Managed IT, Tactical Cybersecurity, and SOC Operations
Version 2025.10, Appendix Edition
| Document Field | Value |
| --- | --- |
| Service | ManagedCare Complete |
| Appendix Type | Service level, scope, cybersecurity operations, exclusions, and project boundary appendix |
| Prepared By | Reis Informatica Inc. |
| Client | The legal name of the client is listed on the signed Sales Order document |
| Effective Date | The effective date is listed on the signed Sales Order document |
| Governing Agreement | The Master Services Agreement (MSA) between Reis Informatica Inc. and the Client |
| Related Ordering Document | The Sales Order between Reis Informatica Inc. and the Client, identifying the subscribed services, covered locations, covered users, device counts, fees, effective date, and any negotiated deviations |
Contents
- Purpose and Appendix Status
- ManagedCare Complete Service Model
- Included Scope of Services
- Tactical Cybersecurity Baseline and Blackpoint SOC
- ManagedCare CaaS and Compliance Work Not Included
- Service Coverage, Priorities, and Response Objectives
- Project Definition and Out-of-Scope Work
- Exclusions, Limitations, and Assumptions
- Maintenance, Patching, Backups, and Reporting
- Client Responsibilities and Minimum Standards
- Communication, Escalation, and Review Cadence
- Performance Measurement and Continuous Improvement
- Force Majeure and External Dependencies
- Appendix Control
1. Purpose and Appendix Status
1.1 Purpose
This ManagedCare Complete SLA Appendix defines the service scope, operating model, service level objectives, cybersecurity baseline, client responsibilities, exclusions, and project boundaries for ManagedCare Complete services delivered by Reis Informatica Inc. The purpose of this Appendix is to make the all-inclusive service practical, predictable, and enforceable by separating day-to-day managed services from separately billable project, compliance, procurement, and third-party work.
1.2 Appendix Status
This Appendix is not a standalone master agreement. It is intended to be attached to or incorporated into the Master Services Agreement (MSA) between Reis and the Client. This Appendix describes how ManagedCare Complete is delivered when the Client subscribes to that service. It does not replace, expand, or override the legal terms of the Master Services Agreement (MSA).
1.3 Order of Precedence
If this Appendix conflicts with the Master Services Agreement (MSA), the MSA controls unless the parties expressly state otherwise in a signed writing. If this Appendix conflicts with the Sales Order, the Sales Order controls only for commercial details such as covered users, device counts, locations, subscriptions, pricing, term, and any client-specific service variations. All other operational terms in this Appendix remain in effect unless expressly amended.
1.4 Limitations of Liability Preserved
Nothing in this Appendix modifies, expands, or waives any limitation of liability, damages exclusion, indemnity, confidentiality, warranty disclaimer, dispute resolution provision, governing law provision, or similar legal protection contained in the Master Services Agreement (MSA). Service level objectives in this Appendix are operational targets and do not create service credits, liquidated damages, expanded remedies, or performance guarantees unless the MSA expressly provides them.
1.5 Meaning of All-Inclusive
All-inclusive means Reis includes the labour required to deliver routine managed IT support, monitoring, maintenance, security operations, and incident response for covered users and covered systems during the applicable coverage hours. All-inclusive does not mean unlimited projects, unlimited after-hours non-emergency work, free hardware or software, free third-party charges, free cabling, formal compliance services, line-of-business software updates or upgrades, operating system installations, operating system reinstallations, operating system rebuilds, major operating system upgrades, or business initiatives that fall outside routine operational support.
1.6 Guiding Principles
- Operate proactively, with monitoring, patching, lifecycle planning, and recurring service reviews.
- Use a cybersecurity-first baseline that includes endpoint protection, MFA, SOC monitoring, patch management, backup monitoring, and secure administration practices.
- Support practical cyber hygiene in the managed environment without representing ManagedCare Complete as a formal compliance program.
- Communicate service status, risk, and recommendations in a clear and business-focused way.
- Draw a firm line between included operational support and separately scoped projects so expectations remain clear.
2. ManagedCare Complete Service Model
2.1 Overview
ManagedCare Complete is Reis Informatica’s fully managed IT operations service for covered users and covered systems. The service combines service desk support, infrastructure management, endpoint management, Microsoft 365 and identity administration, cybersecurity tooling, Blackpoint Cyber SOC monitoring, backup monitoring, reporting, and strategic technology guidance.
ManagedCare Complete is designed for stable business environments that agree to Reis’ technical minimum standards and security baseline. It is not designed to absorb unlimited transformation work, unmanaged technology, unsupported systems, or formal compliance obligations without separate scope and pricing.
2.2 Objectives
- Reduce avoidable outages through monitoring, preventative maintenance, and lifecycle planning.
- Provide reliable business-hours service desk support for covered users and covered systems.
- Provide after-hours response for P1 emergencies only.
- Implement a tactical cybersecurity baseline that supports common NIST CSF outcomes without becoming a formal NIST compliance program.
- Use Blackpoint Cyber and Reis security processes to detect, triage, contain, and escalate security events on enrolled systems.
- Provide practical reporting and recommendations so the Client can plan upgrades, risk reduction, and future improvements.
2.3 Covered Users, Systems, and Locations
Covered users, systems, and locations are those identified in the applicable Sales Order and accepted into Reis management. Coverage is limited to systems that meet the minimum standards in this Appendix and are enrolled in Reis management, monitoring, and security tools where applicable.
- Covered users include active Client personnel listed for ManagedCare Complete support.
- Covered systems may include business-grade Windows and Mac workstations and laptops, supported Microsoft servers, supported network equipment, approved cloud services, Microsoft 365 tenants, and approved SaaS applications. Mac coverage is subject to the Apple/macOS limitations and minimum standards in this Appendix.
- Covered locations are the Client locations identified in the Sales Order. Onsite labour for included support is available only where Reis determines onsite work is required and the location is within the agreed service area.
- Hardware, licensing, shipping, third-party vendor fees, travel expenses, and work at non-covered locations are not included unless stated in writing.
