Last Updated: 02-20-2026
Governing Law: Ontario, Canada
This Master Services Agreement (the "MSA") is Provider's standard terms. It applies to any Client that signs a Service Order (also called a Statement of Work, Quote, or Proposal) that references this MSA. "Provider" means THINKFLEX. "Client" means the entity identified in the applicable Service Order. Service descriptions, pricing, and term are defined in one or more Service Orders. Capitalized terms not defined in a Service Order have the meanings in this MSA.
1. Structure and Scope
1.1 Agreement Structure
This MSA governs all Services provided by Provider and accepted by Client under any Service Order executed by the Parties.
1.2 Precedence
If there is a conflict, the Service Order controls, then this MSA, then any schedules/attachments.
2. Term, Renewal, Termination
2.1 Term per Service Order
Unless a Service Order states otherwise, Services have an Initial Term of twelve (12) months, billed monthly.
2.2 Auto‑Renewal
At the end of the Initial Term, Services renew automatically for successive twelve (12) month terms unless either Party gives thirty (30) days' written notice before the end of the then‑current term.
2.3 Termination for Cause
Either Party may terminate a Service Order for material breach not cured within thirty (30) days of written notice (ten (10) days for payment breach).
2.4 Early Termination for Convenience (Client)
Client may terminate a Service Order early by paying an Early Termination Fee (ETF) equal to 100% of the remaining monthly fees for the Term, plus any non‑cancellable third‑party charges.
2.5 Suspension
Provider may suspend Services on seven (7) days' notice if any undisputed invoice is more than forty‑five (45) days past due.
3. Fees, Invoicing, Taxes
3.1 Fees and Billing
Fees are set forth in each Service Order and are billed monthly, unless otherwise stated.
3.2 Payment Terms
Invoices are due Net 30 days from the invoice date.
3.3 Taxes
Fees are exclusive of HST and other applicable taxes, which will be charged as required. Client is responsible for any duties or similar charges.
3.4 Late Charges
Overdue balances may accrue interest at 1.5% per month (18% APR) or the maximum lawful rate, whichever is lower.
3.5 Price Protection; Renewal Adjustments
Fees are fixed during the Term. At renewal, fees may adjust by the lesser of CPI + 3% or 8%, excluding third‑party vendor increases and new regulatory charges, which may be passed through upon notice.
3.6 True‑Ups
Seat/device counts may be trued up as stated in the Service Order. Increases take effect immediately; decreases apply at the next term/renewal unless otherwise agreed.
3.7 Third‑Party Charges
Client is responsible for non‑cancellable third‑party costs committed on Client's behalf.
4. Changes and Out‑of‑Scope Work
4.1 Change Management
Material changes to scope, assumptions, or timelines require a written change order or updated Service Order.
4.2 Time‑and‑Materials
Work not expressly included in a Service Order will be billed at the then‑current hourly rates.
5. Services; Service Levels and Support
5.1 Services
Provider will deliver the services described in each Service Order using commercially reasonable skill and care, consistent with industry practices.
5.2 Service Levels
Any SLAs or response targets will be stated in the applicable Service Order or schedule. Service credits, if any, are Client's sole and exclusive remedy for failure to meet stated service levels, and such credits do not constitute damages or penalty.
5.3 Onboarding
Provider may provide onboarding at the start of a Service; any credits/discounts are conditional on completion of the Initial Term unless otherwise agreed.
5.4 Client Environment
Provider's performance depends on Client's timely access, information, and fulfilment of responsibilities.
6. Client Responsibilities
6.1 Access and Cooperation
Client will provide reasonable access to systems, facilities, and personnel as needed.
6.2 Designated Contacts
Client will appoint an authorized contact for decisions and approvals.
6.3 Acceptable Use
Client and users will comply with applicable laws and any acceptable use requirements stated in a Service Order.
6.4 Licensing Compliance
Client will maintain valid licenses for Client‑provided software and systems.
6.5 Security Responsibilities
Client is responsible for:
(a) Implementing and maintaining appropriate security controls for systems, data, and operations not within the scope of Provider's Services;
(b) Promptly applying security patches and updates to Client-managed systems;
(c) Training users on security awareness, acceptable use policies, and incident reporting;
(d) Establishing and testing business continuity and disaster recovery plans;
(e) Maintaining appropriate cybersecurity insurance coverage;
(f) Promptly reporting suspected security incidents to Provider;
(g) Cooperating with Provider during incident response activities, including providing timely access, information, and decision-making authority.
7. Data Ownership, Privacy, and Security
7.1 Ownership
Client owns all rights in Client Data. Provider obtains no rights other than to provide the Services.
