Cloud Service Agreement
Effective: June 1, 2026
This Cloud Service Agreement (“CSA”) supplements and is incorporated by reference into the Terms of Service (together, the “Agreement”) between MySummitKeep LLC, a Florida limited liability company (“MySummitKeep,” “we,” “us,” or “our”), and the customer accepting or subject to the Agreement (“Customer,” “you,” or “your”). This CSA describes the operational, security, and infrastructure commitments associated with MySummitKeep’s cloud-hosted Service.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service or the Data Processing Addendum.
- “Authorized User” means an individual user permitted by Customer to access the Service under Customer’s account.
- “Cloud Provider” means Microsoft Azure, operated by Microsoft Corporation, including its successors and assigns.
- “Documentation” means MySummitKeep’s then-current online help and policy materials.
- “Microsoft Online Services Terms” or “MOST” means the Microsoft Online Services Terms and the related Data Protection Addendum and Service Level Agreements applicable to Azure.
2. Hosting and Infrastructure
2.1 Architecture
The Service is hosted on Microsoft Azure infrastructure-as-a-service and platform-as-a-service components, including Azure App Service, Azure SQL Database, Azure Storage, Azure Communication Services (for SMS), Azure Key Vault, and Azure Application Gateway / Web Application Firewall.
2.2 Multi-tenancy
The Service is multi-tenant. Tenant data is logically separated by tenant identifier and access controls.
2.3 Updates
We update the Service regularly. Updates are deployed in a manner intended to avoid disruption. Material reductions in functionality of an existing paid feature will be communicated to Customer at least thirty (30) days in advance.
3. Service Availability
3.1 No Service Credits
MySummitKeep does not provide service credits, refunds, or other monetary remedies for service availability issues. Customer’s sole remedy for material, persistent unavailability is termination of the Agreement under the Terms of Service.
3.2 Availability Goal
MySummitKeep targets best-effort availability of the production Service consistent with commercially reasonable industry practices for cloud-hosted SaaS. Because the Service is hosted on Microsoft Azure, the practical ceiling on MySummitKeep’s availability is determined by the composite Service Level Agreements of the Azure components in the critical path (Section 3.3). MySummitKeep does not commit to availability beyond what the underlying Azure infrastructure provides.
3.3 Underlying Azure Component SLAs
The Microsoft-published SLAs for the Azure components in the Service’s critical path, as of the effective date, are:
| Component | Microsoft Published SLA |
|---|---|
| Azure App Service (Standard / Premium tier, multi-instance) | 99.95% |
| Azure SQL Database (General Purpose, single instance) | 99.99% |
| Azure Storage (LRS / GPv2 Blob) | 99.9% |
| Azure Application Gateway / WAF (zone-redundant) | 99.95% |
| Azure Key Vault | 99.9% |
| Azure Communication Services (SMS) | 99.9% |
When multiplied across the full critical path, these component SLAs yield a theoretical composite availability of approximately 99.59%. Actual availability for individual transactions depends on which components are in the request path (e.g., reading documents requires App Service + Storage; sending SMS requires only Azure Communication Services).
Microsoft’s published SLAs are subject to change; the current version is at Microsoft Azure Service Level Agreements.
3.4 Status Page and Communication
MySummitKeep maintains a public status page at status.mysummitkeep.com where service incidents and planned maintenance are communicated. Subscribe to incident notifications via the status page.
3.5 Planned Maintenance
Planned maintenance is scheduled in advance and announced at least seven (7) days before, except for emergency maintenance required to address a security vulnerability or infrastructure incident. Planned maintenance does not constitute unavailability for purposes of any commitment in this CSA.
3.6 Free Tier
The free tier of the Service is provided on a best-effort basis without any availability commitment.
4. Security Commitments
4.1 Security Program
MySummitKeep maintains a written information security program designed to protect the confidentiality, integrity, and availability of Customer Data. The program is reviewed at least annually and aligned with the principles of ISO/IEC 27001 and the NIST Cybersecurity Framework.
