Terms of Service

1.1 Consulting Services. Polaris provides professional consulting services in the areas of Microsoft 365 governance, Copilot readiness assessment, data loss prevention architecture, identity and access governance, compliance framework implementation, and related advisory services. Consulting services are delivered under Statements of Work ("SOW") that incorporate and are governed by these Terms unless a separate Master Services Agreement is in effect.

1.2 Governance Hub 365 Platform. Polaris operates Governance Hub 365, a proprietary software platform providing M365 tenant analysis, governance reporting, oversharing detection, Copilot readiness assessment, and related analytics capabilities. Platform access is provided pursuant to a separate subscription agreement and is subject to both these Terms and any platform-specific terms provided at the time of subscription.

1.3 Service Modifications. Polaris reserves the right to modify, update, or discontinue any component of the Services at any time, with reasonable notice to affected clients. Material changes to paid Services will not take effect until the conclusion of the then-current subscription or engagement term, or as otherwise agreed in writing.

2.1 Account Requirements. Access to the Governance Hub 365 platform requires creation of an authorized account. You must provide accurate and complete information at registration and maintain the accuracy of that information throughout the term.

2.2 Authorized Users. Client may designate authorized users up to the number specified in the applicable subscription. Client is responsible for ensuring that all authorized users comply with these Terms and for all actions taken through authorized user accounts.

2.3 Account Security. Client is responsible for maintaining the security and confidentiality of account credentials. Client must immediately notify Polaris of any unauthorized access or suspected compromise of account credentials at security@polarisgovernance.com.

2.4 Microsoft Entra ID Integration. The Governance Hub 365 platform authenticates users through Microsoft Entra ID (formerly Azure Active Directory). Client is responsible for maintaining appropriate Entra ID configuration and for the access granted to Polaris service principals within Client's Microsoft 365 tenant.

3.1 Permitted Use. Subject to these Terms and payment of applicable fees, Polaris grants Client a limited, non-exclusive, non-transferable right to use the Services for Client's internal business purposes related to governance and administration of Client's Microsoft 365 environment.

3.2 Restrictions. Client shall not: (a) sublicense, resell, or provide access to the Services to third parties without Polaris's prior written consent; (b) use the Services to process data on behalf of entities other than Client without a separate written agreement; (c) reverse engineer, decompile, or disassemble the Governance Hub 365 platform; (d) use the Services in any manner that violates applicable law or regulation; (e) attempt to circumvent security controls or access data outside the scope of authorized permissions; (f) use the Services to develop competing products or services; or (g) permit access by persons or entities that have been suspended from the Services.

3.3 Compliance with Law. Client is solely responsible for ensuring that its use of the Services complies with all applicable laws and regulations, including but not limited to data protection laws, securities regulations, and industry-specific compliance requirements applicable to Client's business.

4.1 Microsoft 365 Tenant Access. Client is responsible for granting Polaris the Microsoft Graph API permissions and administrative roles necessary to perform the Services. Client acknowledges that Polaris requires read access to certain tenant metadata, configuration data, and usage analytics as described in the applicable SOW or service description. Polaris will not request permissions beyond those necessary to deliver the Services.

4.2 Accuracy of Information. Client is responsible for the accuracy and completeness of information provided to Polaris in connection with any engagement, including organizational structure, compliance requirements, and technical environment details. Polaris's analysis and recommendations are based on the information provided and the state of the M365 environment at the time of assessment.

4.3 Implementation Decisions. Polaris provides recommendations, frameworks, and configurations as part of its consulting services. Client retains sole responsibility for decisions regarding implementation of recommendations in Client's production M365 environment. Polaris is not liable for consequences arising from Client's implementation decisions.

4.4 Cooperation. Client shall provide timely cooperation, information access, and authorized personnel as reasonably required for Polaris to perform the Services. Delays caused by Client's failure to cooperate may result in schedule adjustments or additional charges.

5.1 Statements of Work. Each consulting engagement will be governed by a mutually executed SOW that specifies the scope of services, deliverables, timeline, fees, and any engagement-specific terms. In the event of a conflict between an SOW and these Terms, the SOW controls with respect to the specific engagement, unless the SOW expressly states otherwise.

