TEEYA PRODUCTIONS

1. Definitions & Parties

1.1 "Client" refers to Attorneys of Chicago (https://attorneysofchicago.com/), the professional-services firm identified in the signature block below, including all authorized users, employees, agents, and representatives. Client represents and warrants that the individual executing this Agreement has full legal authority to bind the firm.

1.2 "System" means the custom, firm-branded enterprise command-center Provider designs, builds, configures, and delivers for Client: a consolidated software product that replaces and unifies, in one platform, the core operating functions Client currently spreads across multiple tools.

Client's current stack — Lawmatics (CRM, intake, retainer / e-sign, workflows), CasePeer (matters, deadlines, documents), RingCentral (phone, SMS/MMS, voicemail, recording), Novo (banking, expenses, QuickBooks Online / Xero handoff), Claude by Anthropic (AI drafting, summarization, Q&A, review checkpoints), and any other services Client identifies in onboarding — are the "Reference Platforms." They are benchmarks for scope and user experience only. Provider is not required to ship any particular Reference Platform as part of the System.

For each module in Section 2.1, Provider may, in reasonable discretion, (a) rebuild natively, (b) integrate with an external API or service (not necessarily the matching Reference Platform), or (c) combine both.

"Third-Party Provider" means any external API, platform, infrastructure, or service the delivered System actually uses in production, whether or not it is a Reference Platform, including services Client retains, selects, or adopts before or after handover.

The System also includes all databases, configurations, automations, workflows, and documentation Provider delivers under this Agreement.

1.3 "Deliverables" means the specific instance of the System deployed for Client under Section 2.1, together with the license grants set out in Section 5.

1.4 "Acceptance Date" means the date on which the System is deemed accepted under Section 2.2.

1.5 "Confidential Information" includes system architecture, workflows, AI prompts and routing logic, business processes, credentials, firm data, client-of-firm data accessed through the System, and all non-public technical, legal, or commercial information disclosed by either party. Confidential Information of Client also includes any information subject to attorney-client privilege or attorney work product.

1.6 "Materially conform" (and "materially conforming") means that the System substantially performs the core functions expressly listed in Section 2.1 without system-wide failure or inability to execute primary workflows. Isolated bugs, cosmetic issues, third-party outages, and non-critical feature gaps do not constitute a failure to materially conform. This definition governs the use of "materially conform" throughout this Agreement, including Sections 2.2 (Acceptance) and 12.1 (Structural Guarantee).

2. Scope of Services

2.1 Deliverables — Unified Enterprise Build

Provider shall design, build, configure, test, and deploy a custom enterprise command-center for Client. Implementation follows Section 1.2: each functional domain below is delivered by native build, Third-Party Provider integration, or both, as Provider reasonably elects. Which Reference Platforms or Third-Party Providers Client keeps, drops, or adds before or after handover is Client's business decision. The core Deliverables are:

• A single secured, firm-branded workspace that consolidates the functional domains below into one unified platform.
• A browser-based Web Application and, if the Mobile tier is selected in Section 4.1, native iOS and Android Mobile Applications.
• Private database architecture with role-based access controls, secure authentication, audit logging of privileged actions, and document-repository structure by matter.
• Full build-out of the tools, functions, features, designs, and integrations this Agreement describes, plus what is reasonably necessary for a single unified platform that replaces Client's multi-tool stack (for example authentication, routing, storage, glue code, admin controls). Default: replace core functions natively; integrate where replacement is not feasible, economical, or desired by Client. Reasonably necessary infrastructure does not mean new features, extra modules, new data sources, redesigns, or scope expansion — those are Section 12.3.
• Where Provider elects to integrate with a Third-Party Provider for any module, API connectivity to that provider, including secure credential storage, request/response handling, error logging, and reasonable retry logic for the integrations Provider builds.
• Firm-specific branding (logo, colour palette, typography) and administrator documentation sufficient for Client's designated admin to operate the System.
• Source code, index, and operating instructions (post-delivery handoff). As part of this engagement and at no additional fee, Provider will deliver to Client the System's source code, a written index describing the System's architecture, modules, and configuration, and operating instructions sufficient for Client (or a qualified successor developer) to expand, edit, refine, or replace any part of the System. This handoff is delivered within forty-five (45) business days after the later of (i) the Acceptance Date under Section 2.2, (ii) Client's written confirmation that Client is not requesting any further enhancements or changes, and (iii) resolution of any bugs identified up to that point, so that the index reflects a complete, stable, final build. Final-build retention. Provider will also retain, on a Provider-controlled encrypted drive, a copy of this final delivered build (source, configurations, index, and build artifacts) for the duration of the Structural Guarantee Period (Section 12.1), held solely to support Provider's Section 12.1 remediation obligations as further described in Section 7.6.

Per-module scope (onboarding submission and demo incorporated by reference; this Agreement controls if they conflict):

