Master Services Agreement

This Master Service Agreement (the “Agreement” or “MSA”) is entered into by and between: S.G. Systems, LLC, a limited liability company organized and existing under the laws of the State of Texas, with its principal office located at 6944 Meadowbriar Lane, Dallas, TX 75230 (hereinafter referred to as “Provider”), and the individual or entity accepting this Agreement by accepting a quote and making payment as described herein (hereinafter referred to as “Customer”).

Provider and Customer may collectively be referred to as the “Parties” and individually as a “Party.”

WHEREAS: Provider offers the V5 Traceability software solution (“Software”), including options for hosted services utilizing a third-party cloud hosting provider and on-premise installations, designed to track and manage supply chain data, with Version 5.9 independently assessed for compliance with 21 CFR Part 11, EU Annex 11, and Good Manufacturing Practices (GMP), along with related support and services. Customer desires to engage Provider for the use of the Software and related services under...

NOW, THEREFORE: In consideration of the mutual promises and covenants contained herein, the Parties agree as follows:

1.1 Acceptance. By accepting a quote provided by Provider and making payment (either 100% of the annual fee upfront or the first monthly installment), Customer agrees to be bound by the terms of this MSA. The date of such payment shall be deemed the “Effective Date” of this MSA for the applicable services.

1.2 Software Activation. The Software will be activated within 72 hours of receipt of payment (either the full annual amount or the first monthly installment).

1.3 Agreement Scope. This MSA governs all future transactions between the Parties related to the Software, and individual Order Forms shall specify the scope, pricing, and other terms for specific services provided.

2.1 “Software” means the V5 Traceability software, including all updates, upgrades, and documentation provided by Provider under this MSA. This Agreement applies only to Version 5.9 and does not extend to previous versions or future releases unless otherwise agreed in writing.

2.2 “Hosted Services” means the hosting, maintenance, and support of the Software on a third-party cloud hosting provider’s infrastructure, managed by Provider and accessible by Customer via the internet.

2.3 “On-Premise Installation” means the installation and operation of the Software on Customer’s own hardware and / or infrastructure at Customer’s designated location.

2.3.1 "Default Deployment Architecture" means unless otherwise specified in the Order Form, the Software shall be deployed on-premises at Customer’s designated location. If Customer elects a hosted (cloud) deployment, this must be clearly indicated on the Order Form at the time of order placement.

2.4 “Services” means the Hosted Services, support, maintenance, validation assistance, and/or installation services provided by Provider.

2.5 “Order Form” means a document, quote, or other record provided by Provider and accepted by Customer specifying the Software license type, Services, fees, and other details of Customer’s engagement.

2.6 “Critical Issues” means severe Software malfunctions that prevent Customer from performing essential business operations reliant on the Software.

2.7 “Security Incident” means any unauthorized access, use, disclosure, alteration, or destruction of Customer Data.

2.8 “Sandbox Environment” means a separate, isolated testing environment provided by Provider for deploying Software upgrades prior to production use.

2.9 “Customer Data” means all data uploaded to or generated by the Software.

2.10 “Service Level Agreement (SLA)” means the performance guarantees and commitments outlined in Section 11 of this Agreement, including uptime, response times, and resolution targets for Hosted Services.

2.11 “Renewal Term” means each additional one-year period automatically commenced under Section 5.2.

2.12 “Invoice” means Provider’s written request for payment issued under Section 5.5(a).

2.13 “Device” means a dedicated human–machine interface (HMI) such as a PC or tablet computer used to access the Software, identified by a unique network interface (e.g., MAC address). For clarity, a “Device” does not include passive peripherals such as scales, scanners, printers, or similar equipment—even if such peripherals have IP or MAC addresses—unless expressly listed as licensed HMIs on an Order Form.

2.14 “Device License” means a license assigned to a specific Device (HMI) identified by its MAC address or other unique hardware identifier. A Device License is tied to that Device and may not be used concurrently by other devices.