4.2 Specific Measures
- Encryption in transit: TLS 1.2 or higher for all customer-facing traffic.
- Encryption at rest: AES-256 for all stored Customer Data, including database storage and object storage.
- Network security: Azure Web Application Firewall, DDoS protection, segmented virtual networks, restricted egress.
- Identity: Role-based access control; multi-factor authentication required for administrator accounts; least-privilege principle for personnel access.
- Key management: Azure Key Vault with hardware-security-module-backed key storage.
- Monitoring: Centralized audit logging; access to children’s records is logged; tamper-resistant log storage.
- Vulnerability management: Dependency scanning on every build; periodic penetration testing by an independent third party (at least annually).
- Personnel: Background checks where permitted by law; written confidentiality obligations; annual security training.
4.3 Customer Security Responsibilities
Customer is responsible for: (a) managing Authorized Users and their access; (b) protecting account credentials; (c) configuring role-based access controls appropriately for the unit; and (d) promptly notifying MySummitKeep of any suspected unauthorized access at security@mysummitkeep.com.
5. Data Location and Residency
5.1 Primary Location
Customer Data is processed and stored within the United States, in Microsoft Azure regions located in the continental United States (primary) and U.S. paired regions (for redundancy).
5.2 SMS Routing
SMS messages are delivered through Microsoft Azure Communication Services on a U.S. toll-free number. Mobile carriers’ networks are outside MySummitKeep’s control, and message routing through carrier infrastructure may transit jurisdictions other than the United States as required to reach the recipient device. No SMS message content is stored outside the United States by MySummitKeep.
5.3 Cross-Border Transfers
MySummitKeep does not transfer Customer Data outside the United States. If Customer requires processing in a specific U.S. region or U.S. government cloud (Azure Government), contact support@mysummitkeep.com to discuss available options.
6. Backup, Recovery, and Business Continuity
6.1 Backups
Encrypted backups of the production database are taken at least daily and retained for up to ninety (90) days. Backup storage is replicated to a paired U.S. Azure region. Backups are tested periodically.
6.2 Recovery Objectives
- Recovery Time Objective (RTO): 4 hours for tier-1 services (login, core data access).
- Recovery Point Objective (RPO): 1 hour for tier-1 data.
6.3 Business Continuity
MySummitKeep maintains a documented business continuity and disaster recovery plan, reviewed and tested at least annually.
7. Sub-processors and Vendor Management
MySummitKeep engages Sub-processors to provide elements of the Service. The current list of Sub-processors is published at https://www.mysummitkeep.com/sub-processors and reproduced in Annex C of the Data Processing Addendum. Sub-processor engagement, change notification, objection rights, and flow-down obligations are governed by Section 4 of the DPA.
8. Customer Responsibilities
Customer is responsible for:
- Maintaining the accuracy of Customer Data.
- Configuring Authorized User accounts, roles, and access permissions.
- Promptly removing former Authorized Users.
- Obtaining all required consents (including COPPA parental consent through the Service’s workflows).
- Complying with applicable law and the Acceptable Use Policy.
- Backing up any Customer Data that Customer maintains outside the Service.
9. Incident Response
9.1 Security Incident Notification
In the event of a Security Incident affecting Customer Data, MySummitKeep will notify Customer’s account administrator without undue delay, and in any event no later than the timelines set forth in the DPA Section 3.5 and, where ePHI is involved, the BAA Section 2.4.
9.2 Cooperation
MySummitKeep will provide information reasonably necessary for Customer’s regulatory or contractual notification obligations.
10. Insurance
MySummitKeep maintains the following insurance coverage with commercially reasonable insurers:
- Commercial General Liability: at least $1,000,000 per occurrence / $2,000,000 aggregate.