• CRM, intake & retainer (Lawmatics reference): lead and contact records tied to intake source; pipeline stages by practice area or case type; intake forms and branching questionnaires; consultation scheduling and reminders; automated follow-up sequences and task triggers; e-sign workflow for retainers and engagement documents; document templates populated from matter and contact data.
• Matter workflow & deadlines (CasePeer reference): matter file structure and status workflow; parties, witnesses, and counsel records; critical-date and deadline management; task templates and phase checklists; document repository structure by matter; case notes and communications timeline; reporting for caseload, velocity, and status.
• Phone, messaging, voicemail & call recording (RingCentral reference): extensions, routing, auto-attendant, queues, business SMS/MMS governance (TCPA/CAN-SPAM/CASL-conscious consent is Client's), voicemail, recording policy and access (consent law, including Illinois two-party under 720 ILCS 5/14, is Client's), reporting. Live voice/SMS/recording runs on a licensed carrier or CPaaS — a Third-Party Provider at Client cost; see Section 6.
• Banking, expenses & accounting handoff (Novo reference): operating-account workflow and permissions; expense capture and categorization rules; receipt and transaction documentation process; bookkeeping sync requirements (QuickBooks Online or Xero); accountant/bookkeeper access controls; entity/account segmentation. Provider does not open, operate, or hold funds in any banking account on Client's behalf and does not provide accounting, tax, legal, or financial advice; Client is responsible for validating bookkeeping output with its CPA or equivalent.
• AI drafting, summarization & oversight (Claude by Anthropic reference): roles, prompts, summarization and Q&A workflows, human-review checkpoints, usage logging, and privilege / retention / bar-advertising guardrails from onboarding. AI inference uses an external model provider (a Third-Party Provider; Section 6). Client ensures compliance with Illinois RPC (including Rules 1.1, 1.6, 5.3, 7.x), applicable ABA generative-AI guidance, Client's engagement terms, and the provider's acceptable-use policy.

Implementation choices. Discretion versus approval: Provider chooses native build, Third-Party Provider integration, libraries, APIs, and patterns, provided the result delivers the agreed feature set without material diminishment and is disclosed at the next status checkpoint. Client's prior written approval (email sufficient) is required only for a substitution that materially increases Client's ongoing third-party operating costs, moves Client data to a materially different jurisdiction, or introduces a materially different vendor relationship. Choosing integration over native build (or the reverse) is not, by itself, such a substitution.

Not included / out of scope. Provider does not own or operate Client's Reference Platforms, Third-Party Providers, or other vendor accounts. Expansions, redesigns, new modules, and post-handover migrations are Change Orders under Section 12.3, not the Total Fee. Provider may not expand the written scope without Client approval.

2.2 Acceptance Criteria

Delivery is deemed accepted ("Acceptance Date") on the earlier of (a) Client's written acceptance, or (b) the fifth (5th) consecutive business day during which the System has operated in production without a Critical Failure. "Critical Failure" means complete System unavailability or verified corruption of Client data caused by a defect in the originally-shipped System (and not by a third-party service, Client action, or Client-side configuration change). A Critical Failure is a downtime / unusable-system event and is distinct from a "structural defect" (a design-level failure of the originally-shipped build as defined in Section 12.1), which in turn is distinct from a "Non-Recoverable Structural Failure" (the final-remedy trigger under Section 12.1.4).

Minor bugs, cosmetic issues, and non-critical feature requests do not delay acceptance and are addressed under Section 12 (Structural Guarantee & Ongoing Support).

Acceptance under this Section 2.2 is separate from, and does not waive, Client's rights under Section 12.1 (Structural Guarantee). The Acceptance Date simply starts the Structural Review Period clock under Section 12.1.2.

Acceptance under this Section 2.2 is final and binding. Client may not revoke acceptance or assert new structural defects after the Acceptance Date, and all claims under Section 12.1 must be raised within the Structural Review Period.

3. Project Timeline & Dependencies

3.1 Target Delivery & Onboarding Intake

Onboarding portal access. Promptly upon execution of this Agreement, Provider will issue Client access credentials to Provider's secure client portal, where Client completes Provider's onboarding questionnaire and delivers the credentials, decisions, and materials required under Section 3.2 (the "Onboarding Submission"). Client shall complete and submit the Onboarding Submission within fifteen (15) business days of receiving portal access.

Target delivery. Target delivery is ninety (90) business days from Provider's receipt of the complete Onboarding Submission through the client portal. The ninety (90) business-day target is a good-faith estimate based on the scope defined in Section 2.1 and is not a guaranteed fixed deadline or "time is of the essence" term. The estimate is expressly conditioned on (i) Provider's continuous, uninterrupted access to the credentials, accounts, environments, decision-makers, and feedback required under Section 3.2 throughout the build, and (ii) no material change to the scope defined in Section 2.1. Any interruption of access, delay in Client responses or approvals, or material scope change extends the target day-for-day under Section 3.3 and may, in Provider's reasonable judgment, require a written re-baselining of the timeline. For the avoidance of doubt, the ninety (90) business-day clock does not begin to run until Client has submitted a complete Onboarding Submission.

3.2 Client Responsibilities — Onboarding Submission

Within fifteen (15) business days of receiving client-portal access under Section 3.1, Client shall submit through the portal a complete Onboarding Submission that includes:

• All necessary credentials, API keys, OAuth consents, admin seats, and platform access for each Reference Platform or Third-Party Provider that Provider reasonably needs to deliver the Section 2.1 scope, including (as and if applicable) Lawmatics, CasePeer, RingCentral, Novo, any AI provider (such as Anthropic / Claude), QuickBooks Online / Xero for bookkeeping sync, hosting/DNS provider accounts, and any other services designated by Client during onboarding;
• A named decision-maker available during U.S. business hours for approvals, clarifications, and user-acceptance review;
• Complete and accurate responses to Provider's onboarding questionnaire;
• Written consent (and, where applicable, an executed Business Associate Agreement under Section 7) authorizing Provider to access Client systems for the sole purpose of performing this engagement.

During the build, Client shall also provide timely written feedback on interim deliverables and review cycles within five (5) business days of delivery for review, and shall respond to Provider's written requests for additional credentials, information, decisions, or approvals within five (5) business days.

Provider's ninety (90) business-day target in Section 3.1 does not begin to run until Client has submitted a complete Onboarding Submission. Any delay by Client in submitting the Onboarding Submission (including any extension beyond the initial fifteen (15) business-day window) pushes the start of the ninety (90) business-day target correspondingly and extends the overall timeline under Section 3.3.