5.2 Deliverable Acceptance. Unless otherwise specified in the SOW, Client has ten (10) business days following delivery of a deliverable to provide written notice of any material non-conformance with the agreed specifications. Failure to provide timely written notice constitutes acceptance. Acceptance does not waive Client's warranty claims for latent defects.

5.3 Scope Changes. Changes to the scope, timeline, or resources of a consulting engagement require a written change order executed by both parties. Polaris will provide a change order estimate for Client's approval prior to commencing out-of-scope work unless the parties agree otherwise in writing.

5.4 Personnel. Polaris will assign personnel to each engagement at its discretion. While Polaris will endeavor to maintain continuity of key personnel, it reserves the right to substitute qualified personnel where necessary for business or operational reasons, with reasonable advance notice to Client.

6.1 Subscription Terms. Access to the Governance Hub 365 platform is provided on an annual subscription basis unless otherwise agreed. Subscriptions automatically renew for successive one-year terms unless either party provides written notice of non-renewal at least 60 days before the end of the then-current term.

6.2 Service Levels. Polaris targets 99.5% monthly uptime for the Governance Hub 365 platform, excluding scheduled maintenance, emergency maintenance, and outages caused by Microsoft Azure or Microsoft 365 service disruptions. Detailed service level commitments are specified in Client's subscription agreement.

6.3 Data Retention. Polaris retains Client tenant data processed through the platform for the duration of the subscription plus 90 days following termination, after which it is securely deleted. Clients may request earlier deletion in writing subject to legal hold and regulatory retention obligations.

7.1 Data Processing. To the extent Polaris processes personal data on Client's behalf in connection with the Services, Polaris acts as a data processor and Client acts as a data controller under applicable data protection law. The terms of such processing are set forth in Polaris's Data Processing Agreement ("DPA"), which is incorporated herein by reference for clients whose use of the Services involves processing of personal data subject to GDPR, CCPA, or other applicable data protection regulations.

7.2 Data Minimization. Polaris collects and processes only the minimum M365 tenant data necessary to deliver the Services as described in each SOW or subscription agreement. Polaris does not access the content of individual user emails, files, or messages except as explicitly authorized in writing by Client and required for the performance of a specific consulting service.

7.3 Security Measures. Polaris maintains organizational and technical security measures designed to protect Client data against unauthorized access, disclosure, alteration, and destruction. Current security measures are described on the Security Practices page. Polaris will notify Client without undue delay upon discovery of a security incident affecting Client data.

7.4 Privacy Policy. Collection and use of information through polarisgovernance.com and related marketing activities is governed by Polaris's Privacy Policy, which is incorporated herein by reference.

7.5 Subprocessors. Polaris uses Microsoft Azure (cloud infrastructure), Microsoft Graph API (M365 data access), and a limited number of other subprocessors as required to deliver the Services. A current list of subprocessors is available upon request.

8.1 Polaris IP. Polaris retains all intellectual property rights in the Governance Hub 365 platform, its underlying technology, methodologies, frameworks, and any pre-existing materials used in delivering the Services. Nothing in these Terms transfers ownership of Polaris IP to Client.

8.2 Client Data. Client retains all intellectual property rights in Client data, including all M365 tenant data, configuration information, and business information provided to or processed by Polaris in connection with the Services.

8.3 Deliverables. Unless otherwise specified in the applicable SOW, Polaris grants Client a perpetual, non-exclusive, royalty-free license to use deliverables produced for Client in connection with Client's internal business operations. Deliverables that incorporate Polaris pre-existing IP (such as templates, frameworks, or methodology documents) are licensed, not sold, and Client may not redistribute or commercialize such materials.

8.4 Feedback. If Client provides feedback or suggestions regarding the Services, Polaris may use such feedback without restriction or compensation to Client, and Client hereby grants Polaris a perpetual, irrevocable license to do so.

8.5 Aggregate Data. Polaris may use aggregated, anonymized, and de-identified data derived from Client's use of the Services for the purposes of improving the Services, developing benchmarks, and producing industry research, provided that such data does not identify Client or any individual.

9.1 Definition. "Confidential Information" means any non-public information disclosed by one party ("Disclosing Party") to the other ("Receiving Party") that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.