2.4 Onboarding Requirement
A system is not fully covered until it has been reviewed, documented, and enrolled in Reis-approved management and security tools. Reis may provide best-effort assistance during onboarding, but unsupported, unknown, unmanaged, or non-compliant systems may be excluded, limited, or treated as project work until brought to standard.
3. Included Scope of Services
3.1 Included Service Categories
| Service Category | Included ManagedCare Complete Scope |
| --- | --- |
| Service Desk and Incident Response | Business-hours support for covered users and covered systems. Includes triage, troubleshooting, remote support, ticket management, user assistance, and escalation for incidents and routine service requests. P1 emergency response is available after hours. |
| Endpoint and Workstation Management | Monitoring, routine patching within the limits of Section 9.3, endpoint protection enforcement, standard configuration support, performance troubleshooting, hardware health review, and support for business-grade Windows and Mac endpoints that meet the minimum standards in this Appendix. |
| Server and Core Infrastructure Management | Monitoring, patching coordination, remediation, backup-agent oversight, resource monitoring, event review, and routine administration for covered physical and virtual servers. Major redesign, migration, replacement, and role changes are projects. |
| Network and Firewall Management | Monitoring, routine configuration support, firmware advisory review, VPN support, wireless support, firewall policy maintenance, and troubleshooting for covered business-grade firewalls, switches, routers, and access points. Cabling and network redesign are projects or exclusions. |
| Microsoft 365, Identity, and SaaS Administration | User administration, group and permission support, MFA enforcement, mailbox and Teams support, license assignment assistance, Microsoft 365 configuration support, and vendor escalation for approved SaaS platforms. Tenant migrations, major reconfiguration, and compliance programs are projects. |
| Cybersecurity Operations | Deployment and monitoring of Reis-approved security tools, including endpoint protection, Blackpoint Cyber SOC integration, DNS or web protection, MFA, email security support, alert triage, containment coordination, and security recommendations. |
| Patch and Vulnerability Remediation | Routine patch management for supported Microsoft Windows/Windows Server, supported Apple macOS security and stability updates where manageable through Reis tools, Microsoft security rollups, Adobe Acrobat/Reader, approved Java runtime, supported web browsers, common drivers, firmware advisory review, and security rollups. Excludes line-of-business application updates, major version upgrades, operating system installations/reinstallations/rebuilds/upgrades, and third-party Apple App Store applications unless separately scoped. |
| Backup Monitoring and Recovery Support | Monitoring of Reis-approved backup jobs, alert response, sample restore validation, restore support for covered backup sets, and recommendations for retention or capacity. Backup storage costs and unsupported data sources are excluded. |
| Vendor Liaison | Coordination with ISPs, Microsoft, line-of-business vendors, hardware vendors, and cloud providers when a covered incident involves those providers. Vendor fees, vendor-caused delays, and vendor project management are excluded unless separately scoped. |
| User Lifecycle Support | Routine onboarding, offboarding, access changes, MFA setup, mailbox setup, group membership updates, and standard device preparation when completed using Reis standard procedures. Bulk, acquisition-driven, or non-standard user changes may be projects. |
| Asset and Lifecycle Management | Inventory tracking for covered assets, warranty visibility where available, lifecycle recommendations, and budget planning support. Hardware, licensing, procurement costs, and mass refresh labour are excluded unless separately scoped. |
| Client Success, TAM, and vCIO Guidance | Recurring service reviews, roadmap recommendations, lifecycle planning, risk discussions, and practical IT strategy. Formal compliance governance, policy writing, control mapping, and audit support are part of ManagedCare CaaS or separate projects. |
| AI and Automation Support | Operational support for approved AI or automation tools integrated into the managed environment, limited to access, security, monitoring, and incident support. Custom AI development, model training, data governance, and AI compliance policy work are excluded unless separately scoped. |
3.2 Standard Support Inclusions
- Troubleshooting and resolving incidents affecting covered users and covered systems.
- Routine account administration, password resets, MFA assistance, group changes, and mailbox support.
- Standard installation or removal of approved, licensed, and compatible end-user software, limited to routine setup and removal. This does not include line-of-business software updates or upgrades, application migrations, database work, custom configuration, operating system installation, operating system reinstallation, operating system rebuild, major operating system upgrade, or third-party Apple App Store applications.
- Standard printer, scanner, VPN, Wi-Fi, and peripheral troubleshooting for business-grade supported devices.
- Security agent deployment, monitoring agent deployment, and routine remediation of tool health issues.
- Routine vendor ticket opening and follow-up when a covered issue depends on a third-party provider.
- Preventative maintenance and recommendations based on monitoring, recurring issues, and lifecycle review.
3.3 Scope Boundaries
Reis may provide advice about improvements during normal service delivery. Advice, recommendations, and roadmap items do not make the resulting work included. When the Client approves a change that falls within the project definition in Section 7, that work must be separately quoted or otherwise authorized before Reis is required to perform it.
4. Tactical Cybersecurity Baseline and Blackpoint SOC
4.1 Cybersecurity Baseline
ManagedCare Complete includes tactical cybersecurity controls intended to improve day-to-day protection, visibility, detection, response, and recovery for covered systems. Reis uses frameworks such as the NIST Cybersecurity Framework and CIS Critical Security Controls as practical references, but ManagedCare Complete is not a formal compliance implementation, audit, certification, or control maturity program.
