Operational Resilience Checkup — Engagement Agreement
Version 1.0 — March 2026
Engagement Summary
Client
| Field | Details |
|---|---|
| Legal Name | [Client Legal Name] |
| Address | [Client Address] |
| Point of Contact | [Name, Title, Email, Phone] |
Provider
| Field | Details |
|---|---|
| Legal Name | Solanasis LLC (DBA Solanasis) |
| Address | [ADDRESS PLACEHOLDER] |
| Contact | Dmitri Sunshine, hi@solanasis.com |
Engagement Details
| Field | Details |
|---|---|
| Effective Date | [Date] |
| Engagement | Operational Resilience Checkup |
| User Count | [X] users |
| Pricing Tier | [S / M / L / XL] |
| Fixed Fee | $[Amount] |
| Payment Schedule | 50% upon signing ([Amount]) |
| Timeline | 10 business days from receipt of required access |
This Engagement Agreement (“Agreement”) is entered into as of the Effective Date by and between:
Solanasis LLC (DBA Solanasis), a Colorado limited liability company, [ADDRESS PLACEHOLDER] (“Solanasis”)
and
[Client Legal Name], a [State] [entity type], [Client Address] (“Client”)
(each a “Party,” together the “Parties”).
1. What We’re Doing
In plain terms: Solanasis will spend 10 business days assessing your organization’s operational resilience — covering identity and access, email security, endpoints, backups, and operational readiness. This includes at least one real restore test to verify your backups actually work. You’ll receive a clear set of deliverables with prioritized next steps.
1.1 Scope of Services
Solanasis will perform the following services (“Services”):
(a) Discovery and Intake — Kickoff call with your team, intake review, stakeholder alignment, and access setup.
(b) Baseline Assessment across these domains:
- Identity and Access Management — Admin roles, MFA/2FA enforcement, SSO status, shared accounts
- Email and Collaboration Security — Configuration baseline, external forwarding controls, external sharing settings
- Endpoint Baseline — Device inventory, patch and update posture, disk encryption status (as available based on tools in use)
- SaaS Posture — Admin access patterns and configurations across your primary business tools
- Backup and Restore Readiness — Coverage overview, retention settings, backup solution review
- Operational Readiness — Roles, escalation procedures, critical workflow mapping
(c) Restore Verification — At least one real restore test, executed to a safe or sandbox location, with documented results including time-to-restore measurement. The specific restore target (file restore, mailbox recovery, VM/server, or SaaS dataset) will be agreed upon during the kickoff call.
(d) Quick Wins — Up to four (4) hours total of safe, reversible improvements, performed only with mutual written agreement. Examples include:
- Enforcing MFA for admin accounts
- Disabling or tightening external auto-forwarding rules
- Reducing over-privileged admin roles
- Configuring backup alerts to a shared mailbox or channel
- Creating a basic incident contact tree and escalation sheet
- Drafting or updating a restore runbook based on the test
Any work beyond this four-hour allowance requires a separate Change Order (see Section 6.4).
(e) Synthesis and Delivery — Analysis of all findings and production of the deliverables listed in Section 2.
1.2 What’s NOT Included
The following are explicitly outside the scope of this engagement:
- Penetration testing, red teaming, or active exploitation of vulnerabilities
- Formal compliance audits or certifications (SOC 2, HIPAA, PCI DSS, ISO 27001, CMMC, or any other framework)
- Large-scale remediation, system migrations, or implementation projects
- Application security testing or source code review
- Ongoing monitoring, managed security services, or managed IT services
- Legal, regulatory, or compliance advice
- Incident response services (see Section 11 for the breach discovery protocol)
- Any work beyond the domains and quick-win allowance described above
Additional services may be engaged under a separate agreement or Change Order.
2. What You’ll Receive
In plain terms: You’ll get five deliverables — an executive summary for leadership, a prioritized risk register, a 90-day action plan, a maturity scorecard, and a documented restore runbook proving your backup actually works.
