Last updated: February 14, 2026

Terms of Service

1. Agreement to Terms

These Terms of Service ("Terms") constitute a legally binding agreement between you ("Customer," "Client," "you," or "your") and Polaris Consulting, LLC ("Polaris," "Provider," "we," "us," or "our"), a company based in Los Angeles, California.

By accessing or using our website at polarisconsulting.net and our security assessment platform (collectively, the "Services"), you agree to be bound by these Terms. If you do not agree to these Terms, you must not access or use our Services.

If you are using our Services on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms.

Customers who have executed a separate Master Services Agreement ("MSA") with Polaris are governed by the terms of that MSA. In the event of any conflict between these Terms and an executed MSA, the MSA shall control.

2. Description of Services

Polaris operates a cybersecurity assessment and compliance evaluation platform and offers professional security consulting services. Our Services may include, but are not limited to:

  • Security posture assessments of Microsoft 365 and Azure environments
  • Compliance evaluations against industry frameworks including CMMC 2.0, CIS Controls v8, ISO 27001, NIST CSF, and SOC 2
  • Generation of security and compliance reports, including IT operations briefs, executive summaries, and gap analyses
  • CMMC Level 2 gap analysis with SPRS scoring
  • Managed IT services, ongoing security monitoring, and periodic reassessments (where contracted)
  • Access to the platform for dashboard visibility, report retrieval, and compliance tracking

The specific scope, schedule, and deliverables for each engagement may be set forth in a Statement of Work or service agreement between the parties.

3. Read-Only Access and Client Environment

Our platform connects to your Microsoft 365 tenant using read-only OAuth permissions through the Microsoft Graph API. Unless a separate agreement specifically authorizes remediation work or configuration changes, our access to your environment is limited to read-only operations.

  • We shall not modify, delete, or alter any of your configurations, policies, or data without prior written authorization
  • We request only the minimum permissions necessary to perform the contracted Services
  • You may revoke our access at any time through your Azure AD portal by removing the enterprise application
  • Revocation of permissions required for the Services may impact our ability to deliver assessments but shall not constitute a breach by Polaris

4. Client Obligations

As a Customer, you are responsible for:

  • Maintaining the security of your Azure AD credentials and account access
  • Granting appropriate OAuth permissions necessary for security assessments
  • Ensuring you have the authority to connect your organization's Microsoft 365 tenant and that such access does not violate any agreement, law, or regulation to which you are subject
  • Providing timely access, information, and cooperation reasonably necessary for us to perform the Services
  • Promptly notifying us of any material changes to your environment that may affect the Services
  • Keeping your account information accurate and up to date

Implementation responsibility: Unless a separate agreement specifically includes remediation work, you are solely responsible for implementing any recommendations, remediations, or configuration changes identified in our deliverables. Our role is advisory; the decision to implement, partially implement, or decline any recommendation rests entirely with you.

5. Intellectual Property

5.1 Platform Ownership

Polaris retains all right, title, and interest in and to the platform, its proprietary methodologies, assessment frameworks, software, tools, templates, and any pre-existing intellectual property. Nothing in these Terms transfers ownership of our intellectual property to you.

5.2 Deliverable License

Upon payment in full, we grant you a non-exclusive, non-transferable, perpetual license to use the deliverables (reports, assessments, compliance documents) for your internal business purposes. You may share deliverables with your auditors, regulators, and legal counsel as reasonably necessary. You shall not resell, redistribute, or sublicense deliverables to third parties.

5.3 Customer Data Ownership

You retain all right, title, and interest in and to your data. Our access to your data does not confer any ownership rights upon Polaris.

5.4 Aggregated Data

We may use aggregated, anonymized, and de-identified data derived from the Services to improve our platform, develop benchmarks, and create industry research, provided that such data cannot reasonably be used to identify you or any individual.

6. Important Disclaimers

BY USING OUR SERVICES, YOU ACKNOWLEDGE AND AGREE TO THE FOLLOWING:

6.1 No Guarantee of Security

The Services are designed to assess, evaluate, and improve your security posture, but Polaris does not and cannot guarantee that your systems will be free from vulnerabilities, security breaches, or cyberattacks. No security assessment, monitoring service, or remediation effort can eliminate all risk. You acknowledge that cybersecurity is an ongoing process and that threats evolve continuously.

6.2 No Guarantee of Compliance

Our compliance evaluations and reports — including those referencing CMMC 2.0, CIS Controls v8, ISO 27001, NIST CSF, SOC 2, or any other framework — are advisory in nature and represent our professional assessment based on information available at the time. They do not constitute a certification, attestation, or guarantee that you have achieved or will achieve compliance with any framework, regulation, or contractual requirement. Compliance determinations are made solely by the applicable certifying body, auditor, or regulatory authority. SPRS scores and CMMC readiness assessments are estimates and may differ from official government assessments.

6.3 Point-in-Time Assessment

All assessments, reports, and deliverables reflect the state of your environment at the time of the assessment. Your security posture and compliance status may change at any time due to configuration changes, new vulnerabilities, evolving threats, or changes in regulatory requirements. Polaris is not responsible for changes to your environment that occur after an assessment is completed.