7.2 Security
Provider will implement administrative, physical, and technical safeguards consistent with industry practices and applicable privacy laws, including PIPEDA.
7.3 Confidentiality of Data
Provider will treat Client Data as Confidential Information.
7.4 Data Return/Deletion
Upon request within 30 days after termination, Provider will deliver Client Data in a commonly used, machine‑readable format and then securely delete remaining copies, except as required by law or backup retention cycles.
7.5 Incident Notice and Response
(a) Provider will notify Client without undue delay upon confirming a security incident impacting Client Data.
(b) Provider will cooperate in investigation and remediation within the scope of the Services and to the extent commercially reasonable.
(c) Client is responsible for: (i) its own incident response activities, including legal counsel, forensics, public relations, regulatory notifications, and credit monitoring; (ii) costs associated with incident response beyond Provider's standard Services; and (iii) determining whether regulatory notification obligations apply.
(d) Provider's incident response obligations are limited to the Services expressly identified in the Service Order. Additional forensics, remediation, or consulting services may be provided on a time-and-materials basis or separate statement of work.
8. Confidentiality
8.1 Obligations
Each Party will protect the other's Confidential Information with the same care it uses for its own, and at least reasonable care.
8.2 Exclusions
Information is not confidential if it is public without breach, independently developed, or rightfully obtained from a third party without duty of confidentiality.
8.3 Compelled Disclosure
A Party may disclose Confidential Information if required by law, after providing reasonable notice if legally permitted.
9. Intellectual Property and Licensing
9.1 Provider Materials
Provider retains all IP in its pre‑existing tools, methods, and software ("Provider Materials"). Provider grants Client a non‑exclusive, non‑transferable licence to use Provider Materials delivered under a Service Order solely for Client's internal business purposes.
9.2 Deliverables
Subject to payment of fees, Client receives a perpetual, non‑exclusive licence to use deliverables for internal purposes.
9.3 Third‑Party Products
Third‑party terms may apply as specified in a Service Order; Client agrees to comply with such terms.
10. Warranties and Disclaimers
10.1 Warranties
Provider warrants it will perform Services in a professional and workmanlike manner.
10.2 Disclaimer
Except as expressly stated, the Services and deliverables are provided "as is." Provider does not warrant that the Services will be uninterrupted, error‑free, or free of vulnerabilities, or that they will prevent, detect, or remediate all security events or cyber attacks. Provider is not responsible for outages or failures of third‑party or upstream services, including but not limited to public clouds, internet service providers, power utilities, data centre providers, domain registrars, SaaS platforms, or email and telecommunications networks.
10.3 Third‑Party Dependencies
The Services may rely on third‑party hardware, software, platforms, or networks. Client acknowledges that third‑party terms may apply (as referenced in the Service Order) and that Provider is not liable for acts, omissions, changes, price increases, limits, or failures of such third parties. Provider will use commercially reasonable efforts to coordinate remediation with the applicable third party.
10.4 Cybersecurity Acknowledgments
Client acknowledges and agrees that:
(a) No security measure is absolute, and cyber threats evolve continuously. While Provider implements industry-standard safeguards, Provider cannot guarantee prevention of all security incidents, breaches, or cyber attacks.
(b) Client is responsible for maintaining its own cybersecurity insurance, incident response plans, business continuity plans, and disaster recovery procedures appropriate to Client's risk tolerance and business requirements.
(c) Client's security posture depends on factors outside Provider's control, including but not limited to: user behavior, password management, phishing susceptibility, social engineering attacks, zero-day vulnerabilities, supply chain attacks, and Client's own security policies and controls.
(d) Provider's obligations are limited to those expressly stated in the applicable Service Order. Provider is not an insurer and does not assume liability for Client's business losses, regulatory fines, notification costs, remediation expenses, or other damages resulting from security incidents.
(e) In the event of a security incident, Provider will use commercially reasonable efforts to investigate, contain, and remediate the incident within the scope of Services, but Provider is not responsible for costs or consequences beyond Provider's direct actions or omissions.
10.5 Acknowledgment for Residential and Individual Clients
For services provided to residential or individual clients (non-business use), Client further acknowledges and agrees that:
(a) Nature of Residential Services
Residential cybersecurity services are designed to reduce risk, not eliminate it. No security service can prevent all threats, particularly those involving user actions such as clicking malicious links, sharing passwords, downloading unauthorized software, or disabling security features.