3.1 Scope of Implementation. Provider will configure the system, set up sample data, and demonstrate key workflows based on the selected subscription tier:

• Express: Example Electronic Batch Record (EBR), Batch Manufacturing Record (BMR), or Device History Record (DHR) process (Est. 4 hours).
• Professional: Sample Purchase Order (PO) and Sales Order (SO) workflows, including labeling, putaway, and shipping (Est. 8 hours).
• Enterprise: Setup of a sample approval workflow, training schedule, checklist, or Standard Operating Procedure (SOP) & Policy framework (Est. 12 hours).

3.2 All-Inclusive Support. Provider offers comprehensive implementation support, including Subject Matter Expert (SME) training, onboarding assistance, and configuration guidance, at no additional cost for the duration of the Customer’s active subscription. There are no additional implementation charges beyond the agreed subscription fees, regardless of the time required to complete implementation.

3.3 Customer Responsibilities and Implementation Timeline. While Customers are encouraged to complete implementation within 90 days to ensure rapid go-live, there is no penalty or additional charge if implementation takes longer. Provider does not charge extra for implementation support at any stage, as long as the subscription remains active. Customers are still expected to make reasonable efforts to provide timely access to personnel, systems, and required information to facilitate progress.

3.4 Implementation Timeline Expectations. Provider shall use commercially reasonable efforts to complete implementation within the timelines outlined in Section 3.1, typically within 4 to 8 weeks from the Effective Date. This estimate assumes the Customer is using standard Software features and workflows as provided in their subscription tier.

Implementation timelines are contingent upon Customer providing timely access to personnel, systems, and resources as required. Where the Customer requests non-standard workflows, continuous feature development, or substantial deviations from core functionality, Provider may extend the timeline and adjust resource allocation accordingly. Any such modifications will be communicated to Customer, and revised timelines or cost implications will be documented via an updated Order Form or written adde...

Provider encourages Customers to first go live using the standard toolkit included with their selected Software level, and to phase in additional features after successful deployment, thereby reducing risk, cost, and implementation time.

4.1 License Grant. Provider grants Customer a non-exclusive, non-transferable, revocable license to use the Software. The Software is available in three levels: Express, Professional, and Enterprise, each with varying features and capabilities as outlined in the Order Form. Customer’s access and functionality will be determined based on the selected software level.

4.2 Hosted Services Option. If specified in the Order Form, Provider will provide Hosted Services, including hosting, maintenance, upgrades, and adherence to the SLA outlined in Section 11.

4.3 On-Premise Installation Option. If specified in the Order Form, Provider will provide On-Premise Installation services, with Customer responsible for maintaining necessary infrastructure and ensuring compliance with regulatory requirements. Provider will continue to provide ongoing operational support, including answering questions and providing technical assistance, at no additional charge beyond the subscription fees paid, once the implementation has been completed. Customer acknowledges t...

4.4 Licensing (User- or Device-Based) and Restrictions. The Software may be licensed on either a per-user or per-device basis, as specified on the applicable Order Form. Customer must elect one of the following minimum licensing thresholds: (a) at least **three (3) active user licenses**, or (b) at least **one (1) device-based license**. The Software will enforce access limits so that no more users or devices are active than licensed.

User-Based Licensing. A User License is assigned to a single named individual and may not be shared, rotated, or used by multiple individuals. Customer must ensure that the number of active users matches the quantity of User Licenses specified in the Order Form. The Software will automatically enforce license limits, preventing access by unlicensed users.

Device-Based Licensing. A Device License is assigned to a specific Device (HMI) such as a PC or tablet that is used by humans to interface with the Software and is identified by its MAC address or other unique hardware identifier. Device-Based Licensing expressly excludes passive peripherals (e.g., scales, scanners, printers, or similar equipment), even if those peripherals have IP or MAC addresses. Access from any session originating on an unlicensed Device will be blocked by the Software.

Administration. Licenses (user or device) may be reassigned by Customer only in the event of permanent personnel changes or permanent Device retirement/replacement. Temporary rotation or pooling is not permitted without Provider’s prior written consent. Any discounts must be agreed upon in writing with Customer’s assigned sales representative. Provider reserves the right to audit Customer’s usage to verify compliance with this licensing model.

