This Master Services Agreement ("MSA") governs paid LeakTrace Implementation engagements. Acceptance occurs when you complete payment for an Implementation engagement (Essentials or Complete tier) — the checkout flow records your acceptance with timestamp.
This MSA is entered into between LeakTrace Inc., a Canadian corporation with registered office at 1200 Bay Street, Suite 1201, Toronto ON M5R 2A5 ("LeakTrace"), and the entity completing payment for an Implementation engagement ("Customer").
Acceptance is recorded when Customer completes Stripe checkout for an Implementation engagement and confirms the agreement checkbox displayed at the checkout step. LeakTrace retains a timestamped record of acceptance, including the IP address used at checkout and the purchasing email address, as proof of agreement.
This MSA supplements — and where in conflict, prevails over — the LeakTrace general Terms of Service for matters specific to Implementation engagements.
LeakTrace will perform remediation services targeting exposure vectors identified in the Customer's preceding Scope audit, including but not limited to:
Tier scope: "Implementation Essentials" addresses the highest-priority findings identified in the Scope audit. "Implementation Complete" addresses the full set of findings identified in the Scope audit. The specific findings remediated within each tier are determined by LeakTrace based on severity and feasibility, and are documented in the Completion Record (§5) issued at the end of the engagement.
Out of scope: services not expressly listed above (including but not limited to: code rewrites, application redevelopment, ongoing managed-security services, incident response for active breaches, forensic investigation, legal discovery support, or compliance attestation work) are out of scope. Additional services may be available under a separate engagement.
To enable LeakTrace to perform the services, Customer agrees to:
Customer warrants that it has the legal authority to authorize LeakTrace's actions on the systems within scope, and that no third-party consent is required that has not already been obtained.
Fees are the flat per-tier fees listed at the time of purchase and paid in full at checkout via Stripe. No invoices, retainers, or hourly billing apply.
Term begins on the date of payment and ends on issuance of the Completion Record (§5), or sixty (60) calendar days from start, whichever is earlier. If the engagement cannot be completed within sixty (60) days for reasons within LeakTrace's control, LeakTrace will extend the term at no additional cost. If delay is caused by Customer non-responsiveness, the engagement may be marked complete with deliverables limited to work performed.
Refunds are governed by the LeakTrace Refund Policy effective at the time of purchase. In summary: Implementation engagements are refundable only before a contractor is assigned; once assignment occurs, no refund applies. Billing corrections (duplicate charges, incorrect amounts) are governed by §8 of the Refund Policy and remain available at all times.
At the close of the engagement, LeakTrace will issue an Implementation Completion Record to the Customer's purchasing email address. The Completion Record documents:
The Completion Record is a record of work performed. It is not a certification, warranty, or guarantee of future security posture, and does not constitute a representation that the Customer is compliant with any regulatory framework, insurance requirement, or industry standard. Where Customer requires formal certification or attestation, Customer is responsible for engaging an accredited third party.
LeakTrace warrants that the services will be performed in a workmanlike manner consistent with reasonable industry practice for security remediation work.
EXCEPT AS EXPRESSLY STATED ABOVE, ALL SERVICES ARE PROVIDED "AS-IS" AND "AS-AVAILABLE." LEAKTRACE DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION: (A) ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; (B) ANY WARRANTY THAT THE SERVICES WILL PREVENT, DETECT, OR REMEDIATE ALL SECURITY EXPOSURES; (C) ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION OF CUSTOMER SYSTEMS FOLLOWING REMEDIATION; (D) ANY WARRANTY AGAINST FUTURE COMPROMISE, BREACH, OR THIRD-PARTY ATTACK; (E) ANY WARRANTY THAT CUSTOMER WILL ACHIEVE OR MAINTAIN ANY SPECIFIC REGULATORY OR INSURANCE STATUS.
Customer acknowledges that no security service can eliminate all risk, and that LeakTrace's services reduce — but do not eliminate — exposure.
TO THE FULLEST EXTENT PERMITTED BY LAW, LEAKTRACE'S TOTAL AGGREGATE LIABILITY UNDER OR IN CONNECTION WITH THIS MSA — REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE — IS LIMITED TO THE TOTAL FEES PAID BY CUSTOMER TO LEAKTRACE UNDER THE APPLICABLE IMPLEMENTATION ENGAGEMENT.