| Cybersecurity Area | ManagedCare Complete Baseline |
| --- | --- |
| Identify | Maintain practical asset visibility for covered systems, document key infrastructure, track lifecycle risks, and raise material risks during service reviews. |
| Protect | Deploy and enforce endpoint protection, MFA, secure remote access practices, DNS or web protection, email security support, patch management, least-privilege administration, and backup coverage where subscribed. |
| Detect | Use endpoint telemetry, Blackpoint Cyber SOC monitoring, Reis monitoring tools, backup alerts, and security stack alerts to identify operational and security events. |
| Respond | Triage alerts, contain suspected threats where technically possible, coordinate credential resets or device isolation, communicate with authorized contacts, and escalate to vendors where required. |
| Recover | Support recovery from Reis-approved backups, assist with restoration of covered services, document incidents, and recommend improvements after material incidents. |
4.2 Approved Security Stack
The approved security stack may change as technologies, licensing, and threat conditions evolve. Reis may replace tools with equivalent or improved alternatives. Current or typical components include:
| Layer | Typical Platform | Purpose |
| --- | --- | --- |
| Endpoint Protection and EDR | CrowdStrike Falcon or Reis-approved equivalent | Malware, ransomware, behavioural detection, endpoint telemetry, and response capability on enrolled endpoints and servers. |
| SOC-as-a-Service | Blackpoint Cyber | 24×7 security monitoring, triage, escalation, threat hunting, and coordinated response for supported enrolled sources. |
| DNS or Web Protection | Cisco Umbrella or Reis-approved equivalent | Blocking of known malicious domains, phishing destinations, and command-and-control infrastructure where technically available. |
| Email Security and Microsoft 365 Protection | Microsoft Defender, third-party email security, SaaS backup, or approved equivalents | Email threat reduction, Microsoft 365 protection support, and SaaS backup where licensed and configured. |
| Identity and MFA | Microsoft Authenticator, Cisco Duo, or approved equivalent | MFA enforcement, secure administrator access, conditional access support, and remote access protection. |
| Awareness and Phishing Training | Reis-approved training platform where subscribed | Security education and phishing simulation where included in the order or separately subscribed. |
4.3 Blackpoint Cyber SOC Operations
Blackpoint Cyber SOC monitoring is integrated into ManagedCare Complete for supported and enrolled systems where licensed. SOC activity is limited by the data sources, integrations, permissions, and telemetry available from the Client environment. Reis and Blackpoint may take protective actions such as alert escalation, process termination, device isolation, account protection, or credential reset when required to contain a credible threat.
- Detection: a security event or anomaly is identified through an enrolled tool or integration.
- Triage: SOC or Reis personnel validate severity, scope, and likely business impact.
- Containment: Reis or the SOC takes reasonable steps to reduce risk, which may include isolating systems or disabling accounts.
- Notification: Reis notifies authorized Client contacts based on severity and available information.
- Remediation: Reis coordinates cleanup, restoration, credential resets, vendor escalation, and recommendations for covered systems.
- Post-incident summary: Reis provides a written summary for material confirmed incidents after containment and closure.
4.4 Security Incident Notification Targets
| Incident Type | Target Notification |
| --- | --- |
| Confirmed P1 active security incident | Target notification to authorized Client contacts within 1 hour of confirmation, where contact information is current and communication channels are available. |
| Confirmed non-P1 security incident | Target notification within 6 business hours of confirmation or sooner if risk increases. |
| Informational or blocked security event | May be included in normal reporting unless Reis determines direct notice is required. |
4.5 Client Security Responsibilities
- Permit deployment of Reis-approved security, monitoring, backup, and management agents on all covered systems.
- Do not disable, bypass, uninstall, or materially alter Reis security tools without written approval.
- Enforce MFA for administrative access, remote access, Microsoft 365, and other sensitive systems as directed by Reis.
- Restrict local administrator rights. Exceptions require Reis approval and may require a written risk acceptance.
- Report suspected phishing, account compromise, malware, data exposure, or other security anomalies immediately.
- Maintain supported hardware, supported operating systems, supported applications, and active vendor support for business-critical systems.
- Approve reasonable security changes, upgrades, or replacements needed to reduce unacceptable risk.
- Ensure users complete security awareness training when training is included or required by the Client’s risk profile.
4.6 Security Exceptions
Reis may suspend, limit, or exclude support for any user, system, device, application, or configuration that creates unacceptable risk, cannot be adequately monitored, is unsupported, is non-compliant with minimum standards, or has been altered outside Reis change control. Reis may require remediation as a condition of continued coverage. Remediation caused by Client refusal, delay, unsupported technology, or security exception may be billed separately or treated as project work.
4.7 No Security Guarantee
Cybersecurity tools and services reduce risk but do not eliminate risk. Reis does not guarantee that all attacks, breaches, data loss, fraud, or service interruptions will be prevented or detected. Reis is not an insurer of the Client’s systems, data, revenue, or business operations. The limitations of liability and damages exclusions in the Master Services Agreement (MSA) apply to cybersecurity services and incidents.
5. ManagedCare CaaS and Compliance Work Not Included
5.1 ManagedCare Complete Is Not a Formal Compliance Program
ManagedCare Complete implements practical technical controls and operational practices that support good security hygiene. It does not include the full governance, risk, control, evidence, policy, audit, and reporting work required to formalize compliance against NIST or any other framework.
5.2 ManagedCare CaaS
ManagedCare CaaS (Compliance as a Service) is a separate service designed for Clients that want deeper formalization of NIST or similar frameworks. CaaS may include control mapping, policy development, evidence management, risk registers, formal assessments, remediation planning, audit readiness, executive reporting, and ongoing compliance program management. Unless CaaS is expressly ordered, those activities are excluded from ManagedCare Complete.
5.3 Examples of Compliance Work Excluded from ManagedCare Complete
- Formal NIST CSF, NIST 800-171, CIS, ISO 27001, SOC 2, CMMC, or industry-specific control mapping.
- Creation, maintenance, or approval of written governance policies, standards, procedures, or control narratives.
- Formal risk assessments, risk treatment plans, control maturity scoring, or board-level compliance reporting.
- Evidence collection, audit package preparation, auditor interviews, audit remediation, and compliance attestation support.
- Business continuity plans, disaster recovery plans, incident response plans, tabletop exercises, and crisis communications plans as formal documents.
- Vendor risk management, third-party security questionnaires, cyber insurance questionnaire ownership, and regulatory filings.
- Penetration testing, external vulnerability scanning programs, application security testing, privacy impact assessments, and data classification programs.