3.3 Events That Extend the Timeline

The target in Section 3.1 shall extend on a day-for-day basis for any delay arising from or contributed to by the following, and Provider shall have no liability for such delays:

• Client's late or incomplete provision of credentials, approvals, data, content, or feedback
• Client-initiated changes to scope, requirements, branding, workflows, or integrations after execution (material changes require a written Change Order under Section 12.3)
• Third-party dependency events allocated to Client under Section 6.3 (including hosting, cloud, email/SMS/voice/CPaaS, AI, bookkeeping sync, identity, DNS, or payment providers)
• AI model policy changes, content-moderation behaviour, rate limits, quota exhaustion, or safety-filter behaviour outside Provider's control
• Security incidents, data-integrity issues, or compromises originating in Client's environment or in any Reference Platform or Third-Party Provider account under Client's control
• Regulatory, ethics-board, bar-association, or internal legal-review hold periods imposed by Client or required of Client
• Delays caused by any third party engaged by Client (including prior vendors, incumbent IT staff, accountants, or outside counsel)
• Unavailability of Client's designated decision-maker or reviewers
• Force Majeure events under Section 11

3.4 Pause Rights

If Client fails to provide requested access, decisions, feedback, or content within fifteen (15) business days of Provider's written request, Provider may pause the engagement on written notice with no liability. Paused engagements resume upon Client compliance within thirty (30) days; otherwise the engagement terminates, Provider retains all work product created to date on account, and the engagement is deemed completed through the paused stage.

3.5 External Dependencies

Schedule impact from third-party systems and Force Majeure follows Sections 6.3 and 11.

4. Engagement Fee, Platform Selection & Payment

4.1 Platform Selection (Total Fee)

All amounts under this Agreement are expressed and payable in United States Dollars (USD). Client shall select one of the following deployment tiers at execution. The tier selected is recorded in the Engagement Summary panel below and constitutes the "Total Fee" for this engagement:

• Web Only — US $9,000 (no tax). Includes the full unified enterprise build described in Section 2.1 deployed as a browser-based Web Application.
• Complete System (Web + Mobile) — US $10,500 (no tax). Includes everything in the Web Only tier plus native iOS and Android Mobile Applications.

The tier may be upgraded from "Web Only" to "Complete System" after execution only under a written Change Order; the price differential of US $1,500 shall apply to any such upgrade.

4.2 Taxes

Provider currently does not collect or add any sales, use, service-occupation, value-added, GST/HST, or similar transaction tax to the Total Fee or to any invoice. Client is solely responsible for any tax it owes directly on its use of the System (including any Illinois use-tax self-assessment or City of Chicago Personal Property Lease Transaction Tax, if applicable) and shall indemnify Provider against any such tax, penalty, or interest. On Client's request, Provider will supply a completed IRS Form W-8BEN. If a change in law later requires Provider to collect a tax, Provider may add it to the affected invoice on thirty (30) days' written notice.

4.3 Milestone Payment Schedule

The Total Fee is invoiced in three (3) equal installments of one-third (1/3) each, in USD, against the following milestones:

• (a) Milestone 1 — Kickoff (33⅓% of Total Fee): invoiced on execution of this Agreement. Provider commences build upon the later of (i) receipt of Milestone 1 payment in full and (ii) receipt of the onboarding materials described in Section 3.2.
• (b) Milestone 2 — Mid-Build Delivery (33⅓% of Total Fee): invoiced when Provider delivers a mid-build checkpoint with (i) Section 2.1 core modules (CRM/intake, matters, communications, banking/accounting handoff, AI) working in staging per Provider's implementation choices under Sections 1.2 and 2.1, (ii) core workflows demoable to Client, and (iii) Web shell branding applied.
• (c) Milestone 3 — Completion & Shipping (33⅓% of Total Fee): the System is considered functionally complete and ready to ship when Provider has finished the build described in Section 2.1, internal QA has passed, and the System has satisfied the Acceptance Criteria of Section 2.2. Milestone 3 is invoiced upon Provider's written notice of completion. Payment of Milestone 3 in cleared funds is a condition precedent to shipping. Provider shall not ship, release, deploy, turn over, publish to app stores, or otherwise transfer possession or control of the completed System, administrator credentials, source or configuration artifacts, documentation, domain/DNS cut-over, or (if applicable) the Mobile Application binaries or store-distribution certificates until Milestone 3 has cleared in full. For clarity, "shipping" means the transition from Provider-controlled environments to Client-controlled environments.

For clarity, the milestone amounts under this Section 4.3 are:

• Web Only (US $9,000): Milestone 1 = US $3,000; Milestone 2 = US $3,000; Milestone 3 = US $3,000.
• Complete System (US $10,500): Milestone 1 = US $3,500; Milestone 2 = US $3,500; Milestone 3 = US $3,500.

Each invoice is issued in United States Dollars and is payable net fifteen (15) days from the invoice date by wire transfer or ACH to the account identified on the invoice. Partial payment does not constitute acceptance of reduced consideration. Any dispute with an invoice must be raised by Client in writing within ten (10) business days of the invoice date, failing which the invoice is deemed accepted.

4.4 Late Payment & Title Retention

If any invoice is past due, Provider may, after seven (7) days' written notice and an opportunity to cure, suspend work until the account is brought current, and may recover reasonable collection costs. Interest shall accrue at the lesser of the prime rate published by the Bank of Canada plus two percent (2%) per annum or the maximum rate permitted by the laws of the Province of Ontario.

Title to the source code, administrative credentials, mobile binaries, distribution certificates, and any other deliverable Provider creates under this Agreement passes to Client when the Milestone 3 invoice clears in full. Any pre-payment access (for example, staging review) is a limited preview only and does not transfer title.