Solanasis will deliver the following upon completion of the Services:
| # | Deliverable | Format | Primary Audience |
|---|---|---|---|
| 1 | Executive Summary — Overall posture ratings, restore test result, top risks, top 30-day actions, and decisions needed from leadership | PDF (1–2 pages) | Leadership / Board |
| 2 | Risk Register — Prioritized findings with impact, likelihood, evidence summary, recommendations, effort estimates, and target timeframes | Spreadsheet | IT / Operations |
| 3 | 30/60/90 Action Plan — Time-phased roadmap with priorities, owner types, dependencies, and rationale | Spreadsheet | IT / Operations / Leadership |
| 4 | Maturity Scorecard — Current-state rating per domain (1–5 scale) with observations and description of target maturity | Spreadsheet | IT / Leadership |
| 5 | Restore Verification Report and Runbook — Documented restore test execution, results (pass/partial/fail), findings, and repeatable procedure for future drills | Document + Spreadsheet | IT / Operations |
All deliverables are based on conditions observed during the assessment period and the information and access provided by the Client.
2.1 Professional Standards
Solanasis will prepare all deliverables in a professional and workmanlike manner consistent with generally accepted practices in the cybersecurity and IT consulting industry. If the Client identifies factual errors in the deliverables within thirty (30) days of delivery, Solanasis will correct them at no additional charge. This is not a warranty that the findings are complete or that following recommendations will prevent incidents (see Section 9).
3. Timeline
In plain terms: The engagement takes 10 business days, starting when you give us the access we need. If access is delayed, the timeline shifts accordingly — but the fee stays the same.
3.1 Start Date
The 10-business-day engagement period (“Engagement Period”) begins on the date Solanasis confirms receipt of sufficient access to perform the Services (“Start Date”). Solanasis will confirm the Start Date in writing (email is sufficient).
3.2 Engagement Calls
The Client agrees to make the following personnel available during the Engagement Period:
| Call | When | Duration | Required Attendees |
|---|---|---|---|
| Kickoff | Day 1 | 45–60 min | Client POC + relevant stakeholders |
| Mid-Check | Days 3–4 | 20–30 min | Client POC (minimum) |
| Leadership Readout | Day 10 | 45–60 min | Client POC + leadership (CEO/ED and operations lead, at minimum) |
The Leadership Readout is the primary delivery event. Solanasis strongly recommends booking this date at the start of the engagement to secure leadership attendance.
3.3 Delays
If the Client does not provide required access or scheduling availability within five (5) business days of the Effective Date, Solanasis may adjust the timeline by written notice. Delays caused by the Client do not reduce the Fixed Fee or extend the quick-win allowance. If access has not been provided within fifteen (15) business days of the Effective Date, either Party may terminate this Agreement under Section 14.
4. Your Responsibilities
In plain terms: For us to do our best work, we need a few things from you — a main point of contact, timely access to your systems, honest information, and leadership attendance at the final readout. The quality of our findings depends directly on the quality of the information and access you provide.
The Client agrees to:
(a) Designate a Point of Contact (“POC”) identified in the Engagement Summary, who has the authority to grant system access, answer questions, schedule meetings, and make day-to-day decisions on the Client’s behalf during the engagement.
(b) Provide access to the systems, tools, platforms, and information reasonably necessary for the Services, as described in the Access Checklist provided by Solanasis (see Exhibit A). Access should be granted within five (5) business days of the Effective Date.
(c) Attend all three engagement calls (kickoff, mid-check, and leadership readout) or provide qualified alternates with reasonable advance notice.
(d) Ensure leadership attendance at the Day 10 readout. This is the primary delivery event where findings, risks, and recommended actions are presented. Decisions captured during this meeting shape the 30/60/90 plan.
(e) Provide accurate and complete information to the best of the Client’s knowledge. Solanasis’s findings are only as reliable as the information and access provided by the Client.
(f) Maintain backups of the Client’s own systems before any restore test or quick-win activity is performed. Solanasis will coordinate timing but is not responsible for data loss resulting from the Client’s failure to maintain adequate backups.
(g) Notify Solanasis promptly of any changes in personnel, systems, or circumstances that may affect the engagement.
5. Access and Data Handling
In plain terms: We’ll use the minimum access needed, keep everything secure, and remove all access when we’re done. Any evidence in your deliverables will have sensitive details redacted. We don’t keep your data any longer than necessary.
5.1 Access Model
(a) Solanasis will request only the access necessary to perform the Services described in Section 1.
(b) The default access level is read-only. Temporary elevated access (e.g., for executing a restore test) will only be requested when necessary and requires the Client’s written approval (email is sufficient).
(c) All access credentials will be shared through a secure method — password manager, encrypted channel, or equivalent. Credentials will never be transmitted via unencrypted email or text message.
