Virtual Desktop Infrastructure (VDI) Service Addendum

Last Updated July 7, 2026

1. Overview

This Addendum governs the provision of Virtual Desktop Infrastructure (“VDI Services”) by PreVeil under the Enterprise Services Agreement (“Agreement”). VDI Services are part of “Services” under the Agreement. In the event of a conflict between this Addendum and the Agreement, this Addendum controls with respect to VDI Services. Capitalized terms not defined herein have the meanings set forth in the Agreement.

2. VDI Managed Services

PreVeil will provision, configure, and deliver (“Delivery”) a Virtual Desktop Infrastructure (“VDI”) hosted within a FedRAMP-authorized environment in accordance with the Baseline Configuration (Exhibit A), deploy baseline security tooling, provide logging and alerting from PreVeil-managed systems, and deliver an attestation of PreVeil’s tri-annual CMMC level 2 certification.

3. Customer Responsibility

3.1 Transfer of Responsibility

Upon Delivery and acceptance of the VDI, Customer assumes responsibility for the configuration, operation, security, and use of the VDI environment, including but not limited to Virtual Machines (“VMs”) except for those items expressly identified as PreVeil’s sole responsibility in Exhibit B (CMMC Responsibility Matrix).

3.2 Customer Responsibilities

Customer is solely responsible for all configuration changes, user account management, installation and maintenance of Customer-installed software, monitoring and responding to alerts, incident response, forensic analysis, regulatory reporting, and compliance with all applicable laws and regulations, including CMMC.

3.3 PreVeil Responsibilities

PreVeil is responsible for patching and updating the operating system and software provisioned by PreVeil as part of the baseline configuration of the VDI, as well as those items expressly identified as PreVeil’s responsibility in Exhibit B. These responsibilities do not extend to Customer-installed software, or Customer modifications.

3.4 Effect of Customer Modifications

Customer acknowledges that any modification to the VDI, including installation of software, configuration changes, or access control changes, may affect the security posture and compliance status of the VDI.

3.5 No Implied Responsibilities

Except as expressly set forth in this Addendum and Exhibit B, PreVeil has no responsibility for the configuration, operation, security, or compliance of the VDI following Delivery.

4. Delivery and Acceptance

The VDI will be deemed accepted unless Customer provides written notice of material non-conformance within forty-eight (48) hours after Delivery. Upon acceptance, responsibility transfers to Customer as described in Section 3.

5. Security and Incidents

Customer is solely responsible for security monitoring, incident response, and regulatory reporting within the VDI environment. PreVeil does not provide incident response services.

6. Compliance

PreVeil provides a baseline configuration aligned with certain security frameworks but does not guarantee compliance with any specific standard. PreVeil is responsible only for those controls and requirements expressly identified as its sole responsibility in Exhibit B. Customer is solely responsible for all other controls, achieving and maintaining compliance (including CMMC), and engaging any required assessors or certification bodies.

7. Government Data (CUI / DFARS)

To the extent Customer uses the VDI Services to store, process, or transmit Controlled Unclassified Information (“CUI”) or Federal Contract Information (“FCI”), the following applies.

PreVeil provides VDI hosted in a FedRAMP-authorized environment (Amazon Web Services) and configured in accordance with Exhibit A. However, PreVeil does not determine whether Customer data constitutes CUI or FCI, does not control Customer use of the VDI after Delivery, and does not guarantee that the VDI Services alone satisfy DFARS, NIST SP 800-171, CMMC, or any other regulatory requirement.

Customer is solely responsible for determining whether CUI or FCI is present, ensuring proper safeguarding of such data, complying with DFARS 252.204-7012 and applicable regulations, and ensuring its use of the VDI meets all contractual obligations.

7.1 DFARS Incident Reporting

Customer acknowledges that it may have obligations under DFARS 252.204-7012 to report cyber incidents. Except as expressed in Exhibit C, PreVeil is not responsible for DFARS incident reporting and does not assume any obligation to investigate, determine reportability, or submit reports to any government agency. Customer is solely responsible for all such obligations.

7.2 Forensics and Data Preservation

PreVeil does not provide forensic investigation, incident response, or media preservation services under this Addendum. Customer is solely responsible for collecting and preserving forensic data, maintaining logs, and complying with DFARS evidence preservation requirements. PreVeil may provide reasonable cooperation subject to feasibility, applicable law, and reasonable fees.

7.3 Flow-Down Obligations

Customer is responsible for ensuring that any subcontractors, users, or third parties accessing the VDI environment comply with applicable DFARS, CMMC, and CUI handling requirements. PreVeil has no responsibility for downstream compliance obligations.

