This Service Description describes Sophos Emergency Incident Response service, which includes a suite of the following services: Engagement Management, Incident Response, Digital Forensics, Business Email Compromise, Compromise Assessment, Threat Hunting, Threat Intelligence and Research, Ransom Negotiation, Engagement Report, and Service Software Deployment (individually or collectively referred to as the “Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s (“MSP”) manually or digitally‐signed agreement with Sophos covering the purchase of a Service; (ii) MSP’s manually or digitally-signed agreements with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer/MSP; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
I. DEFINITIONS
Capitalized terms used in this Service Description, and not otherwise defined in the Agreement, have the meaning given below:
“Active Threat” is an infection, compromise, or unauthorized access of an asset or data.
“Contain” or “Containment” means the actions taken during Incident Response to limit the spread and impact of a threat prior to Neutralization. This may include network segmentation, isolation of affected endpoints, account suspension, and other defensive measures intended to interrupt the threat actor’s operations and prevent further compromise or damage.
"Incident" is a suspected compromise or unauthorized access of system(s) that poses an imminent concern or threat to Customer/MSP assets, which includes but is not limited to interactive attackers, data encryption or destruction, or exfiltration.
“Incident Commander” is Sophos personnel responsible for managing the overall Service engagement lifecycle, including stakeholder coordination, action prioritization, cross-functional alignment and communication. The Incident Commander serves as the primary liaison between the Customer/MSP and Security Services Team to ensure timely, aligned and in-scope Service delivery.
“Incident Lead” is the primary Sophos personnel responsible for managing the execution of the Service engagement. Incident Lead oversees forensic analysis, evidence collection, timeline reconstruction, and technical findings development, while coordinating the efforts of Sophos personnel to ensure investigative rigor and alignment with Service engagement’s objectives and scope.
"Incident Response" is the technical process performed by the Security Services Team to Investigate, mitigate, and perform Containment and Threat Neutralization.
"Investigation" is the formal process and methods used by the Security Services Team to confirm whether activity is malicious and requires Threat Response.
“Neutralize” or “Neutralization” is the outcome of the “Threat Neutralization”, when Security Services Team reasonably determines the Incident is no longer present on Service Endpoints based on available evidence. Threat Neutralization process involves conducting Investigation and Response Action to: (i) remove the attacker’s access and (ii) prevent further damage to compromised asset or data.
“Response Action” is an interaction with Service Endpoints to perform Investigation and Threat Hunting, including but not limited to remote query, host isolation, terminating a process, blocking an IP address, disabling accounts, collecting sample files and deleting malicious artifacts.
“Service Endpoint(s)” is any physical or virtual endpoint device or a server system that is in the scope of Service delivery.
“Security Services Team” is the Sophos team delivering the Service, including but not limited to conducting Investigations, Threat Hunting, Response Actions, Incident Response, and Deployment.
"Systems of Interest" refers to any digital systems, devices, infrastructure services or other data relevant to understanding the scope and impact of the Incident.
“Threat Hunting” is the process of proactively and iteratively searching through data using a combination of manual, semi-automated activity to identify signals and indicators of malicious activity.
“Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer/MSP, as applicable, to Contain or disrupt malicious activity.
Note:
- Sophos Intercept X Advanced with XDR is hereinafter referred to as "Sophos XDR" and Sophos XDR Sensor is hereinafter referred to as "XDR Sensor."
- Where the term Service Software is used within this Service Description, it shall be deemed to mean Sophos XDR, Sophos NDR and/or XDR Sensor as the context dictates.
II. DESCRIPTION OF SERVICES
Sophos will provide Service(s) that are specified in Customer’s Service Schedule in accordance with this Service Description. All Services are delivered remotely unless Customer/MSP requests Onsite Service Engagement under Section III below. Service delivery commences with a kick-off call with Customer/MSP to:
a) obtain information about Customer/MSP’s/Beneficiary’s infrastructure;
b) agree the service engagement’s initial objectives, scope and priorities;
c) identify key stakeholders from Customer/MSP and their role in Service delivery; and
d) establish communication frequency and preferences for Customer/MSP.
MSP must act as the contact for any Service to be provided to a Beneficiary of MSP's.
1. ENGAGEMENT MANAGEMENT
1.1 Deliverables In Scope
The deliverables for Engagement Management may include one or more of the following:
- Assign an Incident Lead and if requested by Customer/MSP, an Incident Commander to oversee the coordination of the Service delivery.
- Coordinate planning and scheduling of Service activities in alignment with Customer/MSP priorities and available resource.
- Facilitate regular status updates covering progress, risks, blockers, and key milestones.
- Maintain documentation related to the Service scope, findings, actions taken, and outcomes of the Service, including updates to shared tracking artifacts as needed.
- Coordinate across technical and non-technical workstreams to ensure alignment between forensic, response, negotiation, and customer stakeholders.
- Serve as a central point of contact for escalation management and Service-related queries during the engagement.
1.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Acting as a substitute for formal legal, regulatory, or executive functions.
1.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery, including Response Actions.
- Attend and participate in scheduled status and coordination calls.
- Review and respond to documentation, recommendations, and task assignments in a timely manner.
- Ensure participation from relevant business and technical stakeholders to support cross-functional coordination.
2. INCIDENT RESPONSE
2.1 Deliverables In Scope
The deliverables for Incident Response may include one or more of the following:
- Conduct technical analysis of the Incident to identify Systems of Interest, attack vectors, persistence mechanisms, and threat actor behavior.
