Illustrative, non-binding sample. This document is a template shown for reference only. It is not an offer, quote, or contract, and creates no obligation on any party. Every term below - including SLAs, hours, fees, and legal clauses - is a placeholder that is negotiated and finalised per engagement. It is not legal advice. Bracketed values such as [Customer] are completed during contracting.

Sample agreement

Xians ACP Commercial Support & Assurance Agreement

Between 99x ("Provider") and [Customer Legal Name] ("Customer"). Effective date: [Date]. Version: [Draft].

0 Parties & nature of this document

This Commercial Support & Assurance Agreement (the "Agreement") is entered into between 99x, a software engineering company and the maintainer of Xians ACP (the "Provider"), and [Customer Legal Name], of [Address] (the "Customer").

The Xians ACP software remains licensed to everyone under the MIT License. This Agreement does not alter, restrict, or replace that license. It adds support and assurance services provided by 99x on top of the open-source software.

1 Definitions

Software
Xians ACP (the Agent Control Plane) as published under the MIT License at the Provider's public repositories.
Supported Deployment
A single production installation of the Software operated by the Customer on infrastructure it controls. Non-production environments are covered as set out in clause 9.
Business Hours
[09:00–17:00, Mon–Fri, customer's primary timezone], excluding Provider public holidays.
Response Time
The time between the Customer logging a valid support request and a Provider engineer acknowledging it and beginning active work - not an automated acknowledgement.
Resolution / Workaround
A fix, patch, or practical workaround that restores the affected functionality to a usable state.
Severity Level
The classification of an incident's business impact (S1–S4), defined in clause 3.

2 Scope of support services

During the Term, the Provider will:

  • Provide technical support for the Software via the agreed channels (email, ticket portal, and a named-contact channel);
  • Triage, diagnose, and work to resolve defects in the Software according to the SLAs in clause 3;
  • Issue security advisories and patches per clause 4;
  • Maintain a supported, hardened build line with timely dependency upkeep per clause 5;
  • Operate the supply-chain governance controls in clause 6;
  • Accept and prioritise feature requests per clause 7;
  • Make available the included expert hours in clause 8.

3 Support tiers & response SLAs

Incidents are classified by severity. Response targets depend on the subscribed tier. The figures below are illustrative and finalised per engagement.

Illustrative response-time targets by severity and tier
Severity | Definition | Standard (9×5) | Enterprise (24×7)
S1 - Critical | Production down, data loss, or security breach. No workaround. | Same business day | Within 1 hour
S2 - High | Major degradation; workaround exists but is painful. | Next business day | Within 4 hours
S3 - Medium | Minor impact; a reasonable workaround exists. | 2 business days | 1 business day
S4 - Low | Questions, documentation, and feature requests. | 3 business days | 2 business days

Response targets commit the Provider to begin work, not to a guaranteed resolution time. For S1 incidents the Provider works continuously during the applicable support window until a workaround or fix is in place. Status updates are issued at an agreed cadence ([e.g. every 4 hours for S1]).

4 Security & vulnerability management

The Provider runs continuous automated scanning (SAST and dependency analysis) against the Software's repositories and conducts periodic manual assessments. Remediation targets are mapped to CVSS severity rather than the support tiers above (illustrative):

  • CVSS ≥ 9.0 (Critical): patch or mitigation within [24 hours] of confirmation;
  • CVSS 7.0–8.9 (High): within [72 hours];
  • CVSS < 7.0: within [30 days] or the next scheduled release.

Commercial Support customers receive private CVE advisories with remediation guidance ahead of public disclosure, under the confidentiality terms of this Agreement.

5 Maintenance, dependencies, LTS & migration

The Provider maintains a Long-Term Support (LTS) build line for the Software, including timely dependency updates, compatibility testing, and security backports. Critical fixes and security patches are backported to the Customer's supported version for the duration of the Term, so the Customer is not forced to take a major upgrade to receive a fix.

Backward compatibility within an LTS major version. Within a given LTS major version, patch and minor releases introduce no breaking changes to public APIs or documented behaviour without prior notice and a deprecation period of at least [one minor release cycle].

