Version: 1.0
Last Updated: 04/30/2026
This Agreement outlines the services provided, important limitations, and each party’s responsibilities.
This Service Agreement (“Agreement”) is entered into by and between CyberHero LLC (“Consultant”) and the individual or entity purchasing services (“Client”) (collectively, the “Parties”). This Agreement governs the provision of cybersecurity documentation and guidance services by Consultant.
1.1 Consultant provides a combination of:
(a) limited analytical services, including preparation of a limited-scope risk assessment based primarily on Client-provided information;
(b) advisory services, including documentation drafting and general cybersecurity guidance; and
(c) optional limited review services (such as configuration checks or periodic reviews), which are not included in standard services and are provided only if separately requested and purchased.
1.2 Consultant will use reasonable efforts to provide accurate and practical recommendations based on the information provided by Client.
1.3 The purpose of these services is to provide structured, practical guidance to help reduce cybersecurity risk and support alignment with the HIPAA Security Rule.
2.1 Nature of Services
Consultant provides a structured, advisory service based solely on information provided by Client. Deliverables are intended to provide practical guidance and reduce cybersecurity risk when properly implemented, but do not constitute a comprehensive audit, technical security assessment, or guarantee of compliance or outcomes. Cybersecurity risk cannot be fully eliminated, and ongoing risk management remains the responsibility of Client.
2.2 Scope Boundaries
Consultant’s services are advisory in nature and are not legal, audit, or certified compliance services. Consultant does not provide legal advice or interpret laws or regulations, including the HIPAA Privacy Rule, HIPAA Breach Notification Rule, requirements related to non-electronic PHI, or state-specific laws.
2.3 Timing of Services
Consultant will use reasonable efforts to complete services within a practical timeframe based on the scope of work and responsiveness of Client, but does not guarantee specific completion dates.
2.4 Services Not Included
Consultant does not:
Access, log into, or configure Client systems or networks;
Access or process Protected Health Information (“PHI”);
Implement, audit, monitor, test, verify, or enforce cybersecurity controls;
Provide legal advice or guarantee regulatory compliance;
Provide guidance on HIPAA Privacy Rule, Breach Notification Rule, non-electronic PHI requirements, or state-specific laws;
Provide real-time incident response or emergency cybersecurity support;
Provide audit, investigation, or regulatory support;
Provide updates to materials outside of the Revision Policy of this Agreement;
Perform system monitoring, threat detection, malware analysis;
Provide time-critical services or guaranteed turnaround times.
2.5 Review Services Limitation
Any review, assessment, or validation services (including configuration checks or periodic reviews) are limited in scope, based solely on information provided by Client, and do not constitute a technical audit, security verification, or guarantee of implementation, effectiveness, or outcomes. Consultant does not independently test, access, or validate Client systems.
All reviews are based on point-in-time information and do not guarantee that all risks are identified or that safeguards remain effective over time.
These services are one-time engagements and do not include ongoing monitoring or support.
Such services are subject to all other limitations, disclaimers, and terms of this Agreement.
3.1 Client agrees not to transmit PHI to Consultant. Client represents and warrants no PHI will be shared. Consultant shall not be responsible for verifying whether any information provided constitutes PHI. Consultant will make reasonable efforts to notify Client if such disclosure is identified.
3.2 Consultant is not a Business Associate under HIPAA. No Business Associate Agreement (BAA) shall be required or executed.
4.1 Accuracy of Information
Client is responsible for providing complete and accurate information, and all deliverables are based solely on such information. Consultant is not responsible for identifying omissions, edge cases, or workflows not apparent from the information provided. Consultant may, but is not obligated to, request clarification where responses appear incomplete or unclear.
4.2 Implementation and Maintenance
Client is responsible for reviewing, approving, implementing, and maintaining any recommended safeguards, policies, or procedures. Consultant does not implement, enforce, or verify such measures.
4.3 Ongoing Risk Management
Client is responsible for maintaining documentation and ensuring that changes to systems, vendors, or operations are reflected in its ongoing risk management and compliance efforts. Ongoing compliance requires periodic review and other activities. Such activities are not included in the standard services described in this Agreement but may be requested separately as additional services.
4.4 Compliance Responsibility
Client is solely responsible for compliance with all applicable laws and regulations, including but not limited to the HIPAA Privacy Rule, Breach Notification Rule, requirements related to non-electronic protected health information, and state-specific laws.
4.5 Scope Acknowledgment
Client acknowledges that Consultant’s services are limited in scope and may not address all risks, vulnerabilities, or regulatory requirements. These services are intended to support, but do not by themselves ensure, security or full regulatory compliance.
4.6 Requirements and Timing of Risk Reduction
Client acknowledges that any cybersecurity benefit from Consultant’s services occurs only upon implementation by Client. Consultant shall not be liable for any security incident, breach, or compliance issue occurring prior to Client’s implementation of recommendations.
Consultant retains all copyright and intellectual property rights to deliverables. Client is granted a limited, non-transferable license to use the deliverables internally for the purposes described in this Agreement. Client may share deliverables with auditors, regulators, or other authorized parties for HIPAA compliance purposes, as well as for internal review, edits, updates, or revisions.
6.1 Fees for services will be set forth in any invoice, proposal, or written communication issued by Consultant and accepted by Client (the “Fee Schedule”). Payment of an invoice or commencement of services constitutes acceptance of the Fee Schedule and this Agreement.
6.2 Unless otherwise agreed in writing, payment is required prior to delivery of any deliverables. Consultant is not obligated to begin or continue work until payment is received.