- Cyber Liability / Technology Errors & Omissions: at least $2,000,000 per claim and aggregate, covering data breach response, regulatory defense costs, and third-party claims arising from the Service.
- Workers’ Compensation: as required by applicable law.
Certificates of insurance are available upon written request from Customer.
11. Audits and Certifications
11.1 Third-Party Reports
MySummitKeep relies on the certifications and audit reports maintained by Microsoft Azure (including SOC 1, SOC 2 Type II, ISO 27001, ISO 27018, HITRUST, and HIPAA attestations) for the underlying cloud infrastructure. Customer may request a copy of MySummitKeep’s most recent third-party security assessment, if any, by emailing compliance@mysummitkeep.com.
11.2 Customer Audits
Customer audit rights are governed by Section 6 of the Data Processing Addendum.
11.3 Compliance Roadmap
MySummitKeep targets the following compliance milestones (subject to change):
- SOC 2 Type II report — by [target date].
- HITRUST CSF self-assessment — by [target date].
- COPPA Safe Harbor enrollment (e.g., kidSAFE or PRIVO) — under evaluation.
12. Microsoft Azure Flow-Down Provisions
The Service is built on Microsoft Azure. Certain Microsoft commitments flow down to Customer through this CSA and are reproduced or referenced below:
12.1 Azure SLA
Microsoft Azure publishes per-service SLAs at https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA. MySummitKeep’s SLA in Section 3 is MySummitKeep’s commitment to Customer; Microsoft’s Azure SLAs are between Microsoft and MySummitKeep and do not create direct rights for Customer.
12.2 Azure Data Protection
Microsoft commits to data-protection obligations under the Microsoft Online Services Data Protection Addendum (DPA), which is incorporated by reference solely as a description of the Cloud Provider’s commitments to MySummitKeep. Customer’s rights under privacy law are stated in MySummitKeep’s DPA and Privacy Policy.
12.3 Azure HIPAA BAA (Forward-Looking)
MySummitKeep does not currently process Protected Health Information (PHI) through the Service. If and when health-record functionality is enabled, MySummitKeep will execute (or rely on the existing) Microsoft Azure Business Associate Agreement covering Azure services used to process PHI, and the terms of that BAA will flow down to Customer through MySummitKeep’s Business Associate Agreement (where Customer is a HIPAA Covered Entity that has executed the BAA per its Section 0).
12.4 Microsoft Subprocessor Obligations
Where Microsoft engages subcontractors to provide Azure services, Microsoft is responsible to MySummitKeep for those subcontractors’ compliance with Microsoft’s terms. MySummitKeep remains responsible to Customer for the Service.
12.5 No Direct Microsoft Contract
This CSA does not create a direct contractual relationship between Customer and Microsoft. Customer’s contractual remedies are against MySummitKeep, subject to the limitations in the Agreement.
13. Term, Suspension, and Termination
13.1 Term
This CSA is effective for so long as Customer has an active account on the Service.
13.2 Suspension
We may suspend the Service to address a security threat, regulatory requirement, or material breach of the Agreement. We will use reasonable efforts to notify Customer in advance of suspension where practicable.
13.3 Effect of Termination
On termination of the Agreement, Section 8 of the DPA governs the return and deletion of Customer Data.
14. Order of Precedence
In the event of a conflict between this CSA and another document in the Agreement stack:
- The Business Associate Agreement controls with respect to PHI.
- The Data Processing Addendum controls with respect to Processing of Personal Data.
- An executed Order Form controls with respect to commercial terms (subscription level, fees, term).
- This CSA controls with respect to hosting, security, and operational commitments.
- The Terms of Service controls in all other respects.
Contact
MySummitKeep LLC
Attn: Compliance Team
5005 W Laurel St, Ste 100 #3250
Tampa, FL 33607
Phone: (813) 418-6800
Compliance: compliance@mysummitkeep.com
Security: security@mysummitkeep.com
Suppor