- Policy enforcement work that requires organizational authority, HR action, legal review, or executive governance decisions.
6. Service Coverage, Priorities, and Response Objectives
6.1 Coverage Hours
| Coverage Period | Hours | Included Support |
| --- | --- | --- |
| Business Hours | Monday to Friday, 8:30 a.m. to 5:00 p.m. Eastern Time, excluding Canadian statutory holidays unless otherwise agreed | All included incidents, service requests, administrative requests, and routine support for covered users and covered systems. |
| After Hours | Evenings, weekends, and holidays | P1 emergencies only. Non-emergency requests are deferred to the next business day. |
| 24×7 Security and Monitoring | Continuous monitoring where tools are deployed and operational | Automated monitoring, security alerting, Blackpoint Cyber SOC triage, and on-call escalation for qualifying emergencies. |
6.2 After-Hours Emergency Rule
After-hours support is limited to emergencies. A request is an after-hours emergency only when it qualifies as P1 under Section 6.3. Non-emergency requests submitted after hours will be acknowledged and worked at the start of the next business day according to priority. The fact that a request is inconvenient, involves an important user, was discovered after hours, or is desired before morning does not by itself make the request a P1 emergency.
Clients must use the designated emergency support channel for after-hours P1 issues. Email and portal tickets submitted after hours may be deferred unless Reis identifies the issue as a P1 emergency through monitoring or SOC escalation.
6.3 Priority Classification
| Priority | Definition | Examples |
| --- | --- | --- |
| P1 – Critical Emergency | A complete outage or confirmed active threat that materially stops a critical business function for all or a substantial portion of users, or creates imminent risk of material data loss, security compromise, or major business interruption. | Network unavailable for the site, core server failure, company-wide Microsoft 365 access outage when not caused by Microsoft alone, confirmed ransomware activity, active account compromise affecting business operations, failed critical backup during an active recovery event. |
| P2 – High | A major degradation affecting multiple users or an important business process during business hours, where a workaround is limited or unavailable. | Line-of-business application unavailable for a department, multiple users unable to access shared resources, VPN unavailable for a remote team, degraded network performance affecting operations. |
| P3 – Medium | A service issue affecting one user or a small group, or an issue with a reasonable workaround. | Single workstation failure, one user unable to print, one mailbox issue, application error affecting one user, standard peripheral issue. |
| P4 – Low / Request | General request, advisory question, scheduled change, minor issue, or task that does not materially affect productivity. | How-to question, new software request, license assignment, routine onboarding, device replacement scheduling, reporting request. |
6.4 Response and Resolution Objectives
| Priority | Target Response | Target Resolution or Containment Objective | Coverage |
| --- | --- | --- | --- |
| P1 – Critical Emergency | 30 minutes | Work continuously until contained, workaround is provided, service is restored, or vendor or Client dependency prevents further progress. Target initial containment or workaround is 2 hours where feasible. | 24x7x365 |
| P2 – High | 1 business hour | Target resolution or workaround within 1 business day where feasible. | Business hours |
| P3 – Medium | 4 business hours | Target resolution within 3 business days or scheduled based on impact, availability, and dependencies. | Business hours |
| P4 – Low / Request | 1 business day | Scheduled based on priority, availability, and required approvals. | Business hours |
These are service level objectives, not guarantees. Resolution may depend on Client availability, third-party vendors, hardware delivery, software defects, ISP outages, cloud provider outages, force majeure events, project approval, unsupported technology, or other factors outside Reis’ direct control.
6.5 Priority Assignment and Reclassification
Reis assigns and may revise priority based on business impact, urgency, number of users affected, security risk, available workarounds, and whether the issue is an incident, request, change, or project. Client preference is considered, but Reis determines final priority for operational purposes.
6.6 Onsite Response
Reis will determine whether onsite attendance is required. Remote support is the default method of service delivery. Onsite labour for included support at covered locations within the agreed service area is included when Reis determines onsite work is necessary. Onsite work outside the agreed service area, planned onsite projects, cabling, physical moves, and after-hours onsite work are excluded unless separately approved.
6.7 Courier Service and Equipment Transport
Where equipment transportation can reasonably be completed without technical expertise onsite, Reis Informatica may require the use of a courier service instead of dispatching a technician. Courier-eligible items may include, but are not limited to, workstations, monitors, phones, and accessories. For Client locations situated 25 or more kilometres by normal driving route from Reis Informatica’s office, courier service is the standard method of transport unless onsite technical work is reasonably required. Courier fees are the responsibility of the Client.
If the Client requests that a technician attend onsite where Reis Informatica determines that the matter could reasonably have been handled by courier, the visit will be billable at Reis Informatica’s standard hourly rate, including travel time to the site. This section does not apply to project work unless expressly included in the applicable project scope, statement of work, or written agreement.
7. Project Definition and Out-of-Scope Work
7.1 Purpose of the Project Definition
This section is intended to remove ambiguity from the all-inclusive service model. ManagedCare Complete includes routine operational support. It does not include business initiatives, material changes, deployments, migrations, transformations, formal compliance work, or other project work. Reis will use this section to determine whether work is included or separately billable.
7.2 Definition of a Project
A Project is any planned or non-routine body of work that is outside day-to-day support, monitoring, maintenance, or incident response for covered systems. A request is a Project if one or more of the following conditions apply:
- It introduces, replaces, migrates, materially reconfigures, expands, consolidates, upgrades, or decommissions a system, application, network, cloud service, security control, office, location, or business process.
- It requires an operating system installation, operating system reinstallation, operating system rebuild, image deployment, edition change, in-place upgrade, or major operating system version upgrade for Windows, Windows Server, macOS, or any other endpoint or server platform.
- It requires discovery, design, planning, a written scope, risk review, a change plan, a migration plan, a rollback plan, user communications, a training plan, or formal deliverables.
- It has a defined business outcome beyond restoring, maintaining, or supporting an existing covered system.
- It materially changes architecture, identity, permissions, firewall policy, network topology, data location, backup design, security posture, compliance posture, or business workflow.
