes are limited solely to demonstrable arithmetic or clerical errors in the amount invoiced, or demonstrable discrepancies between the invoiced rate or quantity and the rate or quantity expressly stated in, or expressly incorporated by rate card or price sheet into, the applicable Order Form, SOW, Micro-SOW, Written Confirmation, renewal, or other written pricing communication issued by Yama. Billing disputes do not include the quality, sufficiency, outcome, or performance of any Services or Deliverables; whether work was necessary, appropriate, or effective; invoice format, invoice detail, billing presentation, or billing methodology; internal approval workflows, vendor onboarding status, or missing purchase-order numbers; demands for hourly, time-entry, or task-level breakdowns not expressly required by the applicable Order Form; or any other administrative, procedural, or subjective matter. For the avoidance of doubt, this Section 8.9 limits only what constitutes a billing dispute and does not eliminate a separate warranty claim properly asserted under Article 14 or any other non-billing claim otherwise permitted under this Agreement.

Work Acceptance Precludes Re-Opening. Customer's acceptance of any Deliverable or Services under Section 4.1 — whether express or deemed — constitutes final acceptance of the work performed and the obligation to pay the corresponding fees as invoiced, subject only to a valid billing dispute under this Section 8.9 or a separate claim expressly permitted elsewhere in this Agreement. A billing dispute submitted after deemed acceptance under Section 4.1 is limited exclusively to arithmetic, clerical, or rate/quantity discrepancies as described above and may not be used to re-open, relitigate, recharacterize, or otherwise challenge any aspect of the accepted work, scope, methodology, outcome, or pricing basis other than the specific discrepancy asserted.

Payment Obligation Unaffected. Customer must pay the full invoice amount by the due date, including any disputed amount. Submission of a purported billing dispute does not suspend, delay, reduce, or otherwise affect Customer's obligation to pay. If Yama determines that Customer is entitled to an adjustment, Yama may issue a credit memo, service credit, or refund at Yama's sole election.

8.10 Determination of Invalid Billing Disputes; Referral to Collections

Yama may determine, acting reasonably and in good faith, whether any Customer communication constitutes a valid billing dispute under Section 8.9 for purposes of internal billing administration and collections handling. Any such determination by Yama is not conclusive in any court, arbitration, or other formal proceeding, and a good-faith Dispute Notice asserting a non-billing claim shall not fail solely because the same communication also references an amount that Yama contends is not a valid billing dispute under Section 8.9.

If Customer fails to pay any amount when due and Yama determines that the asserted dispute is not a valid billing dispute under this Agreement, Yama may, without further obligation to continue internal billing review, declare the amount immediately delinquent, suspend or terminate Services, revoke any conditional license or access rights, accelerate any available remedies, and refer the account to a collection agency, collections provider, or legal counsel.

For the avoidance of doubt, any amount subject only to an invalid billing dispute shall be treated as unpaid and overdue for all purposes under this Agreement, including interest accrual, suspension, termination, collections activity, recovery of collection costs, and recovery of attorneys' fees and expenses.

8.11 Bankruptcy Preference Intent; Contemporaneous Exchange for New Value

To the extent any payment by Customer corresponds to Services, Products, Deliverables, equipment, software, access, support, labor, provisioning, goods, or other value provided contemporaneously or substantially contemporaneously by Yama, the parties intend such payment to constitute a contemporaneous exchange for new value within the meaning of 11 U.S.C. § 547(c)(1).

The parties further acknowledge and agree that Yama provides new value through, among other things, services, labor, access, provisioning, support, Deliverables, goods, software, equipment, and other value furnished to Customer in connection with this Agreement.

Nothing in this Section limits Yama's right to apply payments to outstanding amounts owed by Customer, invoice in arrears, require advance payment, require deposits, suspend Services for nonpayment, or rely on any other defense, offset, or protection available under applicable law, including ordinary-course-of-business and subsequent-new-value defenses, to the fullest extent permitted by law.

8.12 Conditional Suspension and Revocation of Licensed Rights for Nonpayment

Any license, access right, or use right granted by Yama under this Agreement or any Order Form with respect to Deliverables, Documentation, reports, software, scripts, templates, portals, dashboards, hosted environments, subscriptions, or other Yama Materials is expressly conditioned on Customer's timely payment of all amounts due under this Agreement.

If Customer fails to pay any invoice or other amount when due, Yama may, in addition to any other rights or remedies, immediately suspend, restrict, or revoke some or all such license, access, or use rights, in whole or in part, until all delinquent amounts, applicable interest, and recovery costs are paid in full or until Yama otherwise elects in writing to reinstate such rights.

Upon any such suspension or revocation, Customer shall immediately cease the affected use, access, copying, distribution, deployment, display, and exploitation of the affected Yama Materials and shall, upon Yama's request, certify in writing compliance with this Section.

8.13 Price Adjustments; Price Sheets; Pass-Throughs; Market and Regulatory Changes

Unless expressly stated otherwise in a signed Order Form, quoted pricing, recurring service pricing, and standard rate-sheet pricing for a committed service term shall remain fixed during that committed term. Standard annual price increases for recurring Services, including without limitation managed services, firewall services, support plans, monitoring, licensing renewals, and similar recurring offerings, may be implemented only upon renewal or the start of a new service term through a renewal quote, renewal invoice, written price sheet, or other written pricing communication issued by Yama. Customer acknowledges that Yama may maintain and update standard price sheets, rate cards, and pricing guides from time to time, and that such updated pricing shall apply to renewals, new Orders, Ad-Hoc Services, out-of-scope work, and any Services not subject to a then-current fixed committed term.

Notwithstanding the foregoing, Yama may adjust pricing during a current term upon written notice to Customer to reflect: (a) Customer-requested scope changes; (b) inaccurate assumptions, site-condition differences, customer-caused delays, denied access, unavailable personnel, incorrect information, unsafe conditions, or other Customer-caused cost increases; (c) documented increases imposed on Yama by third-party vendors, licensors, carriers, utilities, distributors, manufacturers, or cloud providers; (d) sudden, material, or extraordinary increases in hardware, component, freight, fuel, cloud, power, cooling, labor, insurance, tariff, duty, sanction, compliance, cybersecurity, or regulatory costs that materially affect Yama's cost of service delivery; or (e) governmental prohibitions, import restrictions, export controls, equipment bans, authorization withdrawals, sanctions measures, or other regulatory events affecting the procurement, deployment, replacement, or continued use of technology used in the Services.

If an increase described in clause (c), (d), or (e) is imposed on Yama without advance notice, Yama may implement the corresponding adjustment effective upon the date such increase takes effect for Yama or as soon thereafter as commercially practicable, and any otherwise applicable advance notice period shall not apply. Upon written request, Yama shall provide reasonable supporting documentation for any such mid-term adjustment.

Customer's continued use of the affected Services after the effective date of any permitted adjustment under this Section constitutes acceptance of the adjusted pricing. Verbal discussions regarding renewal or pricing are non-binding and for business convenience only; only pricing stated in a written quote, invoice, price sheet, Order Form, Written Confirmation, or other written pricing communication issued by Yama shall have contractual effect.

For the avoidance of doubt, nothing in this Section limits Yama's right to charge then-current rates for Ad-Hoc Services, out-of-scope work, emergency work, or any Services performed after expiration, termination, non-renewal, or transition to Ad-Hoc Support Status.

9. Intellectual Property and Use Rights

All Yama Materials, including without limitation any software, scripts, templates, tools, methods, processes, documentation, reports, dashboards, and other deliverables created, developed, or provided by Yama, are and shall remain the sole and exclusive property of Yama or its licensors.

No title to or ownership of any Yama Materials is transferred to Customer under this Agreement or any Order Form. Customer receives only the limited use right expressly granted in the applicable Order Form or this Agreement, which is non-exclusive, non-transferable, non-sublicensable, revocable, and limited to Customer's internal business use during the applicable service term.