(d) All access will be time-limited to the Engagement Period plus five (5) business days for closeout. The Client and Solanasis will cooperate to revoke all access promptly at the conclusion of the engagement.
(e) Solanasis personnel accessing Client systems will use multi-factor authentication where supported by the Client’s environment.
5.2 Data Handling
(a) Solanasis will not extract, copy, or store Client data beyond what is necessary to produce the deliverables and support the Services.
(b) All evidence included in deliverables will be sanitized — credentials, personally identifiable information (PII), detailed system logs, and other sensitive details will be redacted, obscured, or summarized.
(c) Solanasis will not sell, share, license, or use Client data for any purpose other than performing the Services under this Agreement.
(d) Upon completion of the engagement, Solanasis will securely delete working copies of Client data (including notes, screenshots, exports, and temporary files) within thirty (30) days of delivering the final deliverables. The Client may request earlier deletion in writing.
(e) If the Client’s environment contains personal data subject to the Colorado Privacy Act (C.R.S. §6-1-1301 et seq.) or other data protection regulations, the Parties will execute an appropriate Data Processing Addendum before Solanasis accesses such data.
(f) If the Client is a Covered Entity or Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), the Parties will execute an appropriate Business Associate Agreement (BAA) before Solanasis accesses any Protected Health Information (PHI).
(g) Solanasis will not submit Client Confidential Information — including system configurations, credentials, security findings, or personal data — to third-party AI, machine learning, or large language model services without the Client’s prior written consent. Internal use of AI tools for drafting and synthesis is permitted only with anonymized or de-identified data.
5.3 Security of Solanasis Systems
Solanasis will use commercially reasonable security measures to protect Client information stored on or transmitted through Solanasis’s own systems, including encryption in transit and at rest, access controls, and secure disposal practices.
5.4 Solanasis Breach Notification
If Solanasis becomes aware of a security incident affecting its own systems that results in unauthorized access to, disclosure of, or loss of Client Confidential Information, Solanasis will:
(a) Notify the Client’s POC within forty-eight (48) hours of becoming aware of the incident;
(b) Provide a written description of the incident, the types of Client information affected, and the steps being taken to contain and remediate the incident;
(c) Cooperate with the Client’s response efforts, including supporting the Client’s obligations under Colorado’s breach notification statute (C.R.S. §6-1-716) or other applicable law; and
(d) Take commercially reasonable steps to prevent recurrence.
This obligation survives termination or expiration of this Agreement.
6. Fees and Payment
In plain terms: The fee is fixed at the amount in the Engagement Summary. Half is due when you sign this agreement, half when we deliver the final deliverables. If we discover unexpected complexity in the first two days, we’ll discuss a scope adjustment — but the price only changes if you agree in writing.
6.1 Fixed Fee
The total fee for the Services is the Fixed Fee stated in the Engagement Summary. This fee includes all standard costs of performing the Services.
6.2 Payment Schedule
| Milestone | Amount | When Due |
|---|---|---|
| Execution of this Agreement | 50% of Fixed Fee | Due upon signing |
| Delivery of final deliverables | 50% of Fixed Fee | Net 15 (within 15 calendar days of invoice date) |
“Delivery” means the date Solanasis delivers the final deliverables to the Client, which typically occurs on or shortly after the Day 10 leadership readout. Solanasis will issue an invoice for each milestone.
Payment may be made by ACH bank transfer, wire transfer, check, or credit card. The Client is responsible for any transaction fees charged by the Client’s payment processor.
6.3 Late Payment
Invoices not paid within the stated terms will accrue interest at the rate of 1.5% per month (18% annually), or the maximum rate permitted by Colorado law, whichever is lower, calculated from the original due date until paid in full.
If any invoice is more than thirty (30) days overdue, Solanasis may, at its discretion: (a) suspend work until payment is received, or (b) terminate this Agreement under Section 14.2. Suspension of work due to nonpayment does not extend the Engagement Period or reduce the Fixed Fee.
6.4 Complexity Adjustments
If Solanasis identifies material additional complexity during the first two (2) business days of the Engagement Period — such as hybrid or on-premises infrastructure, multi-tenant environments, acquisition-related complications, or extensive compliance documentation expectations — Solanasis may propose a fee adjustment via a written Change Order.