4.5 ERP Integration. Unless otherwise specified in the applicable Order Form, the Provider’s standard implementation services include integration to one (1) Customer ERP system using a single API interface. This integration assumes: The Customer ERP environment provides standard ERP objects required for the Software integration, including but not limited to Purchase Orders, Sales Orders, Items, Locations, Schedules, Bills of Material (BOMs), Customers, Suppliers, and Inventory Data. Customer will ensure Provider has timely and sufficient access to a sandbox environment of the ERP system for development, testing, and validation purposes during the implementation period. In cases where Customer’s ERP environment lacks standard objects or fields required by the Software, or if ERP customization is necessary, Provider will notify Customer immediately. Such ERP customizations are the sole responsibility of the Customer and may delay the implementation schedule and incur additional costs not covered by Provider’s standard integration offering. Provider shall not be responsible for any delays or additional expenses resulting from Customer’s inability or delay in delivering required ERP customizations or sandbox access. Any additional services required to support ERP-side customizations will be subject to scoping and mutual agreement, but shall not be imposed unilaterally.

5.1 MSA Term. This MSA begins on the Effective Date and continues until terminated.

5.2 Service Term. Each Order Form establishes a 365-day term (the “Initial Term”). Unless Customer provides written notice of cancellation at least thirty (30) days before the end of the then-current term, each term shall automatically renew for additional one-year periods (each, a “Renewal Term”) under the same fees and terms then in effect, subject to any price adjustment Provider may notify Customer of as provided in Section 5.5 below.

5.3 Termination for Cause. Either Party may terminate due to a material breach not cured within thirty (30) days of notice.

5.4 Effect of Termination. For Hosted Services, Customer Data will be retrievable for 90 days post-termination, subject to applicable regulatory retention requirements. Non-payment exceeding thirty (30) days may result in service suspension, and non-payment exceeding forty-five (45) days will result in termination and data deletion, subject to regulatory obligations.

5.5 Renewal and Invoicing.

• a. Invoice Timing. No later than sixty (60) days before the end of the Initial Term or any Renewal Term, Provider will issue an invoice for the next term’s fees based on the services and license quantities set forth in the most recently executed Order Form.
• b. Cancellation Window. Customer may cancel all or part of the upcoming term—or otherwise adjust the scope—by delivering written notice to Provider at least thirty (30) days before the start of the next term. Any cancellation or reduction in scope received after that date will apply only to the following term.
• c. Term Start Payment. Full payment for each Initial Term or Renewal Term is due thirty (30) days prior to the first day of that term. Provider reserves the right to suspend or terminate services under Section 5.4 if payment is not received by the due date.

6.1 Fees. Customer shall pay as per the Order Form.

6.2 Payment Options.

• a. Annual Payment Option. 100% of the term’s fees due thirty (30) days before the term start date.
• b. Monthly Payment Option. Twelve equal monthly installments, with payment for the first installment due thirty (30) days before the term start date and each subsequent installment due on the same calendar day of each month thereafter; a 10% convenience fee applies.
• c. Methods. ACH is preferred; credit card payments incur a processing fee.

6.3 Subscription Upgrades. Fees will be prorated based on the remaining term.

6.4 Subscription Downgrades. Downgrades will take effect at the next renewal cycle, with a written notice required at least thirty (30) days prior.

6.5 Late Payment Consequences. If payment is not received by the due date, Provider reserves the right to immediately suspend access to Hosted Services and withhold technical support. If payment remains outstanding for fifteen (15) days, Provider may terminate this Agreement, revoke software access, and delete Hosted Services Customer Data, subject to applicable regulatory requirements. A reactivation fee will be required to restore services following a suspension. Customer is responsible for al...

7.1 Compliance Commitment. Provider represents that Version 5.9 (Major Version) of the Software has been independently assessed and meets the requirements of 21 CFR Part 11 (electronic records and signatures), EU Annex 11 (computerized systems), and Good Manufacturing Practices (GMP). Provider will take reasonable steps to ensure continued compliance with these standards and the SLA outlined in Section 11.