Customer shall not reverse engineer, decompile, disassemble, copy, reproduce, distribute, modify, create derivative works of, sublicense, sell, resell, assign, or transfer any Yama Materials except as expressly permitted in a signed writing by Yama.

Customer retains all rights to Customer Data. Customer grants Yama a limited, non-exclusive, royalty-free license to access, use, process, and store Customer Data solely as necessary to perform the Services and fulfill Yama's obligations under this Agreement.

10. Confidentiality and Data Handling

Each party shall hold the other party's Confidential Information in strict confidence using at least the same degree of care it uses to protect its own confidential information of a similar nature, but in no event less than reasonable care.

Neither party shall disclose the other party's Confidential Information to any third party without the disclosing party's prior written consent, except to its employees, contractors, advisors, or agents who have a need to know and are bound by confidentiality obligations at least as protective as those set forth herein.

Confidentiality obligations do not apply to information that: (a) is or becomes publicly known through no breach of this Agreement; (b) was rightfully known to the receiving party before disclosure without restriction; (c) is rightfully received from a third party without restriction; or (d) is required to be disclosed by applicable law, regulation, or court order, provided the receiving party gives the disclosing party prompt prior written notice to the extent permitted by law and cooperates reasonably in seeking a protective order.

Yama shall handle Customer Data in accordance with its published Privacy Policy at resources.yamaindustrials.com and any applicable data processing addendum signed by the parties. Customer is solely responsible for ensuring that its use of the Services and its instructions to Yama comply with applicable data protection and privacy laws.

11. Security, Compliance, and Customer Environment

Yama will implement and maintain reasonable administrative, technical, and physical safeguards consistent with industry-standard practices for comparable technology solutions providers to protect Yama's own systems and infrastructure. Such safeguards do not extend to Customer's environment, network, systems, devices, or data except as expressly stated in a signed Order Form.

Customer is solely responsible for the security, configuration, patching, updating, backup, and compliance of Customer's own environment, network, systems, devices, accounts, and data. Customer shall implement and maintain appropriate security controls, access restrictions, backup procedures, and compliance measures applicable to Customer's business, industry, and regulatory obligations. Yama's provision of any Services does not transfer to Yama any obligation to maintain, monitor, or enforce Customer's security posture or regulatory compliance unless expressly assumed in a signed Order Form.

Yama is not responsible for security incidents, data breaches, data loss, unauthorized access, ransomware, malware, or other security events affecting Customer's environment that arise from Customer's failure to maintain adequate security controls, from Customer Equipment vulnerabilities, from third-party platform failures, or from conditions outside the scope of Yama's then-current Services.

Client Waiver of Reports; SKU-Based Scope Elections; Effect on Notice. Where Customer selects, purchases, or authorizes any Service, engagement type, or SKU that, by its description in Yama's then-current pricing sheet, rate card, Order Form, or service catalog, excludes the preparation or delivery of any firewall log, traffic report, security event report, system diagnostic, or similar technical documentation, Customer's selection of such SKU or service tier constitutes Customer's express, informed waiver of: (a) any right to receive such report or the information it would have contained; (b) any right to receive written notice of any security condition, anomaly, indicator of compromise, or network event that would have been visible in such report; and (c) any claim against Yama arising from Yama's non-disclosure of any condition that would have been documented in the excluded report. Yama shall have no liability for any security condition or threat vector observable in any report that Customer's SKU selection excluded, regardless of whether Yama's personnel were aware of such condition during the engagement.

No Duty to Monitor, Warn, or Act; Incidental Security Observations. Yama does not provide security monitoring, threat detection, Security Operations Center (SOC) services, or continuous network surveillance as part of any engagement unless such services are expressly identified and separately scoped in a signed Order Form. The performance of any Services — including without limitation firewall configuration, deployment, implementation, and support, VOIP implementation, network configuration, equipment installation, or Ad-Hoc support — does not impose on Yama any duty to monitor, scan, assess, analyze, detect, identify, or report security threats, anomalies, compromises, or indicators of malicious activity present in Customer's environment, whether or not such conditions would be visible or apparent during the performance of the authorized Services. Yama has no obligation — contractual, tortious, or otherwise — to notify Customer of any security condition, anomaly, indicator of compromise, suspicious traffic pattern, or potential threat that Yama's personnel may incidentally observe while performing any Services, regardless of the apparent severity of the observed condition. Any informal, verbal, or incidental communication by Yama personnel regarding an observed condition: (a) does not constitute a professional security assessment, threat analysis, or forensic determination; (b) does not represent a complete or authoritative characterization of Customer's security posture; (c) does not create any duty on Yama's part to investigate further, take protective action, or provide follow-up notice; and (d) shall not be construed as an assumption of any security monitoring, advisory, or remediation obligation. Yama shall have no liability to Customer for failing to observe, identify, report, escalate, or act upon any security condition, threat, anomaly, or indicator of compromise — including without limitation malware, ransomware, command-and-control traffic, data exfiltration, lateral movement, or unauthorized access — that was or may have been present in Customer's environment at any time, regardless of whether Yama personnel were performing Services in Customer's environment at the time such condition existed. Customer is solely responsible for the ongoing security of its own network, systems, devices, and data, and acknowledges that Yama's engagement as a solutions provider for specific implementation, configuration, or support tasks does not substitute for, and is entirely distinct from, dedicated security monitoring, SOC services, or managed threat detection, which are separately priced third-party professional service categories. Nothing in this paragraph prohibits Yama from voluntarily providing Customer with informal notice of an observed security condition as a courtesy; however, where Yama elects to provide such voluntary notice, whether verbally or in writing, such notice: (a) does not obligate Yama to provide any further notice, investigation, or follow-up; (b) does not create any ongoing duty to monitor for the same or similar conditions; and (c) does not expand the scope of any then-current engagement.

12. Term, Termination, and Effects of Termination

12.1 Agreement Term

This Agreement commences on the date of first execution, acceptance, or use of Services and continues until all active Order Forms and SOWs have expired or been terminated, unless earlier terminated as provided herein.

12.2 Termination for Cause

Either party may terminate this Agreement or any Order Form immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice of the breach, except that breaches involving non-payment, intellectual property infringement, confidentiality violations, or unauthorized use may be terminated immediately without a cure period.

12.3 Termination for Convenience

Yama may terminate this Agreement or any Order Form for convenience upon thirty (30) days' prior written notice to Customer. Customer may terminate for convenience only if and to the extent expressly permitted in the applicable signed Order Form.

12.4 Effects of Termination

Upon expiration or termination of this Agreement or any Order Form: (a) all licenses and use rights granted to Customer terminate immediately; (b) Customer shall immediately cease all use of Yama Materials and return or destroy all Yama Confidential Information in its possession; (c) Customer shall return all Yama Equipment as required by Section 7.3; (d) all accrued and unpaid payment obligations survive and become immediately due; and (e) Sections that by their nature should survive termination shall survive, including without limitation Articles 8, 9, 10, 14, 15, 16, 18, and 20.

13. Acceptance, Disclaimers, and Reliance Limits

Customer acknowledges that it has independently evaluated the Services and Products, has not relied on any oral or written representation, promise, guarantee, or warranty not expressly set forth in this Agreement or a signed Order Form, and has made its own determination that the Services and Products are suitable for its needs.

No employee, agent, or representative of Yama has authority to make representations, warranties, or commitments beyond those expressly set forth in this Agreement or a signed Order Form, and any such representations, if made, are not binding on Yama.

14. Limited Warranty and Disclaimer

14.1 Limited Warranty

Yama warrants that it will perform the Services in a professional and workmanlike manner using commercially reasonable efforts consistent with ordinary industry practice for similar services.

14.2 Warranty Limitations

The warranty in Section 14.1 does not apply to: (a) issues caused by Customer Equipment, Customer configurations, or Customer-controlled environments; (b) issues caused by Customer's failure to follow Yama's recommendations, instructions, or documented requirements; (c) issues caused by third-party products, services, or platforms not under Yama's direct control; (d) issues resulting from unauthorized modifications to Yama's work; (e) issues caused by Force Majeure events; or (f) Ad-Hoc Services or time-and-materials work performed at Customer's specific direction.