4.5 No Waiver

No inaction, partial performance, or course of dealing by Provider shall be deemed a waiver of any right under this Agreement, including Provider's rights under Sections 4.3, 4.4, 4.6, 5, 10, 12, and 14.

4.6 No Refunds; Work Allocation

All fees paid under this Agreement are non-refundable, except as expressly and narrowly provided in Section 12.1.5.

In the event Client elects to stop, pause, or terminate the engagement for any reason, Provider shall immediately cease work and Client shall receive all work completed up to the termination date in its current state. No refunds, credits, or partial reimbursements shall be issued.

Alternatively, where the engagement is structured in phases or milestones, work shall continue strictly to the next agreed milestone once payment for that milestone has been applied. After a milestone has commenced, it is non-cancellable and non-refundable.

Termination by Client does not relieve Client of payment obligations for work already performed or for any milestone in progress. Fees reflect Provider's allocation of engineering capacity and are non-refundable on that basis.

5. Intellectual Property

5.1 Client Ownership (Instance-Level)

Upon full payment, Client owns their specific deployed System instance, including database content, configurations, and generated business data. Client receives a perpetual, non-exclusive, non-transferable license to use the System for internal business operations only. Permitted extension to affiliates and successors. Notwithstanding the non-transferability of the foregoing license, Client may extend use of the System, on the same terms and subject to all restrictions in this Section 5, to (i) any entity that controls, is controlled by, or is under common control with Client (an "Affiliate"), and (ii) any successor entity arising from a bona fide reorganization, merger, conversion, name change, or sale of all or substantially all of Client's assets, in each case provided that (a) Client gives Provider prompt written notice of the extension or transition, (b) the receiving Affiliate or successor is not a competitor of Provider in the legal-tech build/integration space, and (c) the Affiliate or successor agrees in writing to be bound by Section 5 (Intellectual Property), Section 7 (Security, HIPAA & Data Responsibility), and Section 1.5 (Confidentiality). Any other transfer requires Provider's prior written consent under Section 13.

5.2 Provider Ownership (Core IP)

Provider retains all ownership rights to:

• Underlying frameworks, architecture, and system methodologies
• Pre-existing code libraries, AI models, and automation templates
• Development tools, deployment scripts, and proprietary processes
• All derivative works, improvements, or modifications to Provider IP

5.3 License Restrictions

Client expressly shall not:

• Sell, resell, sublicense, lease, rent, or barter the System
• Distribute, share, or grant access outside Client's organization
• Reverse engineer, decompile, or create derivative works
• Use as SaaS, service bureau, or for third-party benefit
• Transfer control without written consent

5.4 Breach & Remedies

The parties acknowledge that monetary damages may be inadequate to remedy a breach of this Section 5 and that misuse of Provider's IP would cause irreparable harm to Provider that is difficult to quantify. Upon any breach of this Section 5 (an "IP Breach"), Provider shall be entitled, cumulatively, to:

• (a) immediate termination of the Section 5.1 license (without cure period or refund);
• (b) preliminary and permanent injunctive relief in any court of competent jurisdiction (each party agrees that the other need not post bond beyond what the court otherwise requires);
• (c) liquidated damages equal to the greater of (i) three (3) times the Total Fee paid under this Agreement, or (ii) US $50,000 — which the parties agree is a reasonable pre-estimate of harm, not a penalty, given the difficulty of quantifying actual loss; and
• (d) the prevailing party's reasonable attorneys' fees and enforcement costs.

Election of liquidated damages under (c) is in lieu of, not in addition to, recovery of Provider's actual damages for the same IP Breach. The cap in Section 10.1 does not apply to claims arising from an IP Breach or from Client's indemnity under Section 8; all other claims (including any arising under Section 1.5 or Section 7) remain subject to Section 10.1.

5.5 Attribution

"System Architect: Teeya Productions" may remain in system metadata and documentation.

6. Third-Party Services & Infrastructure

6.1 Client Responsibilities

Client retains Provider to deliver the consolidated System in Sections 1.2 and 2.1. Client procures, pays for, and administers every Reference Platform and Third-Party Provider used to operate the System, including services Provider reasonably connects under Section 2.1. Vendor choice, contracts, and operating cost are Client's, not Provider's. Third-party risk is allocated in Section 6.3.

Without limiting the foregoing, when any of the following is used — retained by Client, connected by Provider under Section 2.1, or adopted after handover — Client is solely responsible for accounts, fees, seats, compliance, and administration:

• Lawmatics (CRM / intake / retainer platform) account(s), user seats, API access, and any custom-field or e-sign add-ons required to deliver the Section 2.1 scope
• CasePeer (case-management platform) accounts, user seats, API access, and any premium tiers required for document repository, reporting, or integrations
• RingCentral (phone, SMS/MMS, voicemail, call-recording) accounts, phone-number provisioning, DID assignments, SMS/MMS 10DLC / A2P registration, and any recording-retention storage required by Client's policies
• Novo (business-banking platform) accounts, credentials, and any API or partner agreements; Provider does not open, operate, or hold funds in any banking account on Client's behalf
• Anthropic (Claude) API account(s) (or any substituted AI provider), usage quotas, and compliance with that provider's usage policies, acceptable-use policies, and any policies applicable to legal-industry or regulated-data use
• QuickBooks Online and/or Xero (bookkeeping sync) accounts, chart-of-accounts configuration, and accountant/bookkeeper licensing
• Hosting, cloud, compute, and storage accounts (AWS, Google Cloud, Azure, Firebase, Vercel, etc.)
• Any supplemental voice, SMS, email, transcription, or notification providers that the firm elects to layer on top of (or in place of) RingCentral (Twilio, SendGrid, Resend, etc.)
• Identity, single-sign-on, and MFA providers
• Domain registration, DNS, and SSL/TLS certificate management
• Any payment-processing, trust-accounting, or merchant accounts Client may connect (Provider does not handle IOLTA / client-trust funds, and trust-accounting compliance remains solely with Client)
• Any other third-party service, platform, API, integration, license, subscription, certificate, or infrastructure dependency identified during the build as necessary to deliver, host, operate, secure, or connect any part of the System — whether or not foreseeable at execution. Such dependencies are ordinary operating costs of running a software product of this kind, not of the build, and are governed by the notice procedure under Section 6.2.