- It requires coordination of multiple vendors, multiple internal teams, multiple Client departments, or a staged implementation schedule.
- It requires after-hours or weekend work by preference or change-window requirement, unless the work is emergency containment of a P1 incident.
- It is expected to require more than 4 consecutive labour hours or more than 8 aggregate labour hours within a 30-day period, except where the work is a genuine incident response required to restore an existing covered system.
- It requires onsite labour beyond a normal support visit, multiple onsite visits, travel outside the agreed service area, or physical work that is not ordinary troubleshooting.
- It is caused by Client decisions, acquisitions, reorganizations, office moves, new business requirements, unsupported technology, non-compliance with minimum standards, or refusal to approve recommended lifecycle replacement.
- It is listed as excluded or separately billable anywhere in this Appendix, the Master Services Agreement (MSA), or the Sales Order.
A planned change can be a Project even if it is small. A break-fix incident can remain included even if it takes significant time, provided the work is reasonably required to restore an existing covered system and does not become redesign, replacement, migration, or remediation of excluded conditions.
7.3 Examples of Projects
| Project Type | Examples |
| --- | --- |
| Office, Site, and Physical Changes | New office setup, office relocation, network buildout, wireless redesign, cabling coordination, rack cleanup, server room rebuild, ISP cutover, physical asset move, acquisition or closure of a site. |
| Infrastructure and Cloud Changes | Server replacement, virtualization host replacement, storage migration, firewall replacement, switch refresh, VPN redesign, Azure migration, cloud architecture change, backup redesign, disaster recovery implementation. |
| Microsoft 365 and Identity Projects | Tenant migration, domain migration, conditional access redesign, Entra ID restructuring, Intune rollout, SharePoint rebuild, Teams voice implementation, bulk permission redesign, merger or divestiture integration. |
| Operating System and Endpoint Build Projects | Windows or Windows Server installation, reinstallation, rebuild, in-place upgrade, edition change, major version upgrade, standardized image creation, Autopilot/Intune/Jamf deployment, macOS major version upgrade, Mac rebuild, bulk device provisioning, and endpoint refresh programs. |
| Security and Compliance Projects | Formal NIST implementation, policy creation, control mapping, audit readiness, cyber insurance remediation program, security architecture redesign, incident response tabletop, penetration test remediation program. |
| Application and Data Projects | Line-of-business application deployment, database migration, major version upgrade, data import or export, report writing, custom scripts, API integration, workflow automation, custom AI implementation. |
| Endpoint Rollouts and User Changes | Mass workstation refresh, standardized image redesign, more than 3 device replacements in 30 days as part of a planned refresh, more than 5 user onboardings or offboardings in 30 days caused by reorganization, acquisition, seasonal hiring, or project-driven change. |
| Remediation Caused by Non-Compliance | Bringing unsupported systems to standard, replacing end-of-life systems, rebuilding unmanaged devices, repairing environments changed outside Reis control, remediating security exceptions accepted by the Client. |
7.4 Work That Is Usually Included and Not a Project #
- Troubleshooting an incident on a covered system and restoring normal operation.
- Routine operating system patching, monitoring, health checks, backup alert response, and tool remediation.
- A standard password reset, MFA reset, mailbox setting change, group membership change, or permission change for an existing process.
- Routine onboarding or offboarding for a small number of users using standard Reis procedures, provided the Client gives reasonable notice and required licensing or hardware is available.
- Standard setup of one replacement workstation for an existing user using the approved build process, excluding hardware, licensing, shipping, and any data migration complexity outside the standard process.
- Opening and following up on a vendor ticket for a covered incident.
- Initial containment of a covered security incident, including isolation, credential reset, and security tool response.
7.5 Emergency Containment vs. Project Remediation #
Reis may take immediate action to contain a P1 incident, reduce security risk, prevent data loss, or restore critical operations. That emergency containment work is included when it relates to covered systems. Follow-up work may become a Project if it requires rebuilding systems, replacing architecture, migrating data, implementing new controls, producing formal compliance deliverables, or correcting unsupported or non-compliant conditions.
7.6 Project Approval and Billing #
When Reis determines that the requested work is a Project, Reis will notify the Client and may provide a quote, statement of work, or change order. Project work is not required to begin until approved in writing. If the Client instructs Reis to proceed before a formal quote is completed, Reis may perform the work on a time-and-materials basis at the applicable rates, subject to the Master Services Agreement (MSA) and any written approval process.
Project work is not subject to the response and resolution objectives in this Appendix unless a project statement of work expressly states otherwise. Project timelines depend on scope, approvals, third-party vendors, procurement, scheduling, and Client participation.
7.7 Mixed Requests #
Some requests contain both included support and project components. Reis may separate the included portion from the project portion. For example, Reis may restore a failed workstation as included support, while a requested company-wide device refresh remains a Project. Reis may also provide a temporary workaround as included support, while a permanent redesign, replacement, or migration is separately scoped.
8. Exclusions, Limitations, and Assumptions #
8.1 General Exclusions #
- Hardware, software, cloud subscriptions, licensing, renewals, shipping, taxes, duties, third-party charges, and vendor support fees.
- Cabling, wiring, electrical work, construction, mounting, physical security work, and facilities work.
- Consumer-grade or prosumer devices unless expressly approved by Reis.
- Unsupported, end-of-life, unlicensed, pirated, altered, or non-compliant hardware, software, operating systems, applications, or device configurations.
- Devices, users, locations, cloud tenants, applications, or data sources not identified as covered and not enrolled in Reis management tools.
- Application development, database development, report writing, data entry, data cleansing, business process consulting, and custom automation.
- End-user training beyond ordinary support guidance unless training is expressly included.
- Line-of-business application defects, vendor bugs, vendor outages, or functionality that must be corrected by the software vendor.
- Line-of-business software updates, upgrades, service packs, tax table updates, plug-ins, database/schema changes, compatibility testing, vendor release management, or application-specific remediation, unless separately scoped.