14.3 Exclusive and Sole Remedy

Customer's sole and exclusive remedy, and Yama's sole and exclusive obligation, for any alleged breach of Section 14.1 is, at Yama's option, to re-perform the affected Services or terminate the affected Services and issue a prorated credit or refund for the unused portion of the fees actually paid for the materially nonconforming Services.

Customer must notify Yama in reasonable detail of the alleged nonconformity within thirty (30) days after Customer discovers it and, except for latent nonconformities not reasonably discoverable earlier, no later than ninety (90) days after delivery of the affected Services or Deliverables. Any latent nonconformity claim must be asserted within fifteen (15) days after discovery and in all events no later than one hundred eighty (180) days after such delivery.

For the avoidance of doubt, nothing in Section 4.1 or Section 8.9 eliminates Customer's ability to assert a timely warranty claim under this Section 14.3, although acceptance under Section 4.1 and payment obligations under Article 8 remain effective except to the limited extent of the remedy expressly provided in this Section.

Customer waives all other remedies arising from or relating to any alleged breach of warranty, to the fullest extent permitted by applicable law.

14.4 General Disclaimer

EXCEPT AS EXPRESSLY SET FORTH IN SECTION 14.1, YAMA PROVIDES ALL SERVICES, PRODUCTS, AND YAMA MATERIALS "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, RELIABILITY, COMPLETENESS, OR SECURITY. YAMA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, FREE OF VULNERABILITIES, OR THAT ANY PARTICULAR RESULT WILL BE ACHIEVED.

15. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL YAMA, ITS AFFILIATES, OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR CONTRACTORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, PUNITIVE, OR ENHANCED DAMAGES, INCLUDING WITHOUT LIMITATION LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, COST OF SUBSTITUTE SERVICES, OR ANY OTHER ECONOMIC LOSS, ARISING OUT OF OR RELATED TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF YAMA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YAMA'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, ANY ORDER FORM, OR ANY SERVICES OR PRODUCTS PROVIDED HEREUNDER SHALL NOT EXCEED THE TOTAL FEES ACTUALLY PAID BY CUSTOMER TO YAMA IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

THE LIMITATIONS IN THIS ARTICLE 15 APPLY TO ALL CLAIMS, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, WARRANTY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, AND SHALL APPLY EVEN IF A LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES; IN SUCH JURISDICTIONS, YAMA'S LIABILITY SHALL BE LIMITED TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW.

16. Indemnity

Customer shall defend, indemnify, and hold harmless Yama and its affiliates, officers, directors, employees, agents, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) Customer's breach of this Agreement; (b) Customer's use of the Services or Products in violation of applicable law or third-party rights; (c) Customer Equipment or Customer-controlled environments; (d) Customer Data, including any claim that Customer Data infringes or misappropriates any third-party right or violates applicable law; (e) Customer's acts or omissions, including unauthorized use of Yama's credentials, access methods, or systems; or (f) any claim by a third party arising from Customer's business operations or Customer's use of the Services.

17. Force Majeure and External Dependencies

Yama shall not be liable for any delay or failure in performance caused by circumstances beyond Yama's reasonable control, including without limitation acts of God, natural disasters, pandemic, epidemic, government action, regulatory change, war, terrorism, civil unrest, labor disputes, internet or telecommunications outages, power failures, third-party vendor failures, supply chain disruptions, cyberattacks on infrastructure outside Yama's reasonable control, or any other event beyond Yama's reasonable control (each, a "Force Majeure Event").

If a Force Majeure Event occurs, Yama shall notify Customer as soon as reasonably practicable and shall use commercially reasonable efforts to resume performance. Fees continue to accrue during any Force Majeure Event for Services that remain partially or fully available.

18. Dispute Resolution

18.1 Informal Escalation Requirement

Before initiating any formal legal proceeding, the party asserting a dispute shall provide the other party with a written Dispute Notice identifying in reasonable detail the nature of the dispute and the relief sought. The parties shall attempt in good faith to resolve the dispute through senior management escalation within fifteen (15) business days after delivery of the Dispute Notice (or such longer period as the parties may mutually agree in writing).

18.2 Venue, Forum, and Election of Remedies

If the parties are unable to resolve a dispute through informal escalation, either party may pursue resolution through binding arbitration or litigation as permitted under this Agreement. The parties irrevocably submit to the exclusive jurisdiction of the state and federal courts located in Wyoming for any dispute not submitted to arbitration, and each party waives any objection to the laying of venue in such courts.

This Agreement shall be governed by and construed in accordance with the laws of the State of Wyoming, without regard to its conflict-of-laws provisions.

18.3 Provisional and Equitable Relief

Notwithstanding any other provision of this Agreement, either party may seek provisional, injunctive, or other equitable relief in any court of competent jurisdiction to prevent irreparable harm pending resolution of a dispute, without waiving the right to pursue any other remedy.

18.4 Time to Bring Claims

Any claim, action, or proceeding arising out of or related to this Agreement must be brought within one (1) year after the date the claiming party knew or reasonably should have known of the facts giving rise to the claim, except to the extent a shorter period is provided elsewhere in this Agreement. Any claim not brought within this period is permanently barred.

18.5 Pre-Filing Dispute Notice

Compliance with the informal escalation requirement in Section 18.1 is a condition precedent to filing any formal legal proceeding. A Dispute Notice that asserts only an invoice objection that does not constitute a valid billing dispute under Section 8.9 shall not toll any payment deadline or preserve any billing-dispute right under Article 8; however, a good-faith Dispute Notice asserting an otherwise permitted non-billing claim shall not fail solely because the same notice also references an amount that Yama contends is not a valid billing dispute under Section 8.9.

18.6 Tolling and Non-Tolling Matters

Delivery of a Dispute Notice under Section 18.1 tolls the limitations period in Section 18.4 solely with respect to the specific claim identified in that Dispute Notice for the duration of the informal escalation period. Delivery of a Dispute Notice does not toll, suspend, or extend: (a) any billing-dispute Dispute Window under Section 8.9; (b) any payment deadline under Article 8; (c) any deemed-acceptance period under Section 4.1; or (d) any warranty-notice period under Section 14.3.

19. Notices

All notices, demands, consents, approvals, and other communications required or permitted under this Agreement shall be in writing and delivered by: (a) certified mail, return receipt requested, postage prepaid; (b) nationally recognized overnight courier; or (c) email with confirmed delivery to the designated notice email address of the receiving party, as set forth in the applicable Order Form or updated by written notice.

Notices are effective upon receipt. Either party may update its notice address by providing written notice to the other party in accordance with this Article 19.

20. Miscellaneous

20.1 Entire Agreement

This Agreement, together with all incorporated documents, constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior and contemporaneous negotiations, representations, proposals, understandings, and agreements, whether oral or written, relating to such subject matter.

20.2 Amendments

Yama may amend this Agreement by posting a revised version at the designated Yama terms URL or by otherwise providing written notice to Customer.

Unless otherwise expressly stated, any amendment becomes effective upon posting or notice for new Orders, renewals, and Services provided after expiration, termination, or transition to Ad-Hoc Support Status.

For a Customer then in an active committed service term, any material amendment to Article 8, Article 14, Article 15, Article 18, or this Article 20 shall apply prospectively only upon renewal or upon at least thirty (30) days' prior written notice, and shall not alter committed-term pricing or any non-waivable commitment expressly stated in a signed Order Form during the then-current committed term, except as expressly permitted by Section 8.13 or another express provision of this Agreement already in effect on the applicable Order Form effective date. No amendment adopted after the effective date of a committed Order Form shall expand the circumstances under which Yama may implement a mid-term price increase for that committed Order Form beyond those expressly set forth in Section 8.13 as in effect on that effective date; provided, however, that nothing in this Section limits Yama's right to implement any price adjustment, surcharge, pass-through, substitution, or service-model change expressly permitted by Section 8.13 or by the applicable signed Order Form as in effect on that effective date.