Any additional dependency Provider identifies during the build is subject to Section 6.2; risk allocation for all third parties is Section 6.3.

6.2 Written Notice of New Third-Party Dependencies

Where Provider identifies during the build any third-party dependency described in Section 6.1 that was not expressly listed in the intake/demo materials or in this Agreement, Provider shall give Client prompt written notice (email to Client's designated decision-maker is sufficient) identifying (i) the service or dependency, (ii) the reason it is needed for the build, (iii) the approximate cost to Client, and (iv) any options or alternatives. Provider shall not commit Client to any new recurring cost, contract, or subscription on Client's behalf without Client's prior written approval (email acceptance is sufficient). If Client declines the dependency, and the dependency is reasonably necessary to deliver a Section 2.1 feature, the affected feature may be descoped from the build by written Change Order with a corresponding adjustment to the timeline under Section 3 (but not, for the avoidance of doubt, a reduction to the Total Fee).

6.3 Third-Party Dependencies — Risk Allocation

(a) Client owns the stack. Client is solely responsible for the selection, licensing, cost, lawful use, configuration, and continued operation of every Reference Platform and Third-Party Provider the System uses, including services Provider reasonably integrates under Section 2.1.

(b) No vendor warranties; no vendor liability. Provider does not warrant or guarantee the performance, availability, pricing, terms, quotas, data handling, security practices, or continued existence of any Reference Platform or Third-Party Provider. Provider has no liability for outages, API or product changes, policy or pricing changes, rate limits, security or data incidents, billing disputes, discontinuation, insolvency, or any other failure of such services, or for claims arising from Client's or any vendor's acts or omissions. This subsection applies during the build and after handover, whether or not the dependency was foreseeable at execution.

(c) Client access and backups. Client shall maintain independent administrative access, credentials, and backups for business-critical third-party accounts.

(d) Other sections. Third-party events may also suspend performance under Section 11 where its tests are met. Timeline extensions for dependency failures follow Section 3.3.

6.4 Third-Party Terms Flow Down

Client acknowledges that the System's use of third-party services is subject to those providers' terms of service, acceptable-use policies, and data-processing agreements. Client is responsible for reviewing and complying with such terms, including the AI provider's restrictions on processing regulated or privileged data.

7. Security, HIPAA & Data Responsibility

7.1 Provider Security Baseline (Defined Controls)

Through the Acceptance Date, Provider shall implement and maintain the following defined controls for the System Provider builds and for Provider's handling of Client credentials and data during the build:

• Encryption in transit: TLS 1.2 or higher for all data flowing between the System and any Third-Party Provider it connects to.
• Encryption at rest: AES-256 (or equivalent industry-standard cipher) for secrets, credentials, API keys, and tokens that Provider stores during the build.
• Role-based access control (RBAC): documented role matrix delivered with the System; least-privilege defaults.
• Multi-factor authentication (MFA): required on every Provider-side admin account that touches Client credentials, the build environment, or any Third-Party Provider on Client's behalf.
• Audit logging: privileged actions inside the System logged to a tamper-evident store, subject to the underlying capabilities of any Third-Party Providers the System depends on.
• Secret hygiene: secrets stored in an industry-standard secret manager (e.g., AWS Secrets Manager, GCP Secret Manager, 1Password, HashiCorp Vault); no secrets committed to source control.
• Environment separation: development, staging, and production environments separated where applicable.
• Dependency hygiene: automated dependency scanning on Provider-authored code; known critical CVEs patched before handover.
• Credential return / destruction: firm credentials Provider held during the build are returned or securely destroyed within thirty (30) days of the Acceptance Date or sooner upon Client's written request.
• Security-incident notice: if Provider becomes aware, during the build period, of a security incident materially affecting Client data in Provider's possession, Provider shall notify Client's designated decision-maker in writing within seventy-two (72) hours.

7.1.1 Disclaimer of Security Warranty. The controls in this Section 7.1 represent Provider's good-faith efforts to implement industry-recognized practices. They do not constitute a warranty that the System or any data will be secure, breach-proof, or compliant with any specific regulatory framework beyond the express scope of Section 7.2. Provider has no liability for security incidents, data breaches, or unauthorized access occurring despite these controls.

7.2 HIPAA & Business Associate Agreement

If the System will, during the build, create, receive, maintain, or transmit Protected Health Information ("PHI") on Client's behalf, the parties shall execute a Business Associate Agreement ("BAA") in a form reasonably acceptable to both parties before Provider is given access to PHI. The BAA establishes Provider as Client's business associate only for the PHI, systems, and activities the BAA describes — not as Client's general "data processor" or custodian for all firm or client data. While a BAA is in force, Provider shall implement safeguards at or above the level required by the HIPAA Security Rule (45 C.F.R. Parts 160 and 164, Subparts A and C) for the System components Provider builds and for the limited scope of Provider's access. Client is and remains the covered entity (or the upstream business associate) for all PHI in its possession.