- Operating system installations, operating system reinstallations, operating system rebuilds, image creation or redeployment, edition changes, in-place upgrades, and major operating system upgrades.
- Support, patching, update responsibility, or administration for third-party applications obtained through the Apple App Store, unless expressly approved and separately scoped in writing.
- End-user or server operating systems outside current Microsoft or Apple support, including Linux, ChromeOS, beta operating systems, consumer operating systems, jailbroken/rooted devices, and other non-standard platforms unless expressly approved and separately scoped in writing.
- Data recovery from failed or unmanaged systems, unsupported storage media, personal devices, or data not protected by a Reis-approved backup solution.
- Formal legal, privacy, regulatory, compliance, or audit advice.
- Non-emergency after-hours work, planned after-hours changes, and weekend project work unless separately approved.
- Any work that meets the Project definition in Section 7.
8.2 Line-of-Business Applications #
Reis supports line-of-business applications only at the infrastructure, access, workstation/server compatibility, installation/removal coordination, connectivity, permissions, and vendor liaison levels. Updates, upgrades, service packs, tax-table updates, database/schema changes, plug-ins, application-specific configuration, custom reports, software code, data integrity, vendor release management, and remediation of application defects are excluded unless separately scoped. The Client must maintain active vendor support and is responsible for vendor charges.
8.3 Third-Party Services #
Reis will make commercially reasonable efforts to coordinate with third-party providers when their services affect covered systems. Reis is not responsible for third-party outages, provider delays, provider data loss, vendor platform defects, vendor licensing changes, or provider security incidents outside Reis control.
8.4 Procurement #
Reis may assist with procuring approved hardware, software, and licenses. Unless otherwise agreed, products, subscriptions, renewals, taxes, shipping, and related costs are charged separately and may require prepayment before ordering. Client-purchased equipment must be reviewed and approved by Reis before being introduced into the managed environment.
9. Maintenance, Patching, Backups, and Reporting #
9.1 Maintenance Overview #
Reis performs maintenance activities intended to preserve stability, security, and performance of covered systems. Maintenance may include patch management within the limits in Section 9.3, firmware review, monitoring remediation, backup validation, security tool health checks, log review, capacity review, and lifecycle recommendations.
9.2 Maintenance Windows #
| Maintenance Type | Standard Window or Cadence | Notes |
| General Maintenance | Sunday 9:00 a.m. to Monday 4:00 a.m. Eastern Time where feasible | Used for routine activities intended to reduce business disruption. |
| Workstation Patching | Normally weekly or aligned to Microsoft patch cycles | Limited to the routine patch scope in Section 9.3, including supported Microsoft and Apple operating system security/stability updates, Adobe, Java, browsers, drivers, and security rollups. Excludes line-of-business updates and major operating system upgrades. |
| Server Patching | Normally monthly during approved windows | Server reboots may be required. Scope is limited to supported Microsoft server patching and routine security rollups. Operating system upgrades, server rebuilds, application upgrades, and architecture changes are Projects unless separately scoped. |
| Network and Firewall Updates | As required based on vendor advisories and risk | May require scheduled outage or separate project if architecture changes are needed. |
| Backup Validation | Monitored daily where configured, with sample restore validation on a recurring basis | Scope depends on the subscribed backup service and protected data sets. |
| Site or Infrastructure Review | As scheduled through Client Success, TAM, or project teams | May include lifecycle, environmental, and cabling observations. Remediation may be project work. |
9.3 Patch Management #
For clarity, included updates and patching under ManagedCare Complete are limited to routine security, stability, and vendor-recommended patches for the systems and components listed below. This section controls any broader use of the word "update" in this Appendix.
- Included routine patching is limited to Microsoft-supported Windows and Windows Server patches, Microsoft security rollups, Microsoft 365 and Office update channels where managed by Reis, Apple-supported macOS security and stability updates on covered Macs, Adobe Acrobat/Reader patches, approved Java runtime patches, supported web browser updates, common driver patches, firmware advisory review, and other security rollups that Reis determines are appropriate for routine managed patching.
- "Patch" or "update" does not mean an operating system installation, operating system reinstallation, operating system rebuild, image deployment, edition change, in-place upgrade, or major operating system version upgrade. Those activities are Projects unless expressly included in a separate written scope.
- Line-of-business software updates are not included. This includes accounting, ERP, CRM, legal, dental, medical, manufacturing, estimating, database-driven, and other specialized applications, along with vendor service packs, tax-table updates, database/schema updates, plug-ins, custom reports, application-specific compatibility testing, or application-specific remediation.
- For Macs, Reis support is limited to supported macOS devices that can be enrolled in Reis-approved management and security tools. Third-party applications acquired through the Apple App Store are excluded from support, patching, and update responsibility unless separately scoped in writing.
- Critical security patches may be expedited when Reis determines the risk justifies urgent action.
- Client-requested patch deferrals must be documented. The Client accepts the associated risk of deferred or refused patches.
- If a patch causes instability, Reis will make reasonable efforts to roll back, remediate, or coordinate with the vendor. Remediation that becomes application-specific repair, redesign, rebuild, migration, or major upgrade work may be treated as a Project.
- Unsupported systems may be excluded or require project remediation before routine patching can be effective.
9.4 Backup and Recovery Support #
For systems and data protected by a Reis-approved backup solution, Reis monitors backup job status, responds to alerts, performs sample restore validation, and assists with restoration when needed. Backup coverage applies only to systems, applications, and data sets configured for backup. The Client is responsible for identifying business-critical data and approving retention, recovery, and capacity requirements.
- Backup monitoring does not guarantee that every file, database, SaaS object, device, or application is backed up.
- Restore time and restore point depend on the backup product, subscription, data size, retention, connectivity, system condition, and third-party services.
- Disaster recovery design, business continuity planning, full recovery exercises, and formal DR documentation are Projects or CaaS work unless expressly included.
- Reis is not responsible for data not selected for backup, data stored outside approved locations, personal storage, shadow IT, or unsupported systems.