Customer has a continuing obligation to review the then-current Agreement before entering into new Orders, renewals, or requests for additional Services. Customer's continued use of Services after the effective date of an applicable amendment constitutes acceptance of that amendment.

20.3 Assignment

Customer may not assign, transfer, delegate, or sublicense this Agreement, any Order Form, or any rights or obligations hereunder, whether by operation of law, merger, acquisition, change of control, asset sale, or otherwise, without Yama's prior written consent. Any purported assignment without such consent is void.

Yama may assign, transfer, or delegate this Agreement, any Order Form, or any rights or obligations hereunder at any time without Customer's consent, including in connection with a merger, acquisition, reorganization, or sale of all or substantially all of Yama's assets or the business unit to which this Agreement relates.

20.4 Notice Address and Notice Mechanics

Yama's current designated notice address and billing contact email address are published at resources.yamaindustrials.com or as stated on the applicable invoice or Order Form. Customer is responsible for ensuring its notice information in Yama's account records remains current.

20.5 Waiver

No waiver of any provision of this Agreement shall be effective unless in writing and signed by an authorized officer of the waiving party. No waiver of any breach or default constitutes a waiver of any subsequent breach or default, and no course of dealing or trade usage shall constitute a waiver of any right.

20.6 Severability and Reformation

If any provision of this Agreement is held invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be reformed to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.

20.7 Survival

The following provisions survive expiration or termination of this Agreement for any reason: Article 2 (Definitions), Article 8 (Fees, Billing, and Payment), Article 9 (Intellectual Property and Use Rights), Article 10 (Confidentiality and Data Handling), Section 12.4 (Effects of Termination), Article 13 (Acceptance, Disclaimers, and Reliance Limits), Article 14 (Limited Warranty and Disclaimer), Article 15 (Limitation of Liability), Article 16 (Indemnity), ...Article 18 (Dispute Resolution), Article 20 (Miscellaneous), and Article 21 (Brokered and Resold Third-Party Services), and Article 22 (Customer-Introduced Devices; Internal Network Security; Scope Limitations), Article 23 (Subcontractors; Third-Party Personnel; Unauthorized and Rogue Acts), Article 24 (Administrative Accounts; Credentials; Migration and Handover), and Article 25 (Supply Chain Security; Vendor-Introduced Compromise; Zero-Day Vulnerabilities; Nation-State and Advanced Persistent Threat Events)

20.8 Independent Contractors

The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, franchise, employment, or fiduciary relationship between the parties. Neither party has authority to bind the other party to any obligation.

20.9 No Third-Party Beneficiaries

This Agreement is for the sole benefit of the parties and their respective permitted successors and assigns. Nothing in this Agreement creates or is intended to create any rights, claims, or remedies in any third party.

20.10 Counterparts; Electronic Acceptance; Signatures

This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one agreement. Electronic signatures, digital signatures, and click-through or other electronic acceptances shall be deemed legally binding to the same extent as original signatures.

20.11 Interpretation

This Agreement shall be construed without regard to any presumption or rule requiring construction against the party causing this Agreement to be drafted. Section headings are for convenience only and shall not affect the interpretation of this Agreement. The words "include," "includes," and "including" are deemed to be followed by the words "without limitation." Unless the context otherwise requires, references to a statute or regulation include all amendments thereto and successor provisions.

20.12 Publicity and Reference Rights

Yama may reference Customer's name and general description of the nature of Services provided as a customer reference for marketing, promotional, and business development purposes, unless Customer provides written objection to Yama's designated notice address within thirty (30) days after the effective date of Customer's first Order Form.

20.13 Priority of Business Records

In the event of any ambiguity or dispute regarding the scope, pricing, or terms of Services performed, Yama's internal service records, ticketing records, billing records, account records, and business records shall constitute presumptive evidence of the services performed, amounts invoiced, and terms applicable.

21. Brokered and Resold Third-Party Services

21.1 Reseller and Intermediary Status

Where Yama resells, brokers, procures, arranges, or passes through any third-party product, service, subscription, license, platform, or other offering on Customer's behalf (each, a "Brokered Service"), Yama acts solely as a reseller, intermediary, or procuring agent and not as the primary provider, manufacturer, developer, or obligor with respect to such Brokered Service. Customer acknowledges that the underlying third-party vendor, licensor, carrier, or platform provider (the "Upstream Vendor") is the primary obligor for all performance, availability, security, functionality, support, and warranty obligations relating to the Brokered Service.

21.2 No Yama Warranty on Brokered Services

Yama makes no representation or warranty, express or implied, regarding any Brokered Service, including without limitation any warranty of merchantability, fitness for a particular purpose, accuracy, uptime, security, non-infringement, or suitability for Customer's requirements. Any warranty claim with respect to a Brokered Service must be asserted directly against the applicable Upstream Vendor under that vendor's then-current terms and warranty policy. The warranty in Section 14.1 does not apply to Brokered Services.

21.3 Vendor EULA Compliance; Flow-Down

All Brokered Services are subject to the applicable Upstream Vendor's end-user license agreement, terms of service, acceptable use policy, privacy policy, and support terms (collectively, "Vendor Terms"), which are binding on Customer as a condition of receiving the Brokered Service. Customer is solely responsible for reviewing, accepting, and complying with all applicable Vendor Terms. Yama shall have no obligation or liability arising from Customer's failure to comply with any Vendor Terms, and any suspension, termination, restriction, or modification of a Brokered Service resulting from Customer's violation of Vendor Terms shall not constitute a breach of this Agreement by Yama. To the extent a Brokered Service requires Customer's direct acceptance of Vendor Terms, Customer shall execute such acceptance upon Yama's request and in any event before using the Brokered Service.

21.4 Vendor-Initiated Changes, Suspension, or Discontinuation

Yama shall have no liability to Customer for any modification, suspension, restriction, price change, feature removal, discontinuation, or termination of any Brokered Service initiated by the Upstream Vendor, including without limitation changes to the vendor's pricing, support model, geographic availability, technical requirements, platform architecture, security posture, or business operations. If an Upstream Vendor modifies or discontinues a Brokered Service, Yama may, in its discretion: (a) pass through the Upstream Vendor's modified terms and pricing upon notice to Customer; (b) substitute a comparable third-party offering; or (c) terminate the affected portion of the applicable Order Form without penalty upon notice to Customer. Any pricing adjustment arising from an Upstream Vendor change is separately governed by Section 8.13.

21.5 Refund and Credit Limitation

Yama's obligation to issue any refund, credit, service credit, or other monetary remedy with respect to any Brokered Service is strictly limited to amounts Yama actually receives from the applicable Upstream Vendor attributable to the Customer account. Yama shall use commercially reasonable efforts to request and pass through any refund or credit to which Customer may be entitled under the Upstream Vendor's then-current refund or credit policy, but Yama shall have no obligation to fund, advance, or guarantee any refund or credit that the Upstream Vendor does not provide.

21.6 Limitation of Liability for Brokered Services

Without limiting Article 15, Yama's total aggregate liability to Customer arising out of or relating to any Brokered Service — including any Upstream Vendor outage, security incident, data breach, feature loss, performance failure, availability failure, or support failure — shall not exceed the amounts actually paid by Customer to Yama for the specific Brokered Service during the three (3) months immediately preceding the event giving rise to the claim. For the avoidance of doubt, this liability limitation applies in addition to, and not instead of, the general liability cap set forth in Section 15.2; the lower of the two caps governs.

21.7 No Agency Relationship with Upstream Vendor

Nothing in this Agreement, any Order Form, or any Brokered Service arrangement creates an agency, partnership, joint venture, or employment relationship between Yama and any Upstream Vendor. Yama does not have authority to bind any Upstream Vendor, to modify any Upstream Vendor's terms, or to make representations on any Upstream Vendor's behalf. Yama shall not be liable for any act, omission, misrepresentation, or failure of any Upstream Vendor.