9.2 Obligations. Each party agrees to: (a) hold the other party's Confidential Information in strict confidence using at least the same degree of care used to protect its own confidential information, but no less than reasonable care; (b) use Confidential Information only as necessary to exercise rights and fulfill obligations under these Terms; and (c) limit disclosure to personnel who have a need to know and are bound by confidentiality obligations no less protective than those herein.

9.3 Exceptions. Confidentiality obligations do not apply to information that: (a) is or becomes publicly known through no breach by the Receiving Party; (b) was rightfully known before disclosure; (c) is rightfully received from a third party without restriction; or (d) is independently developed without reference to the Confidential Information. Disclosure required by law or court order is permitted provided the Receiving Party gives prompt written notice to the Disclosing Party to the extent legally permitted.

9.4 Duration. Confidentiality obligations survive termination of these Terms for a period of three (3) years, except with respect to trade secrets, which remain protected for as long as they qualify as trade secrets under applicable law.

10.1 Fees. Client shall pay the fees specified in each SOW or subscription agreement. All fees are stated in US dollars unless otherwise specified. Polaris reserves the right to adjust subscription fees upon renewal with at least 90 days' written notice.

10.2 Payment Terms. Unless otherwise specified in the applicable SOW, invoices are due and payable within 30 days of the invoice date. Consulting retainer engagements are invoiced monthly in advance. Project-based engagements are invoiced according to the milestone schedule in the applicable SOW.

10.3 Late Payment. Amounts outstanding beyond 30 days accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. Polaris reserves the right to suspend Services upon 10 days' written notice for accounts overdue by 60 or more days.

10.4 Taxes. All fees are exclusive of applicable taxes. Client is responsible for all taxes, levies, or duties imposed by taxing authorities on Client's purchase of the Services, excluding taxes based on Polaris's income.

10.5 Disputes. Client must notify Polaris in writing of any fee dispute within 30 days of the invoice date. Undisputed amounts remain due and payable. Parties will negotiate fee disputes in good faith.

11.1 Polaris Warranties. Polaris warrants that: (a) consulting services will be performed in a professional and workmanlike manner by qualified personnel; (b) the Governance Hub 365 platform will perform materially in accordance with its documentation during the applicable subscription term; and (c) Polaris has the authority to enter into these Terms and will comply with all applicable laws in its performance of the Services.

11.2 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 11.1, THE SERVICES ARE PROVIDED "AS IS." POLARIS DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. POLARIS DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT ALL DEFECTS WILL BE CORRECTED. GOVERNANCE RECOMMENDATIONS AND ASSESSMENTS REFLECT POLARIS'S PROFESSIONAL JUDGMENT AT THE TIME OF DELIVERY AND DO NOT CONSTITUTE LEGAL, REGULATORY, OR COMPLIANCE ADVICE.

11.3 Regulatory Compliance. Client acknowledges that Polaris's services support but do not guarantee regulatory compliance. Responsibility for compliance with applicable laws and regulations rests solely with Client. Clients with specific legal or regulatory compliance requirements should consult qualified legal counsel.

12.1 Consequential Damages Waiver. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF GOODWILL, OR COST OF SUBSTITUTE SERVICES, ARISING OUT OF OR RELATED TO THESE TERMS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.2 Liability Cap. EACH PARTY'S TOTAL CUMULATIVE LIABILITY TO THE OTHER ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CLIENT TO POLARIS IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. FOR CLAIMS ARISING FROM A SPECIFIC CONSULTING ENGAGEMENT, LIABILITY IS CAPPED AT THE FEES PAID FOR THAT ENGAGEMENT.

12.3 Exceptions. The limitations in Sections 12.1 and 12.2 do not apply to: (a) Client's payment obligations; (b) either party's indemnification obligations under Section 13; (c) either party's breach of confidentiality obligations; or (d) damages arising from gross negligence, willful misconduct, or fraud.

12.4 Basis of Bargain. The parties acknowledge that the limitations of liability in this Section reflect a reasonable allocation of risk and form an essential basis of the bargain between the parties.

13.1 Polaris Indemnification. Polaris will defend and indemnify Client against third-party claims alleging that the Governance Hub 365 platform, as delivered and used in accordance with these Terms, infringes a valid US patent, copyright, or trade secret. This indemnification does not apply to claims arising from: (a) Client's modification of the platform; (b) use of the platform in combination with products or services not provided by Polaris; or (c) Client's failure to implement updates or patches provided by Polaris.