IN NO EVENT WILL LEAKTRACE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION: LOST PROFITS; LOST REVENUE; LOST BUSINESS OPPORTUNITY; LOSS OF DATA; COSTS OF SUBSTITUTE SERVICES; BUSINESS INTERRUPTION; CYBER-INCIDENT INVESTIGATION, NOTIFICATION, OR REMEDIATION COSTS; REGULATORY FINES OR PENALTIES; OR THIRD-PARTY CLAIMS — EVEN IF LEAKTRACE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
These limitations apply notwithstanding any failure of essential purpose of any limited remedy. The parties agree that these limitations are a material basis on which LeakTrace has agreed to provide the services at the stated price.
Where mandatory consumer protection law in Customer's jurisdiction provides greater rights or protections to Customer, that law prevails to the extent it cannot be lawfully disclaimed. The MSA is offered to business Customers only.
Customer agrees to indemnify, defend, and hold harmless LeakTrace, its officers, directors, employees, and contractors from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to:
Each party will treat as confidential all non-public information disclosed by the other party in connection with the engagement, including without limitation: Customer's security findings, configuration details, and business operations; and LeakTrace's methodologies, tooling, and pricing.
Confidentiality obligations survive termination of this MSA for a period of three (3) years, except for trade secrets, which remain confidential indefinitely.
Either party may disclose confidential information if compelled by law or court order, provided the disclosing party gives the other party reasonable prior notice where legally permissible.
LeakTrace personnel and approved contractors performing services under this MSA are independent contractors of LeakTrace. They are not employees, agents, or representatives of Customer. Nothing in this MSA creates a partnership, joint venture, agency, or employment relationship between Customer and LeakTrace personnel.
LeakTrace services are not designed to process, store, or transmit Protected Health Information (PHI), payment card data subject to PCI-DSS, or other regulated personal data beyond standard contact information.
Customer represents and warrants that systems within scope do not contain PHI, PCI data, or similarly regulated data that LeakTrace will incidentally access during the engagement, unless Customer has provided written notice to LeakTrace in advance and the parties have executed a separate data-handling addendum (including, where applicable under U.S. law, a Business Associate Agreement, or under Ontario law, a service-provider agreement compliant with PHIPA).
Without such advance notice and addendum, Customer is solely responsible for any consequences arising from regulated data being present in systems within scope.
Neither party will be liable for failure to perform under this MSA where such failure is caused by events beyond the party's reasonable control, including without limitation: acts of God, war, terrorism, civil disturbance, pandemic, government action, internet or telecommunications failure, or third-party cyber attack against LeakTrace's own infrastructure.
The affected party will give prompt notice and use reasonable efforts to resume performance.
Either party may terminate this MSA for material breach by the other party that remains uncured fifteen (15) days after written notice of the breach.
LeakTrace may terminate immediately for non-payment, Customer use of the services to perform unauthorized activity, or Customer breach of §11 (regulated-data exclusion).
Termination does not entitle Customer to refund except as provided in the Refund Policy. Sections 6 (Disclaimers), 7 (Limitation of Liability), 8 (Indemnification), 9 (Confidentiality), and 14 (Governing Law) survive termination.
This MSA is governed by the laws of the Province of Ontario, Canada, and the federal laws of Canada applicable therein, without reference to conflict-of-laws principles.
Good-faith negotiation: Before initiating formal proceedings, the parties will attempt in good faith to resolve any dispute through direct negotiation for at least thirty (30) days.
Exclusive jurisdiction: Any unresolved dispute will be brought exclusively in the courts of the Province of Ontario sitting in Toronto, and the parties consent to the exclusive jurisdiction and venue of such courts.
Class action waiver: To the fullest extent permitted by law, each party waives any right to bring or participate in a class, collective, or representative action arising under this MSA.
This MSA, together with the LeakTrace Terms of Service, Privacy Policy, Refund Policy, and Scanning Policy in force at the time of acceptance, constitutes the entire agreement between the parties regarding the Implementation engagement and supersedes all prior or contemporaneous agreements, representations, or understandings, whether oral or written.
No modification of this MSA is effective unless made in writing and signed by both parties or accepted electronically via a LeakTrace checkout flow that records the modification.
If any provision of this MSA is held unenforceable, the remaining provisions remain in full force and effect, and the unenforceable provision will be reformed to the minimum extent necessary to make it enforceable.