The Change Order will specify: (a) the nature of the additional complexity, (b) the adjusted fee, and (c) any scope or timeline changes.
If the Client does not approve the Change Order by end of Day 3, the original Fixed Fee and scope apply without modification. If complexity is confirmed but the Client declines the fee adjustment, Solanasis may propose an alternative Change Order that reduces scope to match the original Fixed Fee.
6.5 Expenses
The Fixed Fee includes all standard costs. Any travel or out-of-pocket expenses (if applicable) must be pre-approved by the Client in writing and will be invoiced at actual cost with supporting receipts.
7. Confidentiality
In plain terms: We both keep each other’s information confidential. If you’ve already signed our Mutual NDA, those terms apply here too — and this section reinforces them with additional protections specific to the engagement.
7.1 Mutual NDA
If the Parties have executed a separate Mutual Non-Disclosure Agreement (“NDA”), the terms of that NDA are incorporated into this Agreement by reference and apply to all Confidential Information exchanged in connection with the Services. In the event of a conflict between the NDA and this Section, the more protective provision will control.
7.2 Additional Confidentiality Obligations
In addition to any NDA, both Parties agree that:
(a) All findings, reports, deliverables, work product, and communications related to the Services are confidential.
(b) Neither Party will publicly disclose the specific terms of this engagement (including fees) without the other Party’s prior written consent.
(c) Solanasis may reference the Client as a customer in general terms (e.g., “a professional services firm in Colorado”) for marketing purposes, but will not use the Client’s name, logo, specific findings, or engagement details without prior written consent.
(d) The Client will not share Solanasis’s deliverables, methodologies, or proprietary frameworks with third parties (other than the Client’s own legal and professional advisors) without Solanasis’s prior written consent.
7.3 Permitted Disclosures
Either Party may disclose Confidential Information: (a) to its employees, contractors, and professional advisors who need to know the information and who are bound by obligations of confidentiality at least as protective as this Section; or (b) as required by law, regulation, or court order, provided the disclosing Party gives reasonable prior written notice (where legally permitted) to allow the other Party to seek a protective order.
7.4 Survival
Confidentiality obligations under this Section survive termination or expiration of this Agreement for three (3) years. For trade secrets, confidentiality obligations continue for as long as the information qualifies as a trade secret under applicable law.
8. Who Owns What
In plain terms: You own the deliverables we create for you — they’re yours to use however you need. We retain ownership of our tools, frameworks, and general know-how that existed before this engagement, but we license you to use any of our background IP that’s embedded in your deliverables.
8.1 Client Ownership of Deliverables
Upon full payment of the Fixed Fee, the Client owns all rights, title, and interest in the deliverables produced under this Agreement (listed in Section 2), including the Executive Summary, Risk Register, 30/60/90 Action Plan, Maturity Scorecard, and Restore Report/Runbook. The Client may use, modify, copy, and distribute these deliverables for any internal business purpose.
8.2 Solanasis Retained IP
Solanasis retains all rights, title, and interest in:
(a) All pre-existing intellectual property, including methodologies, assessment frameworks, templates, tools, checklists, and processes that existed before this engagement or were developed independently of this engagement (“Background IP”); and
(b) General knowledge, skills, techniques, and experience gained or refined during the engagement — provided that no Client Confidential Information is disclosed or incorporated.
8.3 License Grant
Solanasis grants the Client a non-exclusive, perpetual, irrevocable, royalty-free license to use any Background IP that is embedded within or necessary to use the deliverables, solely for the Client’s internal business purposes.
8.4 No Other Rights
Except as expressly stated in this Section, neither Party grants the other any rights in its intellectual property.
9. No Guarantees
In plain terms: We’re thorough and we take this seriously, but no assessment can catch every risk or prevent every future incident. This is a snapshot based on what we can see during our 10 days with the access you provide. It’s not an insurance policy, and it’s not a substitute for a formal audit. You’re responsible for deciding what to do with our findings.
9.1 Point-in-Time Assessment
The Services represent a point-in-time assessment based on the information, access, systems, and conditions available during the Engagement Period. Findings and recommendations reflect the state of the Client’s environment as observed during the assessment and may not account for changes that occur before, during, or after the Engagement Period.