6.4 Advisory Role Only

Our recommendations are professional advice based on our expertise and the information available. You are solely responsible for evaluating, approving, and implementing any recommendations. Polaris shall not be liable for your decision to implement, partially implement, or decline any recommendation.

6.5 No Warranty of Completeness

While we endeavor to provide thorough assessments, no assessment methodology can identify every vulnerability, misconfiguration, or compliance gap in an environment. The absence of a finding in a deliverable does not constitute a representation that no such issue exists.

6.6 Disclaimer of Other Warranties

EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, POLARIS DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NON-INFRINGEMENT. THE SERVICES AND PLATFORM ARE PROVIDED "AS IS" TO THE EXTENT NOT EXPRESSLY WARRANTED HEREIN.

7. Limitation of Liability

7.1 Consequential Damages Exclusion

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, COST OF SUBSTITUTE SERVICES, OR REGULATORY FINES, ARISING OUT OF OR RELATING TO THESE TERMS, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7.2 Liability Cap

POLARIS'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS SHALL NOT EXCEED THE TOTAL FEES PAID BY YOU TO POLARIS DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

7.3 Exceptions

The limitations in Sections 7.1 and 7.2 shall not apply to: (a) breaches of confidentiality or data protection obligations; (b) indemnification obligations under Section 8; (c) liability arising from fraud, gross negligence, or willful misconduct; or (d) your obligation to pay fees owed.

8. Indemnification

8.1 Client Indemnification

You agree to indemnify, defend, and hold harmless Polaris Consulting, LLC, its officers, directors, employees, contractors, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of: (a) your use or misuse of the deliverables; (b) your failure to implement recommendations provided by Polaris; (c) your misrepresentation of your compliance status using our deliverables; (d) any claim arising from your environment that is not caused by Polaris's breach; or (e) your violation of any law or regulation.

8.2 Provider Indemnification

Polaris shall indemnify, defend, and hold harmless you and your officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of: (a) Polaris's gross negligence or willful misconduct in the performance of the Services; (b) Polaris's breach of its confidentiality or data protection obligations; or (c) any claim that the platform infringes a third party's intellectual property rights.

9. Data Handling and Confidentiality

Our collection, use, and protection of your data are governed by our Privacy Policy, which is incorporated into these Terms by reference.

Your security assessment results, vulnerability findings, compliance status, and related deliverables constitute your confidential information. We shall not disclose such information to any third party without your written consent, except in aggregated, anonymized form that cannot reasonably be used to identify you.

We handle all client data in accordance with industry-standard security practices and applicable data protection laws. Data is encrypted in transit (TLS 1.2 or higher) and at rest. We collect and retain only the data reasonably necessary to perform the Services.

10. Service Availability

We strive to maintain high availability for our platform. However, we do not guarantee uninterrupted or error-free service. The Services may be temporarily unavailable due to:

  • Scheduled maintenance (we will provide reasonable advance notice when possible)
  • Unplanned outages or technical difficulties
  • Third-party service disruptions (Microsoft Azure, Microsoft Graph API, etc.)
  • Force majeure events beyond our reasonable control, including natural disasters, acts of government, pandemic, war, terrorism, power failures, internet outages, or cyberattacks

11. Term and Termination

Either party may terminate the service relationship with 30 days' written notice. Notice should be sent via email to info@polarisconsulting.net. We may also terminate or suspend your access immediately if you materially breach these Terms.

Upon termination or expiration:

  • You shall pay all fees due for Services performed through the effective date of termination
  • We will deliver all completed deliverables for which payment has been received
  • Your access to the platform will be deactivated
  • Client data shall be retained for a period not to exceed ninety (90) days, after which it shall be securely deleted. You may request earlier deletion in writing.
  • You should revoke our OAuth access through your Azure AD portal

Sections 5, 6, 7, 8, 9, and 13 shall survive the termination or expiration of these Terms.

12. Governing Law and Dispute Resolution

These Terms shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles. The parties shall first attempt to resolve any dispute through good-faith negotiation. Any disputes not resolved through negotiation shall be subject to the exclusive jurisdiction of the state and federal courts located in Los Angeles County, California.

13. General Provisions

13.1 Modifications

We reserve the right to modify these Terms at any time. When we make material changes, we will update the "Last updated" date and notify you via email or a prominent notice on our website. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Terms.

13.2 Severability

If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. Any invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

13.3 Entire Agreement

These Terms, together with our Privacy Policy and any executed MSA or Statement of Work, constitute the entire agreement regarding the Services. In the event of a conflict, an executed MSA shall control, followed by these Terms, followed by our Privacy Policy.

13.4 Independent Contractor

Polaris is an independent contractor. Nothing in these Terms creates an employment, partnership, joint venture, or agency relationship between the parties.

13.5 Assignment

You may not assign these Terms without our prior written consent. We may assign these Terms to a successor in connection with a merger, acquisition, or sale of substantially all of our assets.

14. Contact Us

If you have any questions about these Terms, please contact us:

Polaris Consulting, LLC

Los Angeles, California

Email: info@polarisconsulting.net