21.8 Physical Property Damage; On-Site Vendor Activity

Where Yama procures, brokers, or arranges access for any Upstream Vendor or its personnel to perform physical installation, construction, cabling, wiring, or other on-site work at Customer's premises or in proximity to Customer Equipment, Yama acts solely as a coordinating intermediary and not as a general contractor, employer, principal, or supervisor of the Upstream Vendor's personnel. Customer acknowledges that Yama exercises no direction or control over the Upstream Vendor's on-site work methods, personnel, equipment handling, or field execution. In the event of any physical property damage, loss, destruction, personal injury, or other tort arising from the Upstream Vendor's on-site activities, Customer's sole remedy is against the applicable Upstream Vendor directly, and Yama shall have no liability therefor. Yama shall use commercially reasonable efforts, upon request, to assist Customer in asserting a claim against the applicable Upstream Vendor or its insurer, but such assistance does not create any guaranty, co-liability, or assumption of the Upstream Vendor's obligations. Yama makes no representation that any Upstream Vendor maintains any particular level of insurance coverage. Customer is responsible for maintaining its own property and casualty insurance covering Customer Equipment at all times.

22. Customer-Introduced Devices; Internal Network Security; Scope Limitations

22.1 Customer-Introduced Devices

Customer is solely responsible for any device, system, platform, application, or endpoint that Customer, or any third party engaged directly by Customer, installs, connects, activates, provisions, or otherwise introduces to Customer's internal network, whether permanently or temporarily, and whether or not Customer notifies Yama of such introduction. This includes without limitation:

• VoIP systems, telephony platforms, and unified communications equipment;

• IP-based cameras, video surveillance systems, and physical access control systems;

• IoT devices, building automation systems, environmental controls, and smart-facility equipment;

• Networked copiers, printers, multifunction devices, and externally managed print services;

• Point-of-sale systems, payment terminals, and kiosks;

• Personally owned devices, guest devices, and contractor devices connected to any Customer network segment; and

• Any other device, appliance, or platform not expressly identified in the applicable Order Form as within Yama's support scope.

Customer assumes all risk, liability, and responsibility for the security posture, configuration hygiene, patch status, network behavior, and operational impact of all Customer-introduced devices. Yama has no duty to audit, assess, monitor, detect, remediate, or advise with respect to any Customer-introduced device absent a separate written engagement expressly scoped to that device.

22.2 No Pre-Installation Review Obligation

Yama has no obligation to review, assess, approve, or advise on the security implications of any planned third-party installation, device addition, or network change by Customer or Customer's vendors unless Customer submits a written request to Yama prior to such installation and Yama expressly agrees in a signed writing to perform such review as a separately scoped and billable engagement. The absence of a Yama pre-installation review does not create any Yama liability for the security or operational impact of the installation.

22.3 Scope of Yama Firewall and Security Support Services

Where Yama provides subscription support, management, monitoring, or configuration services for a firewall, security appliance, or perimeter security solution, the scope of such services is expressly limited to:

• The WAN-side perimeter and the configured rulesets, interfaces, and zones expressly identified in the applicable Order Form; and

• The supported appliance in its last known stable configuration as of Yama's most recent documented configuration event.

Yama's firewall and security support services expressly exclude and do not extend to:

(a) internal LAN-side security, lateral movement, or east-west traffic between internal network segments; (b) network segmentation, VLAN architecture, or isolation of any device not expressly within scope; (c) detection, containment, or remediation of any threat or breach originating from or propagating through any Customer-introduced device; or (d) any condition, vulnerability, misconfiguration, or threat vector introduced to the network after Yama's last documented configuration, whether by Customer, a third-party vendor, or a Customer-introduced device.

22.4 No Implied Network Security Engagement

Yama's support of any individual appliance, device, or platform under a subscription support plan does not constitute a general network security engagement, a network security assessment, a penetration test, a vulnerability management service, or a managed security service of any kind. No implied duty of broader network security care arises from the existence of any Yama firewall support subscription, security appliance subscription, or related service engagement.

22.5 Breach and Incident Causation; No Liability

In the event of any security breach, incident, intrusion, unauthorized access, ransomware event, data exfiltration, or other security event affecting Customer's systems, networks, or data, Yama shall have no liability for any resulting losses, damages, costs, regulatory penalties, notification obligations, remediation expenses, or third-party claims arising from or attributable to:

(a) any Customer-introduced device as described in Section 22.1; (b) Customer's failure to segregate, isolate, or properly secure any device on its internal network; (c) any threat, attack vector, or unauthorized access originating from within Customer's internal LAN, internal wireless network, or any network segment not expressly within Yama's documented support scope; (d) any third-party vendor's act, omission, negligence, or reckless installation practice; or (e) any condition or vulnerability existing prior to Yama's engagement or introduced after Yama's last documented configuration of the applicable supported system.

The foregoing exclusions apply regardless of whether the affected system or appliance is otherwise covered under an active Yama subscription support plan, and regardless of whether the breach could theoretically have been detected or mitigated by a broader security engagement not expressly authorized under this Agreement.

Nothing in this Article limits Yama's liability for damages caused solely and directly by Yama's own gross negligence or willful misconduct in performing the expressly scoped support services.

22.6 Third-Party Diagnostic Requests; Temporary Security Modifications; Customer Consent Requirements

No Obligation to Comply. Yama shall have no obligation to open any firewall port, create any access rule, disable any security policy, bypass any security inspection, suspend any threat-prevention feature, or otherwise modify the security posture of any Yama-supported device or system at the request of any third-party vendor, installer, contractor, or platform provider, regardless of the stated diagnostic, troubleshooting, or operational purpose. Yama may decline any such request in its sole discretion without liability to Customer or to the requesting third party.

Customer Authorization Required. If Customer wishes Yama to accommodate a third-party vendor's diagnostic or troubleshooting request that requires a temporary security modification, Customer must provide express prior written authorization before Yama will take any such action. Such authorization must:

(a) identify the specific third-party vendor and the stated diagnostic purpose; (b) identify the specific modification requested, including the port, rule, policy, or feature to be temporarily altered; (c) specify the requested duration of the temporary modification; (d) be transmitted in one of the following authorized forms: (i) a written email sent from an email address belonging to an owner, officer, or expressly authorized representative of Customer as identified in Yama's account records, or (ii) if email access is unavailable or impractical at the time of the request, a written text message or messaging platform communication sent directly from the personal device of an owner or officer of Customer, with such individual expressly identifying themselves by name and title in the communication; and (e) include an express acknowledgment by the authorizing individual that they understand the request involves a temporary reduction in network security protections and that Customer accepts all risk of unauthorized access, intrusion, breach, data loss, or other security incident arising during or after the temporary modification period.

No Verbal Authorization. Verbal authorization of any kind — including in-person, by telephone, or by voicemail — shall not constitute valid authorization for any temporary security modification under this Section, regardless of the identity of the requesting individual or the urgency of the diagnostic need.

Yama's Right to Decline Notwithstanding Consent. Even where Customer provides valid authorization under this Section, Yama retains the right, in its sole professional judgment, to decline to make the requested security modification if Yama reasonably determines that the modification presents an unacceptable security risk, is inconsistent with applicable vendor requirements, or conflicts with Yama's professional obligations. Yama shall notify Customer promptly of any such declination.

Release of Liability; Assumption of Risk. Customer's authorization of any temporary security modification under this Section constitutes Customer's express assumption of all risk arising from or related to the modification, including without limitation any unauthorized access, intrusion, malware infection, ransomware event, data breach, data exfiltration, lateral movement, denial-of-service event, or other security incident occurring during the modification window or arising from any vulnerability introduced or exposed as a result of the modification. Yama shall have no liability for any such incident or its consequences, regardless of whether the incident was foreseeable, regardless of whether the third-party vendor's request was the proximate cause, and regardless of whether the incident persists or recurs after the modification is reversed. This release applies in addition to, and not instead of, the liability exclusions set forth in Article 15 and Sections 22.3 through 22.5.

