Master Services Agreement

Status: Version 1.1 effective 2026-05-14. These revisions are an internal editorial pass intended to make the document complete and accurate. The text remains under outside-counsel review. Material legal positions (entity definition, liability cap carve-outs, AI Article 22 disclosures, Transfer Impact Assessment) are flagged for counsel and may change before final publication.

This page summarises the MSA template. The signable template itself is under counsel review and will be available to qualified Enterprise prospects under NDA before launch. Contact hello@qehsethos.com.

A signable MSA template is available to qualified Enterprise prospects under non-disclosure agreement. Contact hello@qehsethos.com to request the template along with an order form template.

Subscription term, seat count, usage add-ons (storage, API call volume), renewal mechanics, and price protection are set out in the order form referencing the MSA.

AI feature add-ons, where available, are subject to supplemental AI feature terms negotiated as part of the order form.

Service credits follow the SLA schedule with a cumulative cap of 50% of monthly fees in any billing cycle. The SLA service-credit mechanism is Customer's sole and exclusive remedy for failure to meet the uptime commitment.

Standard two-way confidentiality with customary exceptions (publicly available, independently developed, lawfully received). Confidentiality survives for 3 years after termination, indefinitely for trade secrets.

Each party retains ownership of its pre-existing intellectual property. QEHS owns the Service, including all improvements, modifications, and derivative works. Customer retains ownership of Customer Data.

Feedback licence: Customer grants QEHS a perpetual, royalty-free licence to use any feedback, suggestions, or ideas Customer provides about the Service for any purpose, without obligation to Customer.

IP indemnity from QEHS: QEHS will defend Customer against third-party claims that the Service infringes intellectual property rights, with customary obligations to pay damages and reasonable costs awarded against Customer or agreed in settlement, subject to Customer cooperation and QEHS control of the defence.

Customer indemnity: Customer will defend QEHS against third-party claims arising from (a) Customer Data placed in the Service in violation of applicable law, (b) Customer's violation of the AUP, or (c) Customer's violation of applicable export-control or sanctions law. This indemnity does NOT apply to claims arising from QEHS's breach of its security obligations under the DPA.

Aggregate liability is capped at 12 months of fees paid or payable by Customer in the period preceding the claim. The cap and the exclusion of indirect or consequential damages do NOT apply to: (a) either party's IP indemnification, (b) breach of confidentiality, (c) breach of obligations under the DPA or applicable data-protection law, (d) gross negligence or wilful misconduct, (e) death or personal injury caused by negligence, or (f) any liability that cannot lawfully be excluded.

QEHS will maintain insurance appropriate to the services provided, including: (a) cyber liability and privacy coverage with limits not less than $5 million per claim and in aggregate, (b) professional liability / errors and omissions coverage with limits not less than $2 million per claim and in aggregate, and (c) commercial general liability with limits not less than $1 million per occurrence and $2 million in aggregate. Certificates of insurance will be provided on request.

Note: QEHS's insurance procurement is in progress; minimum limits in the executed MSA will reflect actual policies in force. The figures above are the target structure for Enterprise contracts. Counsel will confirm jurisdiction-specific minimums before execution.

Customer will maintain insurance appropriate to its use of the Service, including cyber liability coverage commensurate with the sensitivity of the data Customer processes in the Service.

Beyond the DPA audit right (which covers data-protection compliance), Enterprise Customers may, no more than once per calendar year on 30 days' written notice, audit QEHS's compliance with the security and operational obligations of the MSA, subject to reasonable confidentiality and security undertakings.

On obtaining SOC 2 Type 1 attestation (in progress) and any future attestations (SOC 2 Type 2, ISO 27001), QEHS may offer the attestation report under NDA as a substitute for on-site audit at Customer's election.

Neither party is liable for failure or delay in performance caused by events beyond its reasonable control, including acts of God, war, terrorism, pandemic, government action, internet failure, third-party infrastructure failure, or cyber-attack. The affected party will notify the other and use reasonable efforts to resume performance. Payment obligations are not excused.

The MSA continues until terminated. Each order form has its own subscription term, which renews automatically unless either party gives 30 days' written notice of non-renewal.

Termination for cause: either party may terminate the MSA or any affected order form for material breach not cured within 30 days of written notice.

Termination for convenience by QEHS is permitted only at the end of the then-current subscription term on 60 days' written notice.

Effect of termination follows the corresponding section of the Terms of Service and the Data deletion and return on termination section of the DPA.

Either party may assign the MSA to a successor in a merger, acquisition, or sale of substantially all of its assets, on notice to the other party. If QEHS undergoes a change of control to a direct competitor of Customer, Customer may terminate the MSA for convenience on 60 days' written notice within 90 days of receiving notice of the change of control.

The following sections survive termination: Confidentiality and intellectual property; Indemnities and liability; Insurance (with respect to accrued claims); Audit rights (with respect to the period prior to termination); applicable provisions of the DPA; Governing law and dispute resolution; and any accrued payment obligation.

If any provision of the MSA is held invalid, illegal, or unenforceable, that provision will be modified to the minimum extent necessary to make it valid; the remaining provisions remain in full force.

The MSA is governed by the law of the jurisdiction specified in the order form (defaulting, in the absence of a specified jurisdiction, to England and Wales). The courts of that jurisdiction have exclusive jurisdiction over disputes, subject to the data-protection carve-out in the Terms of Service.