9.2 No Guarantee of Security
No security or resilience assessment can guarantee the identification of all vulnerabilities, risks, misconfigurations, or deficiencies, or prevent future security incidents, data breaches, system outages, or data losses. Solanasis will use commercially reasonable efforts to identify material risks within the agreed scope, but does not warrant that the assessment is exhaustive or that the Client’s environment will be secure following the engagement.
9.3 Not a Compliance Audit
The Services do not constitute a formal compliance audit, assessment, or certification under any regulatory or industry framework, including but not limited to SOC 2, HIPAA, PCI DSS, ISO 27001, NIST Cybersecurity Framework, CMMC, FedRAMP, or the Colorado Privacy Act. Findings may inform the Client’s compliance efforts but do not certify compliance and are not a substitute for a formal audit conducted by a qualified auditor.
9.4 Not Legal Advice
Nothing in the deliverables or in any communication from Solanasis constitutes legal, regulatory, tax, or compliance advice. The Client should consult qualified legal counsel for such matters.
9.5 Client Responsibility for Decisions
The Client is solely responsible for:
(a) Deciding which recommendations to implement, and which to accept as residual risk;
(b) Prioritizing and resourcing implementation activities;
(c) All operational and business decisions made based on the deliverables; and
(d) Ongoing security and operational resilience after the Engagement Period ends.
Solanasis is not liable for the Client’s decisions regarding implementation or non-implementation of any recommendation.
10. Limitation of Liability
In plain terms: If something goes wrong, the most either of us can owe the other is the total fee for this engagement. Neither side is on the hook for indirect losses like lost profits, lost revenue, or business interruption — even if we warned each other those losses were possible. There are limited exceptions for breaches of confidentiality, gross negligence, and intentional misconduct.
10.1 Cap on Liability
The total aggregate liability of either Party arising out of or related to this Agreement — regardless of the number of claims, the cause of action, or the theory of liability (whether in contract, tort, negligence, strict liability, or otherwise) — will not exceed the total Fixed Fee actually paid or payable under this Agreement.
10.2 Exclusion of Consequential Damages
Neither Party will be liable to the other for any indirect, incidental, consequential, special, punitive, or exemplary damages, including but not limited to:
- Lost profits or lost revenue
- Loss of data or data corruption
- Business interruption or loss of business opportunity
- Cost of procurement of substitute services
- Reputational harm or loss of goodwill
This exclusion applies regardless of the theory of liability and even if the Party has been advised of the possibility of such damages.
10.3 Exceptions
The limitations in Sections 10.1 and 10.2 do not apply to:
(a) Either Party’s breach of confidentiality obligations (Section 7), for which the liability cap is two times (2x) the Fixed Fee;
(b) Either Party’s indemnification obligations for third-party intellectual property infringement claims;
(c) Damages arising from either Party’s fraud, gross negligence, or willful misconduct; or
(d) Either Party’s obligation to pay fees or amounts expressly due under this Agreement.
10.4 Basis of the Bargain
The Parties acknowledge and agree that the limitations and exclusions in this Section reflect a fair and reasonable allocation of risk between the Parties, are a fundamental element of the basis of the bargain, and were a material factor in determining the Fixed Fee. These limitations will apply to the fullest extent permitted by applicable law.
11. If We Discover Something Serious
In plain terms: If during our assessment we find signs that your systems may be actively compromised — an ongoing breach, unauthorized access, or similar — we’ll notify you within 24 hours. But stopping a breach is a different kind of engagement. You’ll need to bring in incident response resources for that (which could be us under a separate agreement, or another firm).
11.1 Active Breach Discovery
If, during the course of performing the Services, Solanasis discovers indicators reasonably suggesting an active security breach, ongoing unauthorized access, or evidence of a system compromise, Solanasis will:
(a) Notify the Client’s POC within twenty-four (24) hours of discovery, using the most expedient means available (phone, followed by written confirmation);
(b) Document the indicators observed in a brief written summary (without conducting a forensic investigation or attempting remediation); and
(c) Pause assessment activities related to the affected systems until the Client provides written direction on how to proceed.
11.2 No Incident Response Obligation
This notification does not create any obligation for Solanasis to contain, remediate, investigate, or respond to the potential breach beyond the notification and documentation described in Section 11.1. The Client is responsible for engaging appropriate incident response resources.