7.3 Certifications & Programs Not Provided

Provider is a custom-software studio, not a certified security-services firm. The following certifications, attestations, and ongoing security-program services are not included in the Total Fee and Provider makes no representation or warranty that the build will achieve them:

• SOC 1 / SOC 2 / SOC 3, HITRUST CSF, ISO/IEC 27001-series, FedRAMP/StateRAMP/CJIS, or PCI-DSS attestation or audit;
• Third-party penetration testing, red-team engagements, or bug-bounty programs;
• 24x7 Security Operations Center (SOC) monitoring, managed-detection-and-response (MDR), or incident-response retainer.

Client may engage Provider to coordinate any of the foregoing through a third-party specialist by written Change Order under Section 12.3.

7.4 Allocation of Responsibility

(a) Through the Acceptance Date. Provider is responsible for the controls in Section 7.1 (and, where triggered, the HIPAA safeguards in Section 7.2) for the System Provider builds and for Provider's handling of Client credentials during the build. Provider has no security obligation for any Reference Platform or Third-Party Provider itself; vendor risk is Client's under Section 6.3.

(b) From the Acceptance Date forward. Client owns ongoing security operation of the System and of external services it depends on (Section 6.3), including regulatory compliance for Client's practice. Provider's post-delivery role is limited to Section 12 (Structural Guarantee, Complimentary Assistance Window, and paid Change Orders).

7.5 HIPAA Role vs. General Data-Processing Position

Where a BAA is executed under Section 7.2, Provider is Client's business associate only for PHI within the scope of that BAA and Section 7.2. Outside that narrow HIPAA relationship — and for all non-PHI data, and for production data after Acceptance except as the BAA expressly requires — Provider does not act as Client's data processor, sub-processor, or data custodian, and does not undertake a continuous processing role on Client's behalf. Post-delivery work under Section 12 (Structural Guarantee, Complimentary Assistance, or paid Change Orders) is discrete technical support, not ongoing processing services.

7.6 Build Retention for Structural Guarantee; Data Loss Disclaimer

(a) Final-build retention for Structural Guarantee purposes. To support its obligations under Section 12.1 (Structural Guarantee), Provider will retain, on a Provider-controlled encrypted drive held offline by Provider, a copy of the final delivered build of the System (source, configurations, index, and associated build artifacts) as accepted by Client under Section 2.2, for the duration of the Structural Guarantee Period defined in Section 12.1 (five (5) years from the Acceptance Date). This retained copy is not a backup service for Client data. It exists solely to enable Section 12.1 remediation against the originally-shipped build; it is not synchronized with the live System and does not capture any post-handover changes made by Client or its vendors, any Client data written to the System after handover, or any data held by any Reference Platform or Third-Party Provider. Upon expiration of the Structural Guarantee Period, Provider may permanently destroy the retained copy at any time without notice to Client and has no obligation to retain, reconstruct, or deliver any copy of the build thereafter.

(b) Disclaimer. Except as expressly set out in Section 7.6(a) and Provider's Section 12.1 remediation obligation, Provider is not responsible for data loss, corruption, or unauthorized access occurring after the Acceptance Date, for backup failures after acceptance, or for Client's failure to maintain independent backups of data written into the System or residing in any Reference Platform or Third-Party Provider.

7.7 Data Export & Exit

Upon termination, Client receives a one-time export of its data from Provider-controlled components in standard formats (CSV, JSON). Provider has no obligation to migrate data to new systems, rebuild configurations, or continue to maintain any integration.

8. Indemnification

Client agrees to defend, indemnify, and hold harmless Provider from any claims, damages, liabilities, costs, or expenses (including reasonable legal fees) arising from:

• Client's use or misuse of the System
• Data stored, processed, or transmitted through the System
• Third-party tools, APIs, or integrations configured by Client
• Violation of laws, regulations, or third-party rights
• Breach of this Agreement by Client or its users

9. Warranty Disclaimer

EXCEPT FOR THE EXPRESS STRUCTURAL GUARANTEE SET OUT IN SECTION 12.1, THE SYSTEM IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. PROVIDER EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, SYSTEM INTEGRATION, AND QUIET ENJOYMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

Provider does not warrant that:

• System will meet Client's specific requirements or expectations
• Operation will be uninterrupted, timely, secure, or error-free
• Results obtained will be accurate, reliable, or economically beneficial
• System will generate specific revenue, savings, or efficiency gains

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

10.1 Cap on Liability. Provider's total aggregate liability for all claims arising out of or relating to this Agreement, the System, or any Provider act or omission — whether in contract, tort (including negligence), warranty, statute, or otherwise — shall not exceed the amount of one (1) milestone payment under Section 4.3 (i.e., US $3,000 for Web Only, US $3,500 for Complete System). This cap applies per claim and in the aggregate across all claims, theories, claimants, and causes of action, and is not refreshed, multiplied, or reset. In no event shall Provider's liability exceed the lesser of (i) the fees paid by Client for the specific module or deliverable giving rise to the claim, or (ii) one milestone payment. This cap applies regardless of whether Provider's conduct is alleged to be negligent, grossly negligent, reckless, or intentional, and regardless of whether any limited remedy fails of its essential purpose.

10.2 Excluded Damages. Provider shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including:

• Lost profits, revenue, or anticipated savings
• Business interruption or loss of goodwill
• Data loss or corruption costs
• Procurement of substitute services
• Any damages exceeding the limitation set forth above

10.3 These limitations apply regardless of the form of action, whether in contract, tort (including negligence), strict liability, or otherwise, even if advised of the possibility of such damages.