(b) Services Not Included
Provider's residential services do not include and Provider is not responsible for:
(i) Monitoring, controlling, or supervising the online activities or behavior of household members;
(ii) Preventing users from clicking phishing links, visiting malicious websites, or downloading harmful content;
(iii) Guaranteeing prevention of all malware, ransomware, phishing attacks, social engineering attempts, or cyber fraud;
(iv) Protecting against actions taken by household members that bypass, disable, or circumvent security measures;
(v) Providing 24/7 real-time monitoring or immediate incident response (unless specifically included in the Service Order);
(vi) Legal advice, identity theft protection services, credit monitoring, or fraud resolution services;
(vii) Recovery of financial losses, personal information, or other damages resulting from cyber incidents;
(viii) Compliance with specific regulations or legal requirements applicable to the Client's personal situation.
(c) Strongly Recommended Practices
Provider strongly recommends that residential clients:
(i) Maintain homeowner's or renter's insurance policies that include cyber liability or identity theft coverage;
(ii) Educate all household members (including children) about basic cybersecurity practices and online safety;
(iii) Use strong, unique passwords for all accounts and enable multi-factor authentication wherever available;
(iv) Keep all devices and software up to date with the latest security patches;
(v) Exercise caution with emails, links, attachments, and requests for personal or financial information;
(vi) Report any suspicious activity, emails, or potential security issues to Provider immediately;
(vii) Follow all security recommendations and best practices provided by Provider.
(d) Shared Responsibility Model
Client understands and accepts that residential cybersecurity is a shared responsibility requiring cooperation between:
(i) Provider's role: Installing and maintaining technical security safeguards, monitoring for threats within the scope of Services, providing guidance and support, and responding to incidents within the agreed service levels; AND
(ii) Client's role: Following safe computing practices, educating household members, maintaining insurance coverage, promptly reporting issues, and cooperating during incident response.
(e) Limitation of Liability for Residential Services
Provider cannot and does not accept responsibility for security incidents or damages that result from:
(i) Actions or inactions of Client or household members, including but not limited to clicking phishing links, using weak passwords, sharing credentials, downloading malicious software, or ignoring security warnings;
(ii) Household members under the age of 18 whose online activities are the responsibility of their parents or guardians;
(iii) Devices, accounts, or systems not specifically covered under the Service Order;
(iv) Social engineering, fraud, or scams that exploit human behavior rather than technical vulnerabilities;
(v) Zero-day exploits, advanced persistent threats, or nation-state level attacks;
(vi) Failures or breaches of third-party service providers (email providers, cloud storage, social media platforms, financial institutions, etc.).
(f) Insurance Requirement
Client acknowledges that homeowner's or renter's insurance with cyber liability coverage is the appropriate primary protection against financial losses from cyber incidents affecting residential clients. Provider's services are technical safeguards only and do not replace or substitute for appropriate insurance coverage.
(g) Reasonable Expectations
Client understands that residential cybersecurity services, given their pricing and scope, provide a baseline level of protection appropriate for home use. They are not equivalent to enterprise-grade security operations centers, 24/7 monitoring, or dedicated incident response teams, unless such services are specifically detailed and priced in the Service Order.
10.6 Use of Artificial Intelligence and Machine Learning
(a) AI-Enabled Services
Provider's Services may incorporate artificial intelligence (AI), machine learning (ML), and automated decision-making technologies, including but not limited to:
(i) Threat detection and analysis systems that use AI/ML to identify malicious emails, malware, phishing attempts, and security anomalies;
(ii) Automated security monitoring and alerting systems;
(iii) Content filtering, spam detection, and email classification tools;
(iv) Security recommendations, analysis, or reporting that may be generated or assisted by AI technologies;
(v) Third-party platforms and services (such as email security providers, endpoint protection tools, and cloud services) that utilize AI/ML in their operations.
(b) AI Limitations and Disclaimers
Client acknowledges and agrees that:
(i) AI and ML technologies are not infallible and may produce errors, inaccuracies, false positives (flagging safe content as threats), or false negatives (missing actual threats);
(ii) AI systems learn from patterns and data, and their effectiveness depends on training data quality, evolving threat landscapes, and system limitations beyond Provider's control;
(iii) No AI-powered security tool can guarantee 100% accuracy in threat detection, and some legitimate threats may evade detection while some safe activities may be incorrectly flagged;
(iv) AI-generated recommendations, reports, or analysis should be reviewed and validated by qualified personnel before being relied upon for critical decisions;
(v) Provider does not warrant that AI-enabled services will detect all threats, prevent all security incidents, or operate without errors, interruptions, or inaccuracies.