11.3 Cooperation
Solanasis will reasonably cooperate with the Client’s incident response efforts to the extent such cooperation: (a) does not materially interfere with the remaining Services, (b) does not require Solanasis to assume liability or responsibility beyond the scope of this Agreement, and (c) is covered by appropriate legal protections (e.g., attorney-client privilege, if applicable).
11.4 Timeline Impact
If an active breach discovery causes a pause in the Services, the Parties will mutually agree on an adjusted timeline. Such a pause does not reduce the Fixed Fee unless the Parties agree otherwise in writing.
12. Indemnification
In plain terms: If a third party (not one of us) brings a legal claim against one of us because of something the other did or failed to do under this agreement, the responsible party covers the legal costs and any damages.
12.1 Mutual Indemnification
Each Party (“Indemnifying Party”) agrees to defend, indemnify, and hold harmless the other Party and its officers, directors, members, employees, and agents (“Indemnified Party”) from and against any third-party claims, suits, demands, damages, losses, liabilities, and reasonable expenses (including attorneys’ fees) arising from:
(a) The Indemnifying Party’s material breach of this Agreement;
(b) The Indemnifying Party’s gross negligence or willful misconduct in connection with this Agreement; or
(c) The Indemnifying Party’s violation of applicable law in connection with this Agreement.
12.2 Additional Client Indemnification
The Client additionally agrees to indemnify and hold harmless Solanasis from third-party claims arising from:
(a) The Client’s knowing decision not to implement recommendations that Solanasis identified as critical in the deliverables, where such non-implementation is a direct and primary contributing factor to the third-party claim; or
(b) The Client’s failure to maintain adequate backups of its own systems before a restore test or quick-win activity, after Solanasis has requested confirmation of such backups.
12.3 Process
The Indemnified Party will: (a) notify the Indemnifying Party promptly in writing of the claim (provided that a delay in notice does not relieve the Indemnifying Party’s obligations except to the extent the delay materially prejudices the defense); (b) give the Indemnifying Party reasonable control of the defense and settlement (provided the Indemnifying Party may not settle any claim that admits fault on behalf of the Indemnified Party or imposes obligations on the Indemnified Party without the Indemnified Party’s written consent); and (c) cooperate reasonably in the defense at the Indemnifying Party’s expense.
The Indemnified Party may participate in the defense with counsel of its own choosing and at its own expense.
13. Insurance
In plain terms: We carry professional liability insurance to protect both of us in case something goes wrong. “Per occurrence” means the maximum our insurer will pay for a single incident. “Aggregate” means the maximum across all incidents in a policy year. We’ll provide proof of coverage if you ask.
Solanasis will obtain and maintain, at its own expense, professional liability insurance (Technology Errors and Omissions) with coverage of at least 1,000,000 in the aggregate during the term of this Agreement and for a period of one (1) year following completion of the Services.
Solanasis will provide a certificate of insurance upon the Client’s written request within ten (10) business days.
14. Termination
In plain terms: Either of us can end this agreement. If it ends early, you pay for the work we’ve done so far (pro-rated), and we hand over everything we’ve produced to that point. Certain obligations — like confidentiality, liability limits, and IP ownership — survive even after the agreement ends.
14.1 Termination for Convenience
Either Party may terminate this Agreement for any reason by providing five (5) business days’ written notice to the other Party.
14.2 Termination for Cause
Either Party may terminate this Agreement immediately upon written notice if the other Party:
(a) Materially breaches this Agreement and fails to cure the breach within five (5) business days of receiving written notice specifying the breach; or
(b) Materially breaches its confidentiality obligations under Section 7, in which case termination is effective immediately without a cure period; or
(c) Becomes insolvent, files for bankruptcy, or has a receiver or trustee appointed for a substantial part of its assets.
14.3 Effect of Termination
Upon termination for any reason:
(a) Payment. The Client will pay for all Services satisfactorily performed through the effective date of termination, calculated on a pro-rata basis (percentage of the Engagement Period completed, applied to the Fixed Fee). If the Client has prepaid more than the pro-rata amount, Solanasis will refund the excess within fifteen (15) days of the termination date.
(b) Deliverables. Solanasis will deliver all work product completed as of the termination date within five (5) business days.
(c) Access. All access credentials will be revoked in accordance with Section 5.1(d), and all Client data will be handled in accordance with Section 5.2(d).