13.2 Client Indemnification. Client will defend and indemnify Polaris against third-party claims arising from: (a) Client's use of the Services in violation of these Terms; (b) Client's violation of applicable law; (c) Client's data or content processed by Polaris on Client's behalf; or (d) Client's implementation of Polaris recommendations in Client's M365 environment.

13.3 Indemnification Process. The indemnified party must: (a) promptly notify the indemnifying party of the claim; (b) give the indemnifying party sole control of the defense; and (c) provide reasonable cooperation. The indemnifying party may not settle any claim that imposes obligations on the indemnified party without prior written consent.

14.1 Term. These Terms are effective from the date Client first accesses the Services or executes an SOW and continue until terminated in accordance with this Section.

14.2 Termination for Cause. Either party may terminate these Terms or any SOW upon 30 days' written notice if the other party materially breaches its obligations and fails to cure the breach within the notice period. Some breaches, including failure to pay, unauthorized use of the Services, or breach of confidentiality, may entitle the non-breaching party to immediate termination.

14.3 Termination for Convenience. Either party may terminate a subscription or specific SOW for convenience in accordance with the terms of that subscription or SOW. These Terms as a whole may be terminated for convenience upon 90 days' written notice provided no active SOWs or subscriptions remain in effect.

14.4 Effect of Termination. Upon termination: (a) all licenses granted under these Terms immediately cease; (b) each party returns or destroys the other party's Confidential Information; (c) Client's access to Governance Hub 365 is revoked; and (d) accrued payment obligations survive. Polaris will provide Client a 30-day data export window following termination. Provisions that by their nature should survive termination — including Sections 8, 9, 11.2, 12, 13, 15, and 16 — remain in effect.

15.1 Governing Law. These Terms are governed by the laws of the State of Delaware, United States, without regard to conflict of law principles.

15.2 Informal Resolution. Before initiating formal dispute resolution, the parties agree to attempt to resolve disputes informally for at least 30 days. Either party may initiate informal resolution by providing written notice describing the dispute.

15.3 Binding Arbitration. Except for disputes arising from intellectual property infringement or breach of confidentiality (which may be brought in courts of competent jurisdiction), all disputes arising from or related to these Terms will be resolved through binding arbitration administered by JAMS under its Streamlined Arbitration Rules, with one arbitrator, proceedings in Wilmington, Delaware, and hearings conducted in English. The arbitration award is final and binding and may be entered as judgment in any court of competent jurisdiction.

15.4 Class Action Waiver. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY WAIVES THE RIGHT TO PARTICIPATE IN ANY CLASS, COLLECTIVE, OR REPRESENTATIVE ACTION. CLAIMS MAY ONLY BE BROUGHT IN AN INDIVIDUAL CAPACITY.

16.1 Entire Agreement. These Terms, together with any executed SOWs, MSA, DPA, and subscription agreements, constitute the entire agreement between the parties regarding the Services and supersede all prior agreements, representations, and understandings.

16.2 Amendments. Polaris may update these Terms with 30 days' notice to Client. Continued use of the Services after the effective date of changes constitutes acceptance. Material changes will be separately communicated to active clients.

16.3 Severability. If any provision is found unenforceable, the remaining provisions remain in full force and effect.

16.4 Waiver. Failure to enforce any provision does not constitute a waiver of future enforcement rights.

16.5 Assignment. Client may not assign these Terms without Polaris's prior written consent. Polaris may assign these Terms in connection with a merger, acquisition, or sale of substantially all assets, with notice to Client.

16.6 Force Majeure. Neither party is liable for delays or failures caused by events beyond reasonable control, including acts of God, government actions, or Microsoft Azure service disruptions, provided the affected party provides prompt notice and uses reasonable efforts to mitigate the impact.

16.7 Independent Contractors. The parties are independent contractors. Nothing in these Terms creates an employment, partnership, or joint venture relationship.

16.8 Notices. Notices under these Terms must be in writing and delivered to the address or email specified in the applicable SOW or subscription agreement. Legal notices to Polaris should be directed to: legal@polarisgovernance.com.

16.9 Headings. Section headings are for convenience only and do not affect interpretation of these Terms.