Restoration; Billability. Upon completion of the authorized diagnostic window, or upon Customer's written request, Yama will use commercially reasonable efforts to restore the affected security configuration to its prior state. All time spent by Yama implementing, monitoring, documenting, and reversing any temporary security modification — including any associated testing, change-window coordination, or post-restoration verification — constitutes billable Ad-Hoc Services under Section 4.2, regardless of whether the diagnostic effort resolves the third-party vendor's issue.

Documentation. Yama will retain a record of the authorization received, the modification made, and the restoration performed as part of its internal service records, which shall constitute presumptive evidence of the scope and terms of the authorization under Section 20.13.

22.7 Third-Party and Internal IT Providers; Remote Access Bypass; Parallel IT Environments

No Control Over Parallel IT Providers. Where Customer engages, retains, or permits any third-party IT provider, internal IT department, contractor, consultant, or other technology personnel ("Parallel IT Provider") to perform any work on Customer's systems, networks, devices, or environments concurrently with or at any time during Yama's engagement, Yama has no visibility into, control over, or responsibility for the security practices, access methods, equipment, credentials, or technical protocols of any such Parallel IT Provider.

Remote Access Tool Bypass. Customer acknowledges that remote access tools and software — including without limitation TeamViewer, AnyDesk, LogMeIn, ConnectWise Control, Splashtop, and similar remote desktop, screen sharing, or remote management applications (collectively, "Remote Access Tools") — when installed or authorized on Customer's internal devices, create inbound and outbound connection pathways that operate independently of and outside the protection of any firewall, perimeter security device, geo-blocking rule, or network security control that Yama has deployed or manages on Customer's behalf. Connections established through Remote Access Tools originate from or are received by the endpoint device directly and are not inspected, filtered, blocked, or logged by Yama's perimeter security architecture in the same manner as standard network traffic.

Express Exclusion from Firewall and Security Scope. Yama's firewall management, perimeter security, and network security services — including any geo-blocking, DNS filtering, traffic inspection, or access control services provided under any Order Form — expressly exclude and do not extend to:

(a) any connection, session, transfer, or activity conducted through any Remote Access Tool installed or authorized on any Customer device, regardless of whether such Remote Access Tool was installed by Yama, by a Parallel IT Provider, by Customer, or by any other party;

(b) any malware, ransomware, credential theft, data exfiltration, lateral movement, or other compromise introduced to Customer's internal network through any Remote Access Tool session, regardless of whether such session was authorized by Customer;

(c) any security incident originating from, facilitated by, or introduced through the equipment, devices, credentials, or network connections of any Parallel IT Provider, regardless of whether such Parallel IT Provider was engaged by Customer with or without Yama's knowledge; and

(d) any condition, vulnerability, misconfiguration, or unauthorized access introduced to Customer's environment by any Parallel IT Provider, whether through Remote Access Tools, direct physical access, VPN connections, cloud platform access, or any other access method.

No Liability for Parallel IT Provider Acts or Omissions. Yama shall have no liability to Customer for any security incident, data breach, system compromise, data loss, service disruption, or other loss or damage arising from or related to: (a) the security practices or lack thereof of any Parallel IT Provider; (b) the use of any Remote Access Tool by any Parallel IT Provider or internal IT personnel; (c) any connection to Customer's environment made through unsecured, unpatched, compromised, or otherwise inadequately protected hardware or software operated by any Parallel IT Provider; or (d) the removal, disabling, circumvention, or bypass of any security control deployed by Yama, whether deliberate or inadvertent, by any Parallel IT Provider or internal IT personnel.

Geo-Blocking and Perimeter Controls Are Not Comprehensive Security. Customer acknowledges that geo-blocking, DNS filtering, and perimeter firewall controls deployed by Yama represent one layer of a multi-layered security architecture and do not constitute comprehensive protection against all threat vectors, including without limitation threats introduced through Remote Access Tools, insider threats, physically connected devices, encrypted tunnels, cloud-based access, or supply chain compromise. The presence of active geo-blocking or other perimeter controls does not indicate that Customer's environment is free from compromise or that all threats are being contained.

23. Subcontractors; Third-Party Personnel; Unauthorized and Rogue Acts

23.1 Yama's Right to Use Subcontractors

Yama may engage subcontractors, independent contractors, third-party technicians, field service providers, staffing resources, or other personnel to perform or assist in performing any Services under this Agreement (each, a "Yama Subcontractor"). Yama's engagement of a Yama Subcontractor does not alter Yama's obligations to Customer under this Agreement with respect to the authorized scope of Services, except as otherwise expressly stated herein.

23.2 Scope of Yama's Responsibility for Subcontractor Acts

Yama's responsibility for the acts and omissions of any Yama Subcontractor is limited to acts and omissions occurring within the express scope of the work authorized by Yama for that engagement. Yama shall use commercially reasonable efforts consistent with ordinary industry practice to engage subcontractors that are reasonably qualified for the authorized scope of work.

Yama is not responsible for, and expressly disclaims liability arising from, any act, omission, conduct, or event that:

(a) is outside the authorized scope of the Yama Subcontractor's engagement with Yama; (b) constitutes intentional misconduct, willful wrongdoing, criminal conduct, fraud, theft, sabotage, unauthorized access, unauthorized data exfiltration, or other act committed for personal motives unrelated to the performance of the authorized Services (each, a "Rogue Act"), regardless of whether such person had authorized physical or logical access to Customer's premises, systems, or equipment at the time of the Rogue Act; (c) results from Customer's own grant of access, credentials, permissions, or physical entry to any individual beyond what Yama requested or authorized; or (d) results from Customer's failure to maintain reasonable independent security controls, credential hygiene, access logging, physical security measures, or monitoring for its own premises and systems.

23.3 Upstream Vendor Personnel; Rogue Acts

Where Yama brokers, arranges, or coordinates access for any Upstream Vendor or its personnel under Article 21, or where Customer permits any Upstream Vendor personnel (including without limitation ISP technicians, carrier field technicians, or vendor-dispatched field engineers) to access Customer's premises, systems, networks, or equipment in connection with any Yama-brokered or Customer-arranged engagement:

(a) Yama shall have no liability for any Rogue Act committed by any Upstream Vendor employee, agent, contractor, or technician, including without limitation any unauthorized access to Customer systems or data, physical damage to equipment committed outside the scope of authorized work, data theft, credential compromise, installation of unauthorized software or hardware, network reconfiguration performed without authorization, or any other intentional or criminal act; (b) Yama does not supervise, direct, control, or oversee the conduct, methods, background, or qualifications of Upstream Vendor personnel, and makes no representation regarding any Upstream Vendor's personnel vetting, background check, certification, bonding, or insurance practices; and (c) Customer's sole remedy for any Rogue Act by Upstream Vendor personnel is against the Upstream Vendor directly and, where applicable, against the individual personally. Yama shall use commercially reasonable efforts to assist Customer in identifying the responsible party and relevant insurance or bonding information upon request, but such assistance does not create any Yama liability or co-obligation.

23.4 Customer's Independent Security Obligations

Regardless of whether any Yama Subcontractor or Upstream Vendor personnel has authorized access to Customer's premises or systems, Customer remains solely responsible for:

(a) maintaining independent access logging, credential monitoring, and audit trails for all systems accessible to any third-party personnel; (b) revoking credentials, access keys, VPN profiles, physical access badges, or other access methods issued to or used by any third-party personnel promptly upon completion of the authorized work; (c) maintaining physical security measures, surveillance, and visitor escort policies for its premises; and (d) maintaining its own property, casualty, and cyber insurance coverage adequate to address losses arising from unauthorized acts of third-party personnel, regardless of who engaged such personnel.

Yama's performance of any Services does not relieve Customer of any of the foregoing obligations, and Customer's failure to maintain such controls is an intervening cause that limits or eliminates Yama's liability for any resulting loss.