14.4 Survival
The following Sections survive termination or expiration of this Agreement: Section 5.4 (Solanasis Breach Notification), Section 7 (Confidentiality), Section 8 (Intellectual Property), Section 9 (No Guarantees), Section 10 (Limitation of Liability), Section 12 (Indemnification), Section 13 (Insurance), Section 16 (Dispute Resolution), Section 18 (General Provisions), and Section 19 (Representations and Warranties).
15. Relationship of the Parties
In plain terms: We’re an independent contractor — not your employee, partner, or agent. We decide how and when we do the work. If we use any subcontractors, we’re still fully responsible for the quality and confidentiality of the work.
15.1 Independent Contractor
Solanasis is an independent contractor. Nothing in this Agreement creates an employment, partnership, joint venture, franchise, or agency relationship between the Parties. Neither Party has the authority to bind the other or make commitments on the other’s behalf.
15.2 Taxes and Benefits
Solanasis is solely responsible for all taxes (including self-employment taxes), insurance, and benefits related to Solanasis and its personnel. The Client will not withhold any taxes from payments to Solanasis.
15.3 Subcontractors
Solanasis may engage qualified subcontractors to assist in performing the Services, provided that: (a) Solanasis remains fully responsible for the quality and timeliness of all work performed by subcontractors; (b) all subcontractors are bound by confidentiality obligations at least as protective as those in this Agreement; and (c) Solanasis notifies the Client before any subcontractor accesses the Client’s systems or Confidential Information. The Client may object to a specific subcontractor within three (3) business days of notification, and Solanasis will make reasonable efforts to accommodate the objection.
15.4 No Exclusivity
This Agreement does not prevent either Party from entering into similar agreements or business relationships with other parties.
16. Dispute Resolution
In plain terms: If we disagree about something, let’s talk it through first. If that doesn’t resolve it, we’ll bring in a mediator. Court is the last resort. Colorado law applies, and any proceedings happen in Boulder County.
16.1 Governing Law
This Agreement is governed by and construed in accordance with the laws of the State of Colorado, without regard to its conflict-of-law principles.
16.2 Informal Resolution
The Parties will first attempt to resolve any dispute arising under this Agreement through good-faith discussion between their respective principals for a period of not less than fifteen (15) business days from written notice of the dispute.
16.3 Mediation
If informal resolution is unsuccessful, the Parties will submit the dispute to confidential mediation administered by a mutually agreed-upon mediator in Boulder County, Colorado. Each Party will bear its own costs of mediation, and the Parties will share the mediator’s fees equally. Mediation will be completed within thirty (30) days of the mediator’s appointment, unless the Parties agree to extend.
16.4 Litigation
If mediation does not resolve the dispute, either Party may pursue the matter in the state or federal courts located in Boulder County, Colorado. Both Parties irrevocably consent to the exclusive personal jurisdiction and venue of these courts for any dispute arising under this Agreement.
16.5 Attorneys’ Fees
In any legal proceeding arising under this Agreement, the substantially prevailing Party is entitled to recover its reasonable attorneys’ fees, court costs, and related expenses from the other Party.
16.6 Continued Performance
Unless this Agreement is terminated in accordance with Section 14, the Parties will continue performing their respective obligations during any dispute resolution process.
17. Force Majeure
In plain terms: If something truly beyond either party’s control — like a natural disaster, pandemic, government action, or widespread cyberattack — prevents performance, the affected party isn’t in breach. But they need to communicate promptly and make reasonable efforts to resume. If it lasts more than 30 days, either side can walk away.
Neither Party will be liable for any delay or failure in performance caused by circumstances beyond its reasonable control (“Force Majeure Event”), including but not limited to: natural disasters, pandemics or epidemics, acts of government or regulatory action, wars or acts of terrorism, widespread cyberattacks or internet infrastructure failures, prolonged utility failures, or civil unrest.
The affected Party will:
(a) Notify the other Party in writing within five (5) business days of the Force Majeure Event, describing the event and its expected impact on performance;
(b) Make commercially reasonable efforts to mitigate the impact and resume performance as soon as practicable; and
(c) Provide periodic updates on status and expected resolution.
If a Force Majeure Event continues for more than thirty (30) calendar days, either Party may terminate this Agreement by written notice without liability, except for payment of fees for Services already performed.
18. General Provisions
(a) Entire Agreement. This Agreement, together with any Mutual NDA between the Parties and any Change Orders executed under Section 6.4, constitutes the entire agreement between the Parties regarding the Services and supersedes all prior and contemporaneous discussions, proposals, negotiations, understandings, and agreements, whether written or oral.