9.5 Reporting and Review #
| Report or Review | Typical Frequency | Purpose |
| Monthly Executive Summary | Monthly where applicable | Summarizes ticket activity, patch posture, backup status, security activity, and notable risks. |
| Backup and Restore Summary | Monthly or as configured | Summarizes backup job health, issues, and sample restore validation where available. |
| Client Success or TAM Review | As scheduled | Reviews service trends, recurring issues, lifecycle needs, and operational improvements. |
| vCIO or Strategic Review | At least annually where included, or more frequently by agreement | Reviews roadmap, budget planning, risk reduction, lifecycle priorities, and business alignment. |
| Security Incident Summary | After material confirmed incidents | Documents incident timeline, scope, containment, remediation, and recommendations based on information available to Reis. |
9.6 Emergency Maintenance #
Reis may perform emergency maintenance without prior approval when Reis reasonably believes action is required to prevent imminent failure, security compromise, data loss, or material business impact. Reis will notify the Client as soon as practicable and provide a summary of material emergency actions after completion.
10. Client Responsibilities and Minimum Standards #
10.1 General Client Responsibilities #
- Provide Reis with timely administrative access, documentation, vendor authorizations, and information required to manage covered systems.
- Use Reis official support channels for service requests, incidents, and escalations.
- Maintain accurate lists of authorized contacts, approvers, users, locations, vendors, and business-critical systems.
- Notify Reis in advance of personnel changes, office changes, acquisitions, new systems, application changes, vendor changes, and technology purchases.
- Maintain business-class power, cooling, physical security, internet connectivity, and environmental conditions suitable for reliable IT operations.
- Maintain vendor support contracts for business-critical hardware, software, applications, internet services, and cloud platforms.
- Approve required upgrades, replacements, and security changes when systems reach end of support, become non-compliant, or create unacceptable risk. Operating system installations, reinstallations, rebuilds, and major upgrades are separately scoped Project work even when required for supportability.
- Ensure users cooperate with Reis support, security procedures, maintenance windows, and incident response instructions.
10.2 Technical Minimum Standards #
| Area | Minimum Standard |
| Hardware | Business-grade devices. Servers, firewalls, switches, storage, and critical infrastructure must be under active warranty or vendor support where available. Devices beyond normal lifecycle may be excluded or supported only on a best-effort basis. |
| Operating Systems | Standard ManagedCare Complete operating system support is limited to Microsoft-supported Windows and Windows Server, and Apple-supported macOS on covered Macs. macOS devices must run a version currently supported by Apple and be compatible with Reis-approved management and security tools. Linux, ChromeOS, consumer operating systems, beta releases, jailbroken/rooted devices, and other non-standard platforms are excluded unless expressly approved and separately scoped in writing. Operating system installation, reinstallation, rebuild, edition change, or major upgrade is Project work. |
| Apple and Mac Devices | Covered Macs must be business-owned or Client-authorized business devices, enrolled in Reis-approved management and security tools, running supported macOS, and capable of required security controls. Reis support does not include consumer Apple ID or iCloud issues, Apple Store or App Store account management, personal devices, or third-party Apple App Store applications unless separately scoped in writing. |
| Network | Business-grade firewalls, switches, access points, and internet connections. Wireless networks must use Reis-approved encryption and segmentation. Inbound and outbound traffic must be controlled through approved security architecture. |
| Security | Reis-approved endpoint protection, SOC integration where licensed, MFA, remote access controls, patching, backup protection where applicable, and least-privilege administration. |
| Backup | Business-critical systems and data must use Reis-approved backup solutions and retention settings. Client must identify systems and data that require protection. |
| Licensing | All software, cloud services, and subscriptions must be properly licensed and supported by the vendor. Reis may refuse to support unlicensed, pirated, or unsupported software, App Store-sourced third-party software, software without active vendor support, or software that cannot be reasonably managed through Reis tools. |
| Documentation | Client must permit Reis to maintain accurate technical documentation for covered systems, access methods, vendor contacts, warranties, and service dependencies. |
10.3 Access and Administrative Control #
Reis requires sufficient administrative access to manage covered systems securely. Client-created administrative accounts, shared passwords, unmanaged privileged access, or disclosure of Reis credentials to third parties may result in service limitation or suspension. Privileged access exceptions may require written approval and risk acceptance.
10.4 Non-Compliance #
If the Client environment does not meet the standards in this Appendix, Reis may notify the Client and recommend remediation. Reis may limit support, exclude affected systems, classify remediation as a Project, or charge additional fees where non-compliance increases risk, support effort, or service complexity. Reis is not responsible for service failures caused by Client refusal or delay in addressing known non-compliance.
10.5 Technology Lifecycle #
| Asset Type | Typical Maximum Lifecycle | Notes |
| Workstations and Laptops | 4 to 5 years | Must run supported operating systems and meet performance standards. SSD storage and modern security capability are strongly recommended. |
| Servers and Virtual Hosts | 5 to 6 years | Must remain under support and meet backup, security, performance, and redundancy needs. |
| Firewalls, Switches, and Access Points | 5 years | Must support current firmware, security updates, and Reis management requirements. |
| Storage Systems | 5 years | Must have monitored health, supported firmware, adequate capacity, and documented recovery requirements. |
| Operating Systems | Microsoft/Apple vendor support lifecycle | Covered Windows, Windows Server, and macOS versions must remain within Microsoft or Apple support. Operating system installation, reinstallation, rebuild, edition change, and major operating system upgrade are Project work unless expressly included in a separate written scope. |
| Line-of-Business Applications | Vendor support lifecycle | Client must maintain active vendor support. Application updates, upgrades, service packs, tax-table updates, database/schema changes, compatibility testing, and vendor release management are excluded unless separately scoped. |
11. Communication, Escalation, and Review Cadence #
11.1 Official Support Channels #
| Channel | Use |
| Client Portal | Preferred channel for submitting and tracking routine service requests and incidents. |
| Creates a service ticket for business-hours handling unless separately configured. | |
| Phone | Recommended for urgent business-hours issues and required for after-hours P1 emergencies. |
| Scheduled Meetings | Used for service reviews, vCIO discussions, project meetings, and recurring operational planning. |
Support requests, approvals, status updates, and escalations should use official channels so work is documented and auditable. Requests made directly to individual staff may be redirected into the ticketing process.