7.2 Data Integrity and Retention. The Software is designed to maintain the integrity of electronic records and enforce controls to prevent unauthorized modifications. Audit trails, version control, and data encryption are included as standard features. Customer data will be retained for a period consistent with applicable regulatory requirements (e.g., 5-7 years for GMP compliance), unless an alternative retention period is specified in an Order Form.

7.3 Electronic Signatures. The Software includes electronic signature functionality in accordance with 21 CFR Part 11 and EU Annex 11, ensuring that signed records cannot be modified and that access to signature capabilities is restricted to authorized personnel.

7.4 Validation and Qualification Support. Provider will offer Installation Qualification (IQ), Operational Qualification (OQ) templates to assist Customer in validating the Software in their environment. If requested, Provider will provide access to a Sandbox Environment to allow validation testing prior to deploying software updates to production. Any software modifications, patches, or upgrades will follow a Change Control Process, ensuring that compliance is maintained and aligned with SLA pe...

7.5 Audit and Inspection Readiness. Provider will cooperate with regulatory audits related to the Software’s compliance with 21 CFR Part 11, EU Annex 11, and GMP. Provider will provide documentation, logs, and access records to support Customer’s compliance needs during audits and regulatory inspections. If required, Provider will participate in mock regulatory audits to validate the integrity of the Software and adherence to SLA commitments.

7.6 Security and Access Controls. The Software provides role-based access controls to limit data access based on user roles, ensuring compliance with ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, and Complete). All system access and activity will be logged and time-stamped to ensure complete traceability and meet SLA reporting requirements. Provider will ensure that Customer data is protected against unauthorized access or tampering through encryption and access ...

8.1 Controlled Software Updates. All Major software updates, patches, or enhancements will be subject to a Change Control Process to maintain compliance with regulated environments and SLA performance metrics. Provider will notify Customer in advance of any significant updates that may impact compliance and allow time for validation before deployment, ensuring no disruption to SLA commitments. Customers using Hosted Services will be given at least 30 days’ notice before any major updates.

8.2 Customer Approval for Critical Updates. Updates that impact electronic records, security, or regulatory compliance will require Customer approval before deployment to production, ensuring alignment with SLA performance guarantees. Customers using On-Premise Installation will be responsible for ensuring that all updates comply with their validation procedures and SLA commitments.

8.3 Versioning and Documentation. Each update will include release notes detailing changes, new features, and potential validation considerations, as well as any impact on SLA metrics. Customers will receive a compliance impact assessment if any changes affect audit trails, electronic signatures, or data retention, ensuring continued SLA adherence.

9.1 Security Standards. Provider maintains industry-standard cybersecurity measures, including data encryption, firewalls, intrusion detection, and multi-factor authentication, to meet SLA security commitments. Hosted Services customers benefit from regular security audits and penetration testing, with results reported as part of SLA compliance.

9.2 Incident Response. In the event of a Security Incident, including unauthorized access, data breaches, or loss of data integrity, Provider will:

• a) Notify Customer within 24 hours (instead of 48 hours) of becoming aware of the incident to meet stringent pharmaceutical requirements and SLA commitments.
• b) Provide a detailed incident report within 3 business days (instead of 5) and cooperate with Customer to mitigate the impact and support any required regulatory reporting, as outlined in the SLA.

9.3 Business Continuity and Disaster Recovery. Hosted Services customers benefit from automatic data backups performed at regular intervals, with recovery time objectives (RTO) and recovery point objectives (RPO) defined in the SLA (Section 11). Provider maintains a disaster recovery plan to ensure data integrity and minimal downtime in the event of system failure, with performance metrics tracked under the SLA. Data recovery testing is performed quarterly to ensure compliance with regulatory da...

10.1 Validation and Qualification. Customer is responsible for performing qualification and validation of the Software in their production environment to meet specific regulatory requirements, ensuring alignment with SLA performance metrics. Customer must maintain documentation proving compliance with regulatory bodies such as the FDA, EMA, or other governing authorities.

10.2 Regulatory Reporting. If Customer is subject to regulatory inspections, they must maintain internal policies for data integrity and system security, reporting any SLA-related issues to Provider promptly. Customer must notify Provider promptly if the Software is involved in any regulatory audit or data integrity concern that may impact SLA performance.