23.5 Limitation of Liability; No Waiver of Article 15

Nothing in this Article 23 expands Yama's liability beyond the caps and exclusions set forth in Article 15. To the extent any claim arising from a Yama Subcontractor's authorized negligent act (as distinct from a Rogue Act) is cognizable under this Agreement, such claim remains subject to the liability cap in Section 15.2, the consequential damages waiver in Section 15.1, and all other limitations in Article 15.

Yama retains liability solely for damages caused directly and solely by Yama's own gross negligence or willful misconduct in the direct performance of expressly authorized Services, and not for the independent, unauthorized, or criminal conduct of any Yama Subcontractor or Upstream Vendor personnel.

23.6 Incident Reporting; Cooperation

If Customer becomes aware of any suspected or confirmed Rogue Act by any Yama Subcontractor or Upstream Vendor personnel, Customer shall notify Yama in writing within twenty-four (24) hours of discovery. Timely notice allows Yama to preserve evidence, engage its subcontractor's insurer or bonding company, and cooperate with law enforcement or regulatory authorities. Failure to provide timely notice may impair Yama's ability to pursue recovery on Customer's behalf and shall not be used to expand Yama's liability for the underlying incident.

24. Administrative Accounts; Credentials; Migration and Handover

24.1 Yama Administrative Accounts; No Transfer of Yama Credentials

Where Yama creates, maintains, or uses administrative accounts, credentials, API keys, management consoles, or other privileged access methods on any Customer system, platform, network, or device in connection with the Services ("Yama Admin Accounts"), such accounts are the sole and exclusive property of Yama and constitute Yama's internal operational tools for delivering the Services. Yama Admin Accounts are not Customer Equipment, are not subject to Customer's control or direction, and are not transferable to Customer, any incoming vendor, any successor IT provider, or any other third party under any circumstances.

Customer shall have no right to demand, request, require, or receive the credentials, passwords, API tokens, recovery keys, MFA codes, or any other access component of any Yama Admin Account, regardless of the reason for the request, regardless of the stage of any service transition, and regardless of any claim that such access is necessary for Customer's operations, compliance obligations, or business continuity. Any Customer demand for Yama Admin Account credentials is deemed rejected as a matter of contract and does not constitute a valid basis for a dispute, claim of non-performance, or allegation of breach.

24.2 View-Only and Compliance Secondary Accounts

Where Yama creates or provisions a secondary administrative or monitoring account on a Customer system or platform for compliance, audit, oversight, or regulatory purposes ("Secondary Account"), such Secondary Account is strictly limited to the access level, permissions, and scope expressly defined by Yama at the time of provisioning.

A Secondary Account:

(a) does not expand the scope of Services Yama is obligated to perform under any Order Form or this Agreement; (b) does not create any monitoring, alerting, remediation, incident response, or reporting obligation beyond those expressly stated in a signed Order Form or Service Level Agreement; (c) does not constitute access to or control over any Yama Admin Account; and (d) does not create any implied duty of Yama to act on any information accessible through the Secondary Account unless Yama has expressly assumed that duty in a signed Order Form.

All time spent by Yama creating, configuring, maintaining, modifying, or removing any Secondary Account constitutes billable Ad-Hoc Services under Section 4.2.

24.3 Migration Services; Handover Admin Account

Where Yama performs migration services — whether migrating Customer to an in-house IT function, to a successor service provider, to a different platform or environment, or to any other configuration ("Migration") — the following terms govern:

(a) Scope. Migration Services constitute Ad-Hoc Services under Section 4.2 and are billable at Yama's then-current rates unless a fixed Migration fee is expressly stated in a signed Order Form or Micro-SOW. Migration Services are out of scope under any existing subscription or managed service commitment unless expressly included in writing.

(b) Handover Admin Account. As part of a Migration, Yama will create a new, separate administrative account ("Handover Admin Account") with the permissions and access levels reasonably necessary for the incoming party to assume management of the applicable systems, platforms, or environments. The Handover Admin Account is distinct from and does not constitute any Yama Admin Account.

(c) Customer and Incoming Vendor Responsibility. The Handover Admin Account becomes Customer's sole responsibility immediately upon creation and delivery of credentials to Customer or Customer's designated successor. Customer is solely responsible for securing, rotating, auditing, and managing the Handover Admin Account credentials from the moment of delivery. Yama has no responsibility for any act, omission, breach, compromise, or misuse of the Handover Admin Account after delivery.

(d) Deletion of Yama Admin Account. Following completion of the agreed Migration scope and Yama's reasonable confirmation that the Handover Admin Account is operational, Yama will delete or deactivate all Yama Admin Accounts associated with the migrated systems, platforms, or environments. Deletion of the Yama Admin Account constitutes Yama's completion of the access transition component of the Migration.

(e) Post-Deletion Liability Cutoff. Upon deletion or deactivation of all applicable Yama Admin Accounts, Yama's obligations with respect to the migrated systems, platforms, and environments terminate. Yama has no liability for any condition, configuration, vulnerability, breach, incident, outage, data loss, or failure arising from or relating to the migrated environment after the deletion date, regardless of whether such condition pre-existed the Migration or was introduced during or after the Migration by Customer, the incoming vendor, or any third party.

(f) No Obligation to Retain Access. Yama has no obligation to maintain any access, credentials, or administrative capability with respect to any migrated system or environment following completion of the Migration, and Customer may not require Yama to retain or escrow any access method, credential, or recovery key for any migrated system.

24.4 Configuration Documentation; Data Export

Where Yama's Migration Services include export of configuration data, network topology documentation, system inventory, or similar technical documentation ("Configuration Export"), such Configuration Export constitutes a Deliverable under this Agreement and is subject to the acceptance and warranty provisions of Sections 4.1 and 14.1 respectively.

Yama's obligation is limited to providing a commercially reasonable Configuration Export in Yama's standard format or in a mutually agreed format stated in the applicable Order Form. Yama makes no warranty that any Configuration Export will be fully compatible with, or sufficient for import into, any platform, tool, or environment operated by Customer or any incoming vendor. All time spent preparing, formatting, validating, or transmitting any Configuration Export is billable.

24.5 Timing; Customer Cooperation

Customer shall cooperate fully and timely with all Migration activities, including by providing access, scheduling windows, approvals, and designated points of contact. Yama's Migration obligations are conditioned on Customer's timely cooperation and on the incoming vendor's (if any) timely readiness to receive the Handover Admin Account and associated configurations.

Any delay caused by Customer's lack of cooperation, the incoming vendor's unavailability or unreadiness, scheduling conflicts, system incompatibilities, or third-party dependencies shall not constitute a breach by Yama, and all resulting additional time and expense are billable as Ad-Hoc Services under Section 4.2.

24.6 No Implied Post-Migration Support

Yama's completion of a Migration does not create any obligation to provide post-migration support, monitoring, troubleshooting, validation, or assistance unless expressly agreed in a signed Order Form or Micro-SOW. Any post-migration support requested by Customer or the incoming vendor is reactive, discretionary, and billable as Ad-Hoc Services under Section 4.2.

25. Supply Chain Security; Vendor-Introduced Compromise; Zero-Day Vulnerabilities; Nation-State and Advanced Persistent Threat Events

25.1 Scope and Purpose

This Article addresses Yama's liability — and the allocation of risk between the parties — with respect to security incidents, data breaches, system compromises, and related losses arising from: (a) supply chain attacks targeting software or hardware manufacturers, developers, distributors, or vendors whose products or services Yama deploys, supports, recommends, or procures on Customer's behalf; (b) zero-day and undisclosed vulnerabilities in third-party products; (c) compromised firmware, hardware implants, or hardware-level backdoors introduced by a manufacturer or distributor prior to Yama's possession, deployment, or recommendation; and (d) nation-state, state-sponsored, advanced persistent threat, or other sophisticated cyberattack campaigns targeting shared infrastructure, vendor ecosystems, or industry-wide platforms (collectively, "Supply Chain and Advanced Threat Events").