(c) Third-Party AI Systems
Many security platforms used by Provider (including email security, endpoint detection, and threat intelligence services) incorporate proprietary AI/ML technologies developed and controlled by third-party vendors. Client acknowledges that:
(i) Provider has limited or no control over how third-party AI systems operate, learn, or make decisions;
(ii) Third-party AI systems may be updated, modified, or changed by vendors without Provider's advance notice or approval;
(iii) Provider is not liable for errors, omissions, biases, or failures of third-party AI systems, even when such systems are integral to the Services;
(iv) Provider will use commercially reasonable efforts to select reputable vendors and monitor AI system performance, but cannot guarantee third-party AI accuracy or reliability.
(d) Data Processing by AI
Client acknowledges that:
(i) AI-enabled services may process, analyze, or learn from Client Data (including email content, file metadata, usage patterns, and security events) to provide threat detection and security services;
(ii) Third-party AI platforms may process Client Data in accordance with their own privacy policies and terms of service, which Client agrees to review and accept;
(iii) Provider will use commercially reasonable efforts to ensure third-party AI vendors comply with applicable privacy laws (including PIPEDA) and maintain appropriate data protection safeguards;
(iv) Client should not include highly sensitive, confidential, or regulated data in systems protected by AI-enabled services unless Client has verified that such processing is compliant with applicable laws and Client's own policies.
(e) Human Oversight
Provider maintains human oversight of AI-enabled security services, including:
(i) Reviewing AI-generated alerts and recommendations before taking significant actions;
(ii) Investigating and validating AI-detected threats when appropriate;
(iii) Providing human judgment and expertise in incident response and security decision-making.
However, Client acknowledges that not every AI decision or alert can be manually reviewed, and some automated actions (such as blocking suspected malicious emails or quarantining potential threats) occur in real-time without human intervention.
(f) No Liability for AI Errors
Provider is not liable for damages, losses, or consequences resulting from:
(i) AI false positives that block, quarantine, or flag legitimate content, emails, files, or activities;
(ii) AI false negatives that fail to detect actual threats, malicious content, or security incidents;
(iii) AI-generated recommendations, reports, or analysis that contain errors, omissions, or inaccuracies;
(iv) Decisions made by Client based on AI-generated information or recommendations;
(v) Changes, updates, or failures of third-party AI systems beyond Provider's control;
(vi) Biases, limitations, or unexpected behaviors of AI/ML algorithms.
Such errors and limitations are inherent risks of AI technology and are excluded from Provider's liability under Section 12.
(g) Client Responsibilities
Client is responsible for:
(i) Understanding that AI-enabled services have limitations and are not substitutes for human judgment, expertise, or decision-making;
(ii) Not relying solely on AI-generated recommendations for critical business or security decisions without independent validation;
(iii) Reporting AI errors, false positives, or missed threats to Provider so that systems can be tuned and improved;
(iv) Accepting that some level of AI error (both false positives and false negatives) is unavoidable and inherent to the technology;
(v) Maintaining appropriate insurance coverage (including cyber liability insurance) as AI-enabled security services do not eliminate all risks.
(h) Continuous Improvement
Provider will use commercially reasonable efforts to:
(i) Monitor and tune AI systems to improve accuracy and reduce false positives/negatives over time;
(ii) Stay informed about AI technology developments and vendor updates;
(iii) Provide feedback to third-party AI vendors regarding performance issues or improvement opportunities;
(iv) Update AI-related policies and practices as technology and regulations evolve.
(i) Regulatory Compliance
As AI regulations evolve in Canada (including anticipated legislation under Bill C-27 - Artificial Intelligence and Data Act), Provider will make commercially reasonable efforts to maintain compliance. Client acknowledges that AI regulatory requirements may change, and such changes may require modifications to Services, additional costs, or adjustments to AI usage, which will be communicated pursuant to Section 16 (Updates to MSA).
11. Indemnification
11.1 By Provider
Provider will defend and indemnify Client against third‑party claims that Provider Materials used in the Services infringe that third party's IP rights, subject to customary exclusions (e.g., combinations not supplied by Provider, Client instructions, or unsupported uses).
11.2 By Client
Client will defend and indemnify Provider against claims arising from Client Data, Client‑provided materials, or Client's misuse of the Services.
11.3 Process
The indemnified Party must promptly notify the indemnifying Party and provide reasonable cooperation; the indemnifying Party controls the defence.
12. Limitation of Liability
12.1 Cap
Except for confidentiality or IP infringement obligations, each Party's total liability under this MSA and any Service Order will not exceed the fees paid or payable by Client in the twelve (12) months preceding the event giving rise to the claim, subject to a minimum of $10,000 CAD and a maximum of $100,000 CAD.
12.2 Exclusion
Neither Party is liable for indirect, incidental, special, punitive, or consequential damages, including loss of profits or data.