Migration path across major versions. Before a new LTS major version is released, the Provider publishes a tested migration guide covering all breaking changes, recommended upgrade steps, and any tooling to assist the transition. The Customer will not be left without a clear, documented path from their current supported version to the next.

Deprecation notice. Features or APIs scheduled for removal in the next major LTS version are flagged as deprecated at least [one full LTS release cycle] in advance, giving the Customer time to plan the transition without urgency.

6 Supply-chain governance

  • Gated external contributions: code from outside the core team requires a signed contributor licence agreement and passes mandatory maintainer review before inclusion in a supported build;
  • Signed releases & provenance: supported release artifacts are cryptographically signed and accompanied by a build provenance attestation that the Customer's pipeline can verify;
  • Auditable chain: the Provider maintains records linking each supported release to the exact source commit it was built from.

7 Feature requests & roadmap input

The Customer may submit feature requests through its named-contact channel. The Provider will triage these in a recurring review ([quarterly]) and prioritise eligible requests ahead of the general community queue. Prioritisation does not guarantee delivery; scheduling is agreed jointly. Bespoke feature development is handled as Additional Services under clause 8.

8 Entitlements, hours & additional services

Each tier includes a quarterly allowance of expert time and a set of access entitlements. Support hours cover incident handling, upgrade planning, and integration guidance; coaching & enablement hours cover training, architecture reviews, and onboarding workshops. The figures below are illustrative and finalised per engagement.

Illustrative entitlements by tier
Entitlement | Standard | Enterprise
Support & advisory hours | 10 / quarter | 40 / quarter
Coaching & enablement hours | Add-on | 8 / quarter
Named support contacts | Up to 2 | Up to 6
Dedicated named engineer | Shared support pool | Yes
Quarterly business review & roadmap seat | - | Yes
Security assessment reports (under NDA) | Advisories only | Periodic manual assessment

Unused hours [do / do not] roll over. Coaching & enablement hours are tracked separately from support & advisory hours.

Work beyond the included hours - such as custom feature development, implementation, data migration, or bespoke integrations - is provided as Additional Services under a separate statement of work and is billed separately at [rate].

9 Fees & payment

Commercial Support is an annual subscription priced per Supported Deployment. The bands below are illustrative and are confirmed during contracting based on scale, environments, and support intensity:

Illustrative annual subscription bands
Tier | Support window | Indicative annual fee (per production deployment)
Standard | 9×5, S1 same business day, shared support pool | from ~USD 15,000
Enterprise | 24×7, sub-hour S1, dedicated engineer, expanded hours & entitlements (clause 8) | from ~USD 40,000

Non-production environments are included or discounted as agreed. Fees are exclusive of applicable taxes. Invoiced [annually in advance]; payable within [30] days. Multi-year and volume discounts available.

10 Term, renewal & termination

The initial Term is [12 months] from the effective date, renewing for successive [12-month] periods unless either party gives [60 days'] written notice. Either party may terminate for material breach not cured within [30 days] of notice.

On expiry or termination, the Customer's deployment of the Software is unaffected because it is MIT-licensed and continues to run. Only the support services, SLAs, security advisories, and LTS access provided under this Agreement cease.

11 Exclusions

Unless agreed in writing, support does not cover:

  • Defects in Customer or third-party code, agents, models, or integrations built on top of the Software;
  • Builds the Customer has modified or forked away from the supported release line;
  • Third-party infrastructure, cloud, networking, or hardware issues;
  • Custom development and professional services (handled under clause 8).

12 Warranties & limitation of liability

The Provider warrants that support services will be performed in a professional and workmanlike manner. The Software itself is provided under the MIT License "as is", without warranty of any kind. To the maximum extent permitted by law, the Provider's aggregate liability under this Agreement is limited to the fees paid by the Customer in the [12 months] preceding the claim. Neither party is liable for indirect or consequential loss. (Final legal terms are set by the parties' counsel.)

13 Signatures

For illustration only. No signature here creates any obligation.

For 99x (Provider)

Name: [Name]

Title: [Title]

Date: [Date]

For [Customer]

Name: [Name]

Title: [Title]

Date: [Date]