8. Liability and Risk Allocation

PreVeil’s liability under this Addendum is limited to failure to Deliver the services as specified. PreVeil is not responsible for Customer modifications, Customer-installed software, compliance failures, or security incidents arising from Customer actions. All liability remains subject to the Limitation of Liability provisions in the Agreement.

9. Indemnification

Customer will indemnify, defend, and hold harmless PreVeil from third-party claims arising from Customer’s configuration or use of the VDI, failure to comply with applicable laws, or any security incident caused by Customer actions.

10. Disclaimers

The VDI is provided as a configured baseline environment. PreVeil makes no representation or warranty that the VDI will remain secure or compliant after Delivery or Customer modification, that the baseline alone is sufficient to meet regulatory requirements, or that it will provide ongoing IT support unless separately agreed in writing.

Exhibits

Exhibit A — Baseline Configuration Specification

Exhibit B — CMMC Responsibility Matrix

Exhibit C — PreVeil Incident Reporting Responsibilities

Exhibit A – Baseline Configuration Specification

ComponentProduct / Service
Virtual Desktop InfrastructureAWS GovCloud Workspaces
Identity & MFAOkta (SAML/SSO, Okta Verify)
Managed Active DirectoryAWS Managed AD (synced from Okta)
Endpoint Control & PatchingThreatLocker
Threat DetectionThreatLocker and AWS GuardDuty
Audit LoggingAWS CloudTrail + CloudWatch
CUI Storage & TransmissionPreVeil PVCS
Encrypted Email Relay (if Customer is using the service)PreVeil EMR (ECS/Fargate)
Container Vulnerability ScanningTrivy
Infrastructure as CodeAWS CloudFormation

Exhibit A continued

The authorization boundary encompasses all hardware, software, data, personnel, and processes that handle, store, process, or transmit CUI on behalf of Customer. The boundary is logically defined and hosted within AWS GovCloud (FedRAMP High authorized). Physical infrastructure controls are inherited from AWS GovCloud.

The boundary includes:

  • AWS GovCloud VPC — 4 subnets: two Workspaces subnets (separate AZs), one NAT Relay subnet, one EMR subnet (if Customer is using the EMR service)
  • Okta tenant — identity source of truth; MFA enforcement for all VDI access
  • AWS Managed Active Directory — downstream sync from Okta via Okta AD Sync
  • ThreatLocker agents installed on all VDI Workspace instances
  • AWS GuardDuty, CloudWatch, and CloudTrail within the GovCloud account
  • PreVeil PVCS — end-to-end encrypted CUI storage and transmission
  • PreVeil Email Relay (EMR) — ECS/Fargate encrypted external email relay (if Customer is using the PreVeil EMR service)

Exhibit B – CMMC Shared Responsibility Matrix

{Available Upon Request}

Exhibit C – PreVeil Incident Reporting Responsibilities

PreVeil Inc. accepts the requirements of DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Should PreVeil (or a PreVeil customer) discover a cyber incident that affects customer information, the PreVeil information assurance compliance program includes the following:

Cyber Incident Reporting: PreVeil will coordinate with the Customer to conduct a review and report cyber incidents to DoD at https://dibnet.dod.mil, per paragraph (c) requirements including: a review shall include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts in accordance with applicable laws and regulations on the monitoring, access, use, and disclosure of electronic communications and data. PreVeil is an end-to-end encryption system, and PreVeil has no access to customer messages and files stored as encrypted blocks on PreVeil servers. However, the customer can decrypt and access their own messages, files, and logs via PreVeil eDiscovery/data export features if needed for analysis.

Malicious Software: If and when malicious software is discovered and isolated as part of incident review, PreVeil will submit malicious software to DC3 as instructed in paragraph (d).

Media Preservation and Protection: PreVeil will preserve and protect images of all known affected information systems identified and all relevant monitoring data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest per paragraph (e).

Access to Additional Information: Upon request from the DoD, PreVeil will grant access to additional information or equipment to support a forensic analysis per paragraph (f).

Cyber Incident Damage Assessment: If the client or the DoD elects to conduct a damage assessment, PreVeil will provide all the information collected in the incident review and media preservation activities conducted under paragraphs (c) and (e), to assist in the damage assessment activities upon request under paragraph (g).

PreVeil maintains a Governance Risk and Compliance (GRC) program that complies with FedRAMP Moderate baseline equivalent under NIST 800-53 and SOC-2, Type 2 certification for all production operations. PreVeil cryptographic module is validated by NIST CSRC under FIPS 140-2.