11.2 Escalation Path #
| Level | Role | Responsibility |
| Level 1 | Service Desk | Initial triage, troubleshooting, communication, and resolution for routine tickets and incidents. |
| Level 2 | Senior Technical Resource or TAM | Technical escalation, recurring issue review, standards alignment, and coordination across technical teams. |
| Level 3 | Client Success Manager | Service quality oversight, relationship management, communication review, and coordination of systemic issues. |
| Level 4 | Director or Executive Sponsor | Final operational escalation, executive engagement, and review of persistent service concerns. |
11.3 Communication Expectations #
- P1 updates: every 30 to 60 minutes where practical, until contained, stabilized, or dependent on a third party or Client action.
- P2 updates: at least once each business day while actively open, or as meaningful progress occurs.
- P3 and P4 updates: when milestones are reached, when information is needed from the Client or a vendor, or when the target changes.
- Post-incident summaries: provided for material confirmed incidents after closure or containment.
- Client approvals: required for changes that create business impact, security exceptions, project work, purchases, or planned service interruptions, unless emergency action is required.
11.4 Authorized Contacts #
The Client must maintain at least two authorized contacts who can approve changes, security actions, emergency decisions, projects, purchases, and escalations. Reis is entitled to rely on instructions from authorized contacts unless the Client has provided written notice revoking that authority.
12. Performance Measurement and Continuous Improvement #
12.1 Operational Metrics #
| Category | Example Metric | Typical Goal |
| Responsiveness | Tickets acknowledged within target response objectives | 95 percent or better, measured internally |
| Resolution | Tickets resolved or worked to reasonable closure within target objectives | 90 percent or better, excluding dependencies and projects |
| Patch Posture | Supported managed systems patched within policy | 95 percent or better where systems are healthy and available |
| Backup Health | Backup jobs completing successfully for configured backup sets | 98 percent or better, excluding vendor and Client dependencies |
| Security Coverage | Covered endpoints enrolled in required management and security tools | No unmanaged covered endpoints tolerated |
| Client Engagement | Service reviews and roadmap discussions completed | At least annually, or as agreed |
Metrics are used for service management and improvement. They are not warranties, guarantees, or service credit commitments unless expressly stated in the Master Services Agreement (MSA).
12.2 Continuous Improvement #
Reis reviews ticket trends, recurring issues, monitoring data, security alerts, lifecycle risks, backup health, and Client feedback to identify improvements. Recommended improvements may be handled as included operational changes, client tasks, lifecycle recommendations, CaaS activities, or Projects depending on scope.
12.3 Client Feedback #
Client feedback may be collected through ticket surveys, service reviews, strategic meetings, and direct communication with Client Success. Reis uses feedback to improve service delivery, staff training, documentation, and roadmap recommendations.
13. Force Majeure and External Dependencies #
13.1 Force Majeure #
Reis is not responsible for delay, interruption, or failure to perform caused by events beyond its reasonable control, including natural disasters, fire, flood, storm, war, terrorism, civil unrest, pandemic, labour disruption, power grid failure, utility failure, widespread telecommunications failure, government action, supply chain disruption, vendor failure, or acts or omissions of the Client or third parties.
13.2 External Providers #
| External Dependency | Scope Limitation |
| Internet Service Providers | Connectivity failures, bandwidth limitations, routing issues, carrier outages, circuit delays, and ISP support delays. |
| Microsoft 365, Azure, and SaaS Providers | Cloud outages, authentication failures, licensing platform issues, vendor data centre failures, feature changes, and vendor-side incidents. |
| Security Vendors | Platform outages, false positives, false negatives, vendor telemetry issues, agent defects, and vendor-side service interruptions. |
| Backup Vendors | Cloud repository outages, appliance failures outside support, vendor software defects, storage provider issues, and restore limitations caused by the product or subscription. |
| Utilities and Facilities | Power failures, cooling failures, physical access restrictions, building incidents, and environmental problems. |
| Client-Managed Systems | Systems, devices, accounts, data, applications, vendors, Apple IDs, Apple App Store applications, or configurations outside Reis management or changed without Reis approval. |
13.3 Reis Commitment During External Events #
- Validate the issue where possible and document observable impact.
- Notify authorized Client contacts when the event is confirmed and materially affects covered systems.
- Open or coordinate vendor tickets where Reis has authorization and sufficient access.
- Provide status updates based on available information and vendor communications.
- Recommend mitigation options such as redundant internet, upgraded backup design, alternate access methods, or replacement systems where appropriate.
13.4 Service Metrics During External Events #
Downtime, degradation, delay, or data loss caused by force majeure events, third-party providers, Client-managed systems, unsupported systems, or conditions outside Reis control is excluded from Reis service performance metrics and does not create a breach of this Appendix.
14. Appendix Control #
14.1 Version Control #
| Field | Value |
| Document Name | ManagedCare Complete SLA Appendix |
| Version | 2025.10 Appendix Edition |
| Prepared By | Reis Informatica Inc. |
| Supersedes | Prior ManagedCare Complete SLA wording for appendix use |
| Next Review | Annual review or earlier if service, legal, security, or operational requirements materially change |
| Confidentiality | Confidential and Proprietary – Not for Distribution |
14.2 Acknowledgment of Scope #
By incorporating this Appendix into the Master Services Agreement (MSA) or Sales Order, the parties acknowledge that ManagedCare Complete includes routine managed IT and tactical cybersecurity operations for covered systems, while Projects, formal compliance services, ManagedCare CaaS, procurement, third-party charges, excluded work, and non-emergency after-hours work are outside the included monthly service unless expressly stated in writing.