25.2 No Warranty Against Supply Chain Compromise

Yama makes no representation, warranty, or guarantee that any software, firmware, hardware, appliance, platform, subscription service, monitoring tool, management console, security product, or other technology that Yama deploys, installs, configures, recommends, procures, or manages on Customer's behalf is free from supply chain compromise, manufacturer-introduced vulnerabilities, developer-level backdoors, firmware-level implants, compromised update mechanisms, or any other condition introduced into the product or service prior to, during, or after Yama's engagement with such product or service.

This disclaimer applies regardless of:

(a) the reputation, market standing, or certification status of the vendor, developer, or manufacturer; (b) whether Yama recommended, specified, procured, or installed the affected product or service; (c) whether the affected product or service was under an active Yama-support subscription at the time of compromise; or (d) whether the supply chain compromise was publicly known, privately disclosed, or undisclosed at the time of Yama's deployment or management of the affected product.

25.3 Vendor-Introduced Compromise; Deployed Tools

Where Yama deploys, installs, configures, or manages any third-party software tool, agent, platform, or application on Customer's systems, networks, or devices — including without limitation remote monitoring and management (RMM) agents, network management platforms, unified communications software, security information and event management (SIEM) tools, endpoint detection agents, firewall management consoles, cloud management platforms, or any similar tool — and such tool is subsequently determined to have been compromised at the vendor, developer, distributor, or update-delivery level prior to or during its authorized use ("Vendor-Introduced Compromise"), the following applies:

(a) Yama's deployment, installation, configuration, or support of the compromised tool does not constitute negligence, breach of contract, breach of warranty, or violation of any duty of care owed to Customer, provided that Yama's deployment of the tool was consistent with ordinary industry practice at the time of deployment;

(b) Yama has no liability for any loss, damage, data breach, regulatory penalty, notification obligation, business interruption, or other consequence arising from or relating to a Vendor-Introduced Compromise, regardless of whether such compromise was exploited before or after Yama became aware of the compromise;

(c) Yama's sole obligation upon becoming aware of a confirmed or credible Vendor-Introduced Compromise affecting tools deployed in Customer's environment is to notify Customer within a commercially reasonable time and to use commercially reasonable efforts to assist in remediating or replacing the affected tool, which remediation and replacement constitute billable Ad-Hoc Services under Section 4.2; and

(d) Customer acknowledges that Yama, as a service provider, may deploy the same or similar tools across multiple customer environments, and that a Vendor-Introduced Compromise may simultaneously affect multiple Yama customers; Yama's prioritization of remediation efforts across its customer base in such circumstances shall not constitute a breach of any obligation owed to Customer.

25.4 Hardware Supply Chain; Firmware and Implants

Yama makes no representation or warranty regarding the integrity, authenticity, or security of the hardware, firmware, embedded software, microcode, or manufacturing provenance of any device, appliance, component, or equipment that Yama procures, recommends, deploys, or supports, including without limitation network appliances, firewalls, routers, switches, access points, servers, storage devices, telephony equipment, cameras, IoT devices, or endpoint devices.

Yama has no obligation to perform hardware supply chain audits, firmware integrity verification, component authenticity testing, or manufacturer provenance investigation with respect to any device, unless such obligation is expressly stated in a signed Order Form. Yama is not liable for any loss, compromise, breach, or failure arising from hardware-level supply chain compromise, counterfeit components, backdoored firmware, or implanted hardware introduced by any manufacturer, distributor, reseller, or logistics participant, regardless of whether Yama procured, recommended, or installed the affected hardware.

25.5 Zero-Day and Undisclosed Vulnerabilities

Yama has no obligation to detect, prevent, or remediate any security vulnerability that was not publicly disclosed or otherwise known to the information security community as of the date on which Yama last performed the relevant configuration, support, patching, or security-related service for the affected system ("Zero-Day Vulnerability").

Yama is not liable for any loss, damage, breach, or failure arising from exploitation of a Zero-Day Vulnerability, regardless of whether:

(a) the Zero-Day Vulnerability existed in a product or system under an active Yama support subscription; (b) the Zero-Day Vulnerability was subsequently disclosed and Yama was not immediately aware of such disclosure; (c) a patch, workaround, or mitigation for the Zero-Day Vulnerability was available from the vendor but had not yet been applied by Yama; or (d) exploitation of the Zero-Day Vulnerability occurred during a period when Yama held administrative access to the affected system.

Notwithstanding the foregoing, where Yama has assumed an express patching obligation for a specific system under a signed Order Form or Service Level Agreement, Yama's liability for failure to apply a publicly released patch within the timeframe specified in such Order Form or Service Level Agreement remains governed by Article 14 and Article 15 and is not expanded by this Section.

25.6 Nation-State, State-Sponsored, and Advanced Persistent Threat Events

Yama has no liability for any loss, damage, breach, compromise, data exfiltration, system destruction, or service disruption arising from any cyberattack, intrusion, or campaign attributable to, sponsored by, directed by, or carried out by or on behalf of any national government, government agency, state-sponsored group, military or intelligence organization, or advanced persistent threat ("APT") actor, regardless of:

(a) whether such attack targeted Customer specifically, Yama specifically, or a broader vendor ecosystem of which Customer or Yama is a part; (b) whether Yama held administrative access to the affected systems at the time of the attack; (c) whether the attack exploited a known or unknown vulnerability in a system under Yama's management; (d) whether the attack originated through a supply chain vector, a Vendor-Introduced Compromise, or a direct intrusion; or (e) whether any governmental authority subsequently attributes the attack to a nation-state or APT actor after the fact.

Nation-state and APT attacks constitute Force Majeure Events within the meaning of Article 17 and independently constitute events excluded from Yama's liability under this Article 25, such that both Article 17 and this Article 25 apply concurrently to the same event.

25.7 Customer's Independent Cyber Insurance Obligation

Customer acknowledges that Supply Chain and Advanced Threat Events of the type described in this Article 25 represent a category of risk that is:

(a) beyond the reasonable control of any service provider; (b) industry-wide in scope and not specific to Yama's performance; and (c) appropriately addressed through Customer's own cyber liability insurance, property insurance, and business interruption insurance coverage.

Customer is solely responsible for maintaining cyber liability insurance coverage adequate to address losses arising from Supply Chain and Advanced Threat Events, and Customer's failure to maintain such coverage does not expand Yama's liability under this Agreement.

25.8 Remediation Services; Incident Response

Where Customer requests Yama's assistance in responding to, investigating, containing, or remediating any Supply Chain or Advanced Threat Event, all such assistance constitutes Ad-Hoc Services under Section 4.2 and is billable at Yama's then-current rates unless a specific incident response engagement is separately scoped and signed. Yama has no obligation to provide incident response, forensic investigation, regulatory notification assistance, or remediation services absent a separate written engagement.

25.9 Transitive and Indirect Dependencies

The protections set forth in Section 25.3 apply equally to any compromise, vulnerability, or malicious payload introduced through any dependency, sub-dependency, transitive dependency, or indirect dependency of any software, tool, agent, platform, or application that Yama deploys, installs, configures, or supports, regardless of whether Yama had direct knowledge of the existence, identity, or version of such transitive or indirect dependency at the time of deployment or management.

Customer acknowledges that modern software tools, management platforms, monitoring agents, and development frameworks routinely incorporate complex dependency chains comprising hundreds or thousands of individual packages, libraries, and modules, many of which are maintained by independent third parties outside of any software vendor's direct control. Yama has no obligation to audit, inventory, verify, or monitor the security integrity of any transitive or indirect dependency of any software it deploys or supports, and the compromise of any such transitive or indirect dependency — including without limitation through maintainer account hijacking, malicious package publication, dependency confusion attacks, or poisoned update delivery — constitutes a Vendor-Introduced Compromise within the meaning of Section 25.3, subject to all exclusions and protections set forth therein.