(b) Amendments. This Agreement may only be modified by a written instrument signed by authorized representatives of both Parties. No verbal modifications, course of dealing, or course of performance will be deemed to modify this Agreement.
(c) Assignment. Neither Party may assign or transfer this Agreement or any rights or obligations under it without the other Party’s prior written consent. Notwithstanding the foregoing, either Party may assign this Agreement in connection with a merger, acquisition, corporate reorganization, or sale of substantially all of its assets, provided the assignee agrees in writing to assume all obligations under this Agreement. Any attempted assignment in violation of this Section is void.
(d) Severability. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions will continue in full force and effect. The invalid provision will be reformed to the minimum extent necessary to make it enforceable while preserving the Parties’ original intent.
(e) Waiver. A Party’s failure or delay in exercising any right or remedy under this Agreement does not constitute a waiver of that right or remedy. A waiver of any provision is effective only if in writing and signed by the waiving Party, and only for the specific instance for which it is given.
(f) No Third-Party Beneficiaries. This Agreement is for the sole benefit of the Parties and their permitted successors and assigns. Nothing in this Agreement creates any rights or remedies for any third party.
(g) Notices. All notices under this Agreement must be in writing and delivered to the contact information in the Engagement Summary (or to updated information provided in writing). Notice is effective upon receipt when delivered by: (i) email with confirmed receipt or read receipt, (ii) certified mail with return receipt requested, or (iii) nationally recognized overnight courier with delivery confirmation.
(h) Headings. Section headings and plain-language summaries are for convenience and readability only. They do not limit, modify, or affect the interpretation of any provision.
(i) Counterparts and Electronic Signatures. This Agreement may be executed in counterparts, each of which constitutes an original and all of which together constitute one and the same instrument. Electronic signatures (including signatures delivered via e-signature platforms) are legally binding and have the same force and effect as original ink signatures, in accordance with the Uniform Electronic Transactions Act (UETA) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act).
19. Representations and Warranties
In plain terms: Both sides confirm they have the authority to sign this agreement, that doing so doesn’t violate any other commitments, and that they’ll comply with the law. The Client also confirms that granting us access to their systems doesn’t break any agreements they have with other vendors.
19.1 Mutual Representations
Each Party represents and warrants that:
(a) It is duly organized, validly existing, and in good standing under the laws of its state of formation;
(b) The person signing this Agreement has full authority to bind the Party;
(c) Entering into and performing this Agreement does not conflict with any other agreement or obligation to which the Party is bound; and
(d) It will comply with all applicable laws and regulations in performing its obligations under this Agreement.
19.2 Client Representations
The Client additionally represents and warrants that:
(a) Granting Solanasis access to the Client’s systems and data as described in this Agreement does not violate any agreement with a third party, including managed service provider (MSP) contracts, cloud service provider terms of service, or software license agreements; and
(b) The Client has obtained (or will obtain before the Start Date) any consents or approvals from third parties that are necessary for Solanasis to access the Client’s systems and perform the Services.
19.3 Solanasis Representations
Solanasis additionally represents and warrants that:
(a) It possesses the professional qualifications, skills, and experience necessary to perform the Services; and
(b) All personnel assigned to the engagement will be bound by confidentiality obligations at least as protective as those in this Agreement.
Exhibits
Exhibit A: Access Checklist (Solanasis ORB Pack document 07, current version as of the Effective Date — provided separately by Solanasis within two (2) business days of execution of this Agreement)
Exhibit B: Intake Form (Solanasis ORB Pack document 09, current version as of the Effective Date — provided separately by Solanasis within two (2) business days of execution of this Agreement)
Signatures
By signing below, each Party confirms that it has read, understood, and agrees to be bound by all terms and conditions of this Engagement Agreement. Each signatory represents that they have the authority to enter into this Agreement on behalf of their respective organization.
Solanasis LLC (DBA Solanasis)
| Name: | ________________________________________ |
| Title: | ________________________________________ |
| Date: | ________________________________________ |
| Signature: | ________________________________________ |
[Client Legal Name]
| Name: | ________________________________________ |
| Title: | ________________________________________ |
| Date: | ________________________________________ |
| Signature: | ________________________________________ |