12.3 Essential Basis
The limitations form an essential basis of the bargain.
13. Subcontractors; Non‑Solicitation
13.1 Subcontractors
Provider may use subcontractors; Provider remains responsible for their performance.
13.2 Non‑Solicitation
During the Term and for twelve (12) months thereafter, neither Party will solicit for employment any personnel of the other who were materially involved in the Services, except through general solicitations.
14. Force Majeure
Neither Party is liable for delays or failures due to events beyond its reasonable control (e.g., natural disasters, acts of government, network outages, strikes), provided it uses commercially reasonable efforts to mitigate.
15. Notices; Governing Law; Dispute Resolution
15.1 Notices
Legal notices must be in writing and sent to the addresses set out in the applicable Service Order (or updated by notice) via email with confirmation, courier, or certified mail.
15.2 Governing Law
This MSA is governed by the laws of Ontario and the federal laws of Canada applicable therein.
15.3 Dispute Resolution
The Parties will escalate disputes to senior management in good faith before pursuing litigation. Venue is the courts of Ontario.
16. Updates to this MSA
Provider may update this MSA from time to time. Updates apply (a) immediately to new Service Orders issued after the update, and (b) to existing renewable Services at the next renewal after 30 days' notice to Client. Material changes will not apply mid‑term unless required by law, security, or third‑party vendor changes.
17. Entire Agreement; Miscellaneous
17.1 Entire Agreement
This MSA, together with all Service Orders and referenced schedules, is the complete agreement regarding its subject matter and supersedes prior discussions.
17.2 Assignment
Neither Party may assign without the other's consent, except to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets, with notice.
17.3 Severability; Waiver
If any provision is unenforceable, the remainder remains in effect. Failure to enforce is not a waiver.
17.4 Counterparts; Electronic Signatures
Service Orders may be executed in counterparts and by electronic signature.
17.5 Audit Rights
Upon reasonable notice and no more than once per year, Client may audit Provider's compliance with this MSA's confidentiality and data security obligations, at Client's expense, during business hours, subject to Provider's security and confidentiality requirements. Provider may satisfy this obligation by providing SOC 2, ISO 27001, or similar third-party audit reports in lieu of direct audit.
17.6 Artificial Intelligence Regulation Compliance
As artificial intelligence regulations develop in Canada, including under Bill C-27 (Artificial Intelligence and Data Act - AIDA) or successor legislation, Provider will make commercially reasonable efforts to comply with applicable requirements.
Client acknowledges that:
(a) New AI regulations may require changes to how AI systems are used, documented, or disclosed;
(b) Compliance with new AI regulations may result in additional costs, service modifications, or limitations on AI functionality;
(c) Provider may need to update AI-related terms, obtain additional consents, or provide additional documentation to maintain regulatory compliance;
(d) Such changes will be communicated pursuant to Section 16 (Updates to MSA) and may be implemented as necessary to maintain legal compliance.
Schedule A — Definitions
"AI/ML Technologies" means artificial intelligence, machine learning, neural networks, natural language processing, automated decision-making systems, and similar technologies used within the Services or by third-party platforms to analyze data, detect threats, classify content, or provide security functions.
"Client Data" means data supplied by or on behalf of Client in connection with the Services.
"Confidential Information" means non‑public information disclosed by a Party that is marked confidential or should reasonably be understood as confidential.
"Deliverables" means work product specifically identified in a Service Order.
"Service Order" means any ordering document (including SOW or Quote or Proposal) that references this MSA.
"Services" means the services described in a Service Order.
"Term" means the Initial Term and any renewal terms set out in a Service Order.
"Third-Party AI Systems" means AI/ML technologies developed, owned, controlled, or operated by third-party vendors (including but not limited to Proofpoint, Microsoft, Google, or other security platform providers) that are incorporated into or used in connection with the Services.
Schedule B — Data Protection (PIPEDA)
B1. Purpose Limitation
Provider will process Client Data solely to deliver the Services.
B2. Safeguards
Provider will maintain reasonable administrative, physical, and technical safeguards appropriate to the nature of Client Data.
B3. Personnel
Provider will ensure personnel with access to Client Data are bound by confidentiality obligations.
B4. Breach Notice
Provider will notify Client without undue delay after confirming an incident that results in loss, unauthorized access, or unauthorized disclosure of Client Data and will provide available information to support Client's notifications under PIPEDA, if applicable.
B5. Cross‑Border Processing
Client acknowledges Services may involve processing outside the province of Ontario and outside Canada; Provider will ensure appropriate safeguards and require subcontractors to provide substantially similar protections.
B6. Return/Deletion
As set out in Section 7.4.