10.3 User Training. Customer must ensure that their employees and personnel are properly trained on using the Software in accordance with regulatory requirements and SLA expectations. Provider offers training sessions and certification programs to assist with compliance training and SLA adherence.

11.1 Purpose. This Service Level Agreement (SLA) defines the performance guarantees, metrics, and remedies Provider commits to for Hosted Services and ongoing support services, ensuring the Software meets the stringent requirements of pharmaceutical, life sciences, and food manufacturing industries. For On-Premise Installations, while Provider commits to providing operational and technical support, specific uptime and response time guarantees in this SLA are applicable only to Hosted Services, u...

11.2 Ongoing Operational Support (On-Premise). For customers with On-Premise Installations, Provider shall continue to offer routine technical support, assistance with operational questions, and troubleshooting without additional fees beyond the subscription payments. Customer is responsible for infrastructure and system maintenance, while Provider’s support obligations are limited to software functionality, usage guidance, and troubleshooting.

11.3 Response and Resolution Times.

• Critical (Severity 1): Within 90 minutes (24/7/365), Resolution within 4 hours, Escalate to senior engineer within 2 hours if unresolved.
• High Priority (Severity 2): Response within 4 business hours, Resolution within 24 business hours.
• Medium Priority (Severity 3): Response within 8 business hours, Resolution within 5 business days.
• Low Priority (Severity 4): Response within 2 business days, Resolution within 10 business days.

11.4 Data Recovery and Business Continuity. Provider guarantees a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 15 minutes for Hosted Services, ensuring minimal data loss and rapid recovery in the event of a system failure or Security Incident. Data backups are performed every 15 minutes, with quarterly disaster recovery testing to validate SLA compliance.

11.5 Security and Compliance Metrics. Provider will conduct quarterly security audits and penetration tests, with results shared with Customer annually or upon request. Security Incidents will be resolved within 48 hours, with full mitigation and reporting completed within 5 business days, as outlined in Section 9.2.

11.6 Performance Monitoring and Reporting. Provider will provide monthly SLA performance reports to Customer, detailing uptime, response times, resolution times, and any incidents affecting service levels. Customers may request ad-hoc reports or audits to verify SLA compliance, with Provider cooperating fully.

11.7 Penalties for Non-Compliance. If Provider fails to meet any SLA metric (e.g., uptime, response times, resolution times), the following penalties apply:

• Uptime Shortfall: For each 0.1% below the 99.9% uptime guarantee, Customer will receive a credit equal to 5% of the monthly Hosted Services fee, up to a maximum of 50% of the monthly fee.
• Response/Resolution Delays: For each instance where Provider exceeds response or resolution times by more than 50%, Customer will receive a credit equal to 2% of the monthly Hosted Services fee, up to a maximum of 20% per incident.
• Security Incident Delays: If Provider fails to notify Customer of a Security Incident within 24 hours or resolve it within 48 hours, Customer will receive a credit equal to 10% of the monthly Hosted Services fee, up to a maximum of 50%.

11.8 Exclusions. SLA commitments do not apply to: Downtime or issues caused by Customer’s actions, including misuse, non-compliance with system requirements, or failure to provide necessary information. Outages due to third-party infrastructure failures beyond Provider’s control (e.g., cloud hosting provider outages). Force Majeure events, such as natural disasters or government actions.

11.9 SLA Review and Adjustment. The Parties may review and adjust SLA metrics annually or upon mutual agreement, ensuring alignment with evolving regulatory requirements and Customer needs.

12.1 Provider’s total liability under this Agreement, including for SLA breaches, shall not exceed the total fees paid by Customer in the 12 months preceding the claim.

12.2 Neither Party shall be liable for indirect, incidental, consequential, or punitive damages, including lost profits, unless arising from gross negligence, willful misconduct, or a breach of data security obligations under Sections 9 or 11.

13.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws principles.

13.2 Dispute Resolution. Any disputes arising under this Agreement shall be resolved through mediation, followed by arbitration if necessary, in Dallas, Texas.

13.3 Entire Agreement. This MSA, together with any Order Forms, constitutes the entire agreement between the Parties and supersedes all prior agreements or understandings.