11. Force Majeure

11.1 Definition

Neither party shall be liable for, nor in breach of, any delay, suspension, or failure of performance under this Agreement (other than Client's payment obligations that have already accrued before the event commenced, which remain due and payable) caused by any event or circumstance beyond the reasonable control of the affected party (each, a "Force Majeure" event), regardless of whether the event was foreseeable. Force Majeure events include, without limitation:

• (a) Natural disasters and severe weather — earthquakes, floods, hurricanes, tornadoes, wildfires, and similar natural events.
• (b) War, terrorism, and civil unrest — armed conflict, acts of terrorism (including cyber-terrorism), sabotage, riots, and similar human-caused events.
• (c) Public-health events — pandemics, epidemics, quarantines, travel bans, and government-ordered closures or shelter-in-place orders.
• (d) Governmental or legal events — acts, orders, or regulations of any governmental authority; changes in law or its enforcement; embargoes, sanctions, or export/import restrictions.
• (e) Labour and supply disruptions — strikes, lock-outs, labour shortages, and material or transportation shortages or delays (including at third parties).
• (f) Infrastructure failures — failures or disruptions of electric power, internet, cloud, hosting, DNS, telecom, satellite, or other critical infrastructure.
• (g) Cyber and information-security events — cyberattacks, ransomware, denial-of-service attacks, compromise of third-party software dependencies, and similar security incidents.
• (h) Third-party service events (Force Majeure subset only) — large-scale infrastructure or backbone failures, widespread loss of a major cloud region, vendor insolvency, or government action that prevents performance and is beyond the affected party's reasonable control. Routine vendor outages, API or pricing changes, quota limits, or commercial disputes a reasonably prepared party could route around are not Force Majeure and remain allocated under Section 6.3.
• (i) Any other event beyond the affected party's reasonable control that prevents, hinders, or materially delays performance notwithstanding commercially reasonable efforts to avoid or mitigate it.

11.2 Notice, Mitigation & Suspension

The party affected by a Force Majeure event shall give the other party written notice as soon as commercially reasonable after becoming aware of the event, describing its nature and expected duration. During the pendency of the event, (i) performance obligations affected by the event are suspended and all timelines (including the target-delivery window in Section 3.1 and the milestones in Section 4.3) are automatically extended by the duration of the event plus a commercially reasonable recovery period; (ii) the affected party shall use commercially reasonable efforts to mitigate and resume performance; and (iii) no liability, breach, default, or penalty shall accrue against the affected party for the suspended obligations.

11.3 Termination for Prolonged Force Majeure

If a Force Majeure event continues for more than sixty (60) consecutive days and materially prevents the core build from being completed, either party may terminate this Agreement by written notice. Upon such termination, Sections 4.6 (No Refunds; Work Allocation), 5 (Intellectual Property), 7 (Security & Data Responsibility), 8 (Indemnification), 10 (Limitation of Liability), and 14 (General Provisions) survive; Client remains liable for fees already accrued for completed work and for any milestone that has commenced prior to notice of termination.

11.4 Pre-Existing Obligations Not Excused

Force Majeure does not excuse payment obligations that accrued prior to the commencement of the event, does not excuse confidentiality obligations (Sections 1.5 / 7), and does not excuse IP obligations (Section 5).

12. Structural Guarantee & Ongoing Support

12.1 Structural Guarantee (Originally-Shipped Product)

Provider warrants only that the System as originally shipped and accepted under Section 2.2 will materially conform (as defined in Section 1.6) to the agreed functional specifications at the time of delivery. This is a structural integrity warranty only and expressly excludes performance outcomes, uptime guarantees, business results, or third-party dependency behavior.

12.1.1 No Refund Policy (Baseline Rule). All fees paid under this Agreement are strictly non-refundable under all circumstances, except as expressly and narrowly provided in Section 12.1.5. No chargebacks, reversals, credits, or partial reimbursements apply.

12.1.2 Structural Review Period. Any claim that the System contains a structural defect must be raised in writing within ninety (90) calendar days of the Acceptance Date (the "Structural Review Period"). After this period, the System is conclusively deemed accepted and compliant.

12.1.3 Remedy Obligation (Repair Priority). If a valid structural defect is reported within the Structural Review Period, Provider shall have ninety (90) calendar days from written notice to repair, replace, or functionally correct the defect so the System materially conforms to its original shipped specification.

12.1.4 Final Failure Determination. A "Non-Recoverable Structural Failure" exists only if all of the following occur: (a) the defect is reported within the Structural Review Period; (b) Provider has completed the full 90-day remediation period under Section 12.1.3; and (c) the System still cannot be restored to materially conforming operation to its original shipped specification.

12.1.5 Exclusive Remedy. In the event of a Non-Recoverable Structural Failure, Client's sole and exclusive remedy is a refund of one (1) milestone payment actually received by Provider under this Agreement (US $3,000 or US $3,500, as applicable). No alternative remedy, additional remediation, credit, replacement, or damages of any kind shall be available. This Section 12.1.5 constitutes the complete, final, and exclusive remedy notwithstanding any other provision in this Agreement, and Client expressly waives all other remedies at law or in equity.

12.1.6 Exclusions. This Structural Guarantee does not apply to:

• any post-delivery modifications by Client or third parties;
• third-party API, platform, or infrastructure changes;
• misuse, misconfiguration, or unsupported environments;
• failures originating outside Provider-built components; or
• scope expansions or Change Orders under Section 12.3.

12.1.7 Liability Cap Interaction. All obligations under this Section 12.1 remain subject to Section 10. Provider's total exposure under this Section shall not exceed the Total Fee actually paid.

12.2 Complimentary Assistance Window (First Twelve (12) Months)

For twelve (12) calendar months from the Acceptance Date, Provider shall provide complimentary assistance related to operation of the originally-shipped System, including usage guidance, minor non-structural configuration adjustments, bug triage, and clarification of existing functionality.

Availability: 7:00 AM — 7:00 PM U.S. Eastern Time, seven (7) days per week. Assistance is requested via the support channel designated at handover.

