For the benefit of other members, I thought it would be helpful to define Key Injection. Key injection involves injecting encryption keys for payment processors that handle electronic transactions at POS terminals.
ESOs, or encryption support organizations, are the only organizations qualified to perform key injection for businesses. ESO status requires strict security guidelines regarding payment data, hardware, and networks.
This type of technology service is relatively high-risk, so your due diligence efforts should reflect that. In addition to your standard technology due diligence, you should pay attention to their PCI certification and SOC 2 Type 2. Additional requirements may exist if federal or state government agencies or facilities use the POS terminals.
While I don't have a sample agreement to share, I recommend that your contract include all certifications, cybersecurity and privacy requirements, standards of service or Service Level Agreements, and the right to audit.
I hope my answer was helpful, but I would love to hear from other members who have experience with Key Injection services.