6.3 Services outside the original scope, including revisions beyond the Revision Policy, updates, or additional documentation, will be billed separately.
7.1 Consultant may decline or terminate services upon written notice if the engagement falls outside the intended scope of services, presents material risk, or cannot reasonably be completed within Consultant’s service model or capacity.
Such termination shall not constitute breach of this Agreement.
7.2 In the event of termination, Consultant will provide a full or prorated refund as appropriate and will use reasonable efforts to minimize disruption to Client.
8.1 Client may cancel services at any time prior to delivery of the first draft of documentation.
8.2 If Client cancels before Consultant has begun work, Client is entitled to a full refund. Such work shall be considered to have commenced once the Client submits the assessment questionnaire and acknowledges authorization to begin services.
8.3 If Client cancels after Consultant has begun work, but prior to delivery of the first draft of documentation, Consultant may retain a reasonable work fee, not to exceed $175, to compensate for time spent preparing materials and reviewing Client information. Any remaining balance will be refunded to Client.
8.4 Once Consultant delivers the initial draft of documentation and risk analysis materials, services shall be considered substantially performed and no refunds will be issued.
9.1 Revision Scope
Client may request or Consultant may provide reasonable revisions or clarifications to draft deliverables within thirty (30) days of delivery. Revisions are limited to corrections, clarifications, or adjustments based on the original information provided by Client.
9.2 Scope Changes
Requests that materially change the scope of work, require new documentation, or involve new or previously undisclosed information may be treated as additional services. Consultant is not obligated to fulfill such requests and may bill them separately.
9.3 Revision Limits
Consultant reserves the right, in good faith, to determine when revision requests exceed reasonable scope or frequency.
This Agreement governs the initial services described herein as well as any future services requested by Client and accepted by Consultant, including but not limited to update, revision, review, or additional HIPAA Security related services.
Additional services may be authorized through written communication (including email) or through payment of an invoice referencing this Agreement. Such services shall automatically be subject to all terms and limitations contained in this Agreement unless the Parties agree otherwise in writing.
Consultant provides services and deliverables on an advisory basis using information provided by Client. While Consultant uses reasonable efforts to provide accurate and practical guidance, all deliverables are provided “as is” without warranties of any kind.
To the maximum extent permitted by law, Consultant disclaims all warranties, express or implied, including but not limited to fitness for a particular purpose and any warranty that deliverables will ensure regulatory compliance, identify all risks, pass audits, or achieve any specific outcome.
12.1 Consultant’s total liability arising out of or relating to this Agreement, whether in contract, tort, negligence, or otherwise, shall not exceed the total fees paid by Client under this Agreement for the services giving rise to the claim.
12.2 To the maximum extent permitted by law, Consultant shall not be liable under any theory of law (whether in contract, tort, negligence, strict liability, or otherwise) for any indirect, incidental, consequential, special, exemplary, or punitive damages, including but not limited to loss of revenue, profits, business, data, goodwill, or regulatory fines or penalties, even if Consultant has been advised of the possibility of such damages.
12.3 The parties agree that the limitations and exclusions of liability set forth in this Agreement are a fundamental basis of the bargain and shall apply notwithstanding any failure of essential purpose of any limited remedy.
Client shall indemnify, defend, and hold harmless Consultant and its owner, members, employees, contractors, and representatives from and against any and all third-party claims, demands, damages, liabilities, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to:
(a) Client’s implementation, non-implementation, or maintenance of safeguards, policies, or procedures;
(b) Client’s failure to maintain compliance with applicable laws or regulations;
(c) Any inaccurate, incomplete, or misleading information provided by Client;
(d) Client’s use or misuse of the deliverables outside the scope of their intended purpose; or
(e) Claims by patients, customers, regulators, or other third parties to the extent arising from Client’s handling of electronic protected health information (ePHI), including its use, disclosure, or protection.
Consultant shall have the right to control the defense and settlement of any claim subject to indemnification, provided that Consultant shall not settle any claim in a manner that imposes liability or obligations on Client without Client’s prior written consent (not to be unreasonably withheld).
This obligation shall not apply to the extent such claims are finally determined to result from Consultant’s gross negligence or willful misconduct.
Any dispute arising out of or relating to this Agreement that is unable to be resolved through good faith effort through informal discussion within 30 days shall be resolved by binding arbitration administered by the American Arbitration Association in Seminole County, Florida (or another mutually agreed location), in accordance with its commercial arbitration rules. The arbitration shall be conducted by a single arbitrator. Each party shall bear its own attorneys’ fees and costs, unless otherwise required by law.
15.1 Force Majeure: Consultant is not liable for delays or failure to perform caused by events beyond its reasonable control.
15.2 Governing Law: This Agreement shall be governed by the laws of the state of Florida.
15.3 Severability: If any provision is unenforceable, the remaining provisions remain in effect.
15.4 Data Retention: Consultant may retain or delete Client records, files, and communications in accordance with Consultant’s then-current Privacy Policy made available to Client upon request or through Consultant’s website. Consultant is not obligated to retain records indefinitely.
By selecting the acceptance option during the payment process and submitting payment for services, Client acknowledges and agrees to be bound by the terms of this Agreement.
Client acknowledges that it has read and understands this Agreement.
Client further acknowledges and agrees that the provisions regarding (i) Limitation of Liability, (ii) Indemnification, (iii) Warranty Disclaimer, and (iv) Arbitration are essential and material terms of this Agreement.
Client represents that it has had the opportunity to review this Agreement and seek independent legal advice prior to acceptance.
This Agreement constitutes a binding electronic agreement under applicable law.