Assistance response-time targets are commercially reasonable best-efforts. This Section 12.2 is a goodwill commitment and is not a formal service-level agreement (SLA); Provider does not guarantee any specific response time, resolution time, or availability percentage, and no service credits or refunds apply.

12.3 Out-of-Scope Work (Expansions, Add-Ons, New Features)

Any work that falls outside the Structural Guarantee or the Complimentary Assistance Window — including, without limitation, new features, additional integrations, new data sources, new user roles, new workflows, UI or branding redesigns, additional AI tuning or prompt engineering beyond the originally-shipped configuration, additional reporting or analytics, new modules, platform migrations, architecture changes, and any other expansion of the original scope — is billed at Seventy-Five U.S. Dollars (US $75) per hour on a paid Change Order basis.

Availability for paid work: same window as Section 12.2 (7:00 AM — 7:00 PM U.S. Eastern Time, seven (7) days per week), subject to Provider's scheduling availability. All out-of-scope work requires a written Change Order agreed to by both parties before work begins; Change Orders set forth scope, estimate, and any applicable adjustments to the timeline under Section 3.

13. Tooling, Subcontractors & Assignment

Provider's build process routinely relies on AI-powered development tools and automated coding assistants (including large-language-model coding assistants) as productivity tools operated under Provider's direction and supervision. Such tools are not independent contractors, agents, sub-processors, or subcontractors of Client, and their use does not create any relationship between Client and the underlying AI provider. Provider remains solely responsible to Client for the Deliverables regardless of which tools Provider uses to produce them. Provider does not delegate this engagement to outside human subcontractors without Client's prior written consent. Client may not assign this Agreement, by operation of law or otherwise, without Provider's prior written consent. Nothing in this Agreement creates any partnership, joint venture, employment, fiduciary, or agency relationship between the parties.

14. General Provisions

14.1 Entire Agreement (Order of Precedence)

This Agreement constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior and contemporaneous communications, emails, proposals, demonstrations, and representations, whether oral or written. In case of conflict, this signed Agreement prevails.

14.2 Severability

If any provision of this Agreement is held invalid or unenforceable by a court or arbitrator of competent jurisdiction, the remainder of the Agreement shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to render it enforceable while preserving the parties' original intent.

14.3 Governing Law & Dispute Resolution

(a) Governing law. This Agreement is governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-laws principles. The parties acknowledge that Client is located in Illinois, U.S.A.; Client's compliance with United States federal, Illinois state, and professional-conduct law in its own operations is Client's responsibility and is not altered by this choice of law.

(b) Arbitration — exclusive forum. Any dispute, claim, or controversy arising out of or relating to this Agreement (other than the carve-outs in (c) and (d) below) shall be resolved exclusively by final and binding arbitration before a single arbitrator, conducted in English, seated in Hamilton, Ontario, Canada, under the Arbitration Rules of the ADR Institute of Canada, Inc., applying the Arbitration Act, 1991 (Ontario). Each party consents to the jurisdiction of that forum and waives any objection based on forum non conveniens. The arbitral award is final, binding, and enforceable in any court of competent jurisdiction, including under the New York Convention (Convention on the Recognition and Enforcement of Foreign Arbitral Awards, 1958), to which both Canada and the United States are signatories.

(c) Costs and fees. The prevailing party shall recover its reasonable legal fees, arbitration fees, expert fees, and enforcement expenses. Each party irrevocably waives any right to a jury trial and to participate in any class, collective, mass, or representative action.

(d) Court carve-out for emergency relief and award enforcement only. Notwithstanding (b), either party may bring an action solely for (i) emergency, preliminary, or permanent injunctive or equitable relief to protect intellectual property or Confidential Information (Sections 1.5, 5, and 7), and (ii) enforcement of any arbitral award. All other claims, including collection of fees, shall be resolved exclusively through arbitration under (b). Doing so does not waive the arbitration agreement for any other claim.

14.4 Compliance with Laws

Each party shall comply with all laws applicable to its own performance under this Agreement. Without limiting the foregoing, Client is responsible for compliance with all United States federal, Illinois state, and local laws and professional-conduct rules applicable to its practice and to the data it processes through the System, including HIPAA (where applicable), the Illinois Rules of Professional Conduct, Illinois data-privacy laws, and the ABA Model Rules to the extent adopted in Illinois.

14.5 Survival

Sections 4.6 (No Refunds; Work Allocation), 5 (Intellectual Property), 7 (Security, HIPAA & Data Responsibility), 8 (Indemnification), 9 (Warranty Disclaimer), 10 (Limitation of Liability), 11 (Force Majeure, with respect to obligations accrued during the event), 12 (Structural Guarantee & Ongoing Support, to the extent applicable to a terminated engagement), 13 (Tooling, Subcontractors & Assignment), and 14 (General Provisions) survive termination or expiration of this Agreement.

14.6 Audit & Enforcement Rights

Provider reserves the right to investigate suspected misuse or breach of Sections 5 (IP) or 1.5 / 7 (Confidential Information / Security) and to pursue all available legal and equitable remedies, including injunctive relief.

14.7 Notices

Notices under this Agreement shall be in writing and delivered by email to the addresses designated by each party at execution, with confirmation of delivery. A notice is effective upon actual receipt or the next business day after transmission, whichever is earlier.

14.8 Electronic Execution

This Agreement may be executed electronically. Electronic signatures, including signatures captured via the signature pad below, are valid and binding to the fullest extent permitted by applicable law (including the U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN), the Uniform Electronic Transactions Act as adopted in Illinois, and the Ontario Electronic Commerce Act, 2000).

14.9 Counterparts

This Agreement may be executed in counterparts (including via electronic signature), each of which is deemed an original and all of which together constitute one and the same instrument.

14.10 Headings

Section headings are for convenience only and do not affect interpretation.