- Determine and recommend Containment and Threat Neutralization strategies based on findings.
- Review the configuration and telemetry of Service Software to validate its effectiveness in the current environment.
- If needed, conduct offensive operations to validate Investigation findings, including but not limited to penetration tests, vulnerability scans, Active Directory assessment.
- If an Active Threat or ongoing malicious activity is detected, at the request of the Customer/MSP we can undertake appropriate Response Actions to Contain or Neutralize the Active Threat, including but not limited to isolating systems, blocking indicators, and terminating malicious processes.
- Provide technical recommendations for hardening, remediation, and future prevention based on the nature of the Incident.
- Deliver a written or verbal summary of Incident Response activities, outcomes, and findings.
2.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service.
- Engagement management tasks such as coordination, project tracking, or escalation handling (covered under the Engagement Management service).
2.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Deploy the Service Software on Service Endpoints, and provide access to Systems of Interest.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery, including Response Actions.
- Complete all actions identified by Sophos for the Customer/MSP in a timely manner.
- Attend all agreed conference calls.
3. DIGITAL FORENSICS
3.1 Deliverables In Scope
The deliverables for Digital Forensics may include one or more of the following:
- Capture digital evidence related to the Incident from Service Endpoints and/or Systems of Interest, as applicable.
- Analyze collected evidence using forensic tools and techniques to identify indicators of compromise (“IOC”) and trace adversary activity as part of the Investigation.
- Review applicable telemetry for ongoing or previous threats.
- Perform static and/or dynamic analysis of suspected malware identified during the Investigation and forensic analysis.
- Deliver a written or verbal summary with the timeline of key events identified during evidence analysis, including a list of IOCs identified during the Investigation.
3.2 Out of Scope Deliverables
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Generate formal legal chain-of-custody documentation or court-admissible evidence.
- Perform advanced malware disassembly, reverse engineering, or exploit development analysis, unless explicitly agreed upon in writing.
- Provide long-term storage, management, or archiving of collected forensic data.
3.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Provide Sophos with administrative privileges, and log and forensic data from Systems of Interest.
- Deploy the Service Software on Service Endpoints, if applicable.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery, including with gathering of digital evidence from Systems of Interest.
- Attend all agreed conference calls.
- Complete all actions identified by Sophos for Customer/MSP in a timely manner.
4. COMPROMISE ASSESSMENT
4.1 Deliverables In Scope
The deliverables for Compromise Assessment may include one or more of the following:
- Collaborate with Customer/MSP to gather information about any potential threats and to identify Service Endpoints that Customer/MSP wants covered by the Service.
- Conduct an Investigation for indicators of compromise (“IOCs”) on Service Endpoints where the Service Software is installed or based on relevant data provided to Sophos by the Customer/MSP.
- If an Active Threat is identified, notify the Customer/MSP, provide the findings and recommend actions for further Investigation and Containment.
- If no evidence of compromise is found within the scope of Service, provide written notice to Customer/MSP documenting the absence of IOCs in the analyzed dataset and the methodology used.
- Deliver a written summary of threat hunting activities, outcomes, and recommendations.
4.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Implementing fixes or patching systems based on threat findings
4.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Deploy the Service Software on Service Endpoints.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery.
- Provide requested data to Sophos in a timely manner.
- Attend all agreed conference calls.
5. THREAT INTELLIGENCE AND RESEARCH
5.1 Deliverables In Scope
The deliverables for Threat Intelligence and Research may include one or more of the following:
- Provide high-level analytical enrichment of submitted IOC data, including threat context, relevance, potential attribution, and any identifiable tactics, techniques, or procedures linked to known threat actors or campaigns.
- Conduct open-source and dark web searches on Customer/MSP submitted data such as hashes, URLs, and IPs, and communicate key findings to Customer/MSP.
- Conduct open-source research on Customer/MSP data potentially associated with breaches.
- Perform reverse engineering of malicious files or artifacts, where applicable, to extract behavioral characteristics, IOCs, and support threat attribution and contextual analysis.
- Deliver a written or verbal summary of the findings and recommendations.
5.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Containment, Neutralization, or recovery activities related to active Incidents.
- Definitive conclusions and guaranteed threat attribution. Customer/MSP acknowledges and agrees that all findings and analysis provided by Sophos are based on the information and threat intelligence available at the time of assessment, and such findings are not conclusive and are provided “as is,” without any representation, warranty, or guarantee.
5.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Provide all relevant and accurate data or artifacts to enable the Threat Intelligence and Research activities.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery, including to facilitate coordination and communication throughout the engagement.
- Ensure that any sensitive or proprietary information shared with Sophos is properly authorized for use within Service scope, and is provided in compliance with all applicable laws and confidentiality agreements.
- Attend all agreed conference calls.
6. THREAT HUNT
6.1 Deliverables In Scope
The deliverables for Threat Hunt Service may include one or more of the following:
- Utilize the Service Software on Service Endpoints for up to 30 days to conduct Investigation for IOCs on Service Endpoints, or based on relevant data provided to Sophos by the Customer/MSP.
- Provide a written or verbal summary with the timeline of key events identified during evidence analysis, including a list of IOCs identified during the Investigation, as well as methodology used.
- Provide high-level recommendations based on the Investigation findings.
- If no evidence of compromise is found within the scope of the Service, provide a written notice to Customer/MSP documenting the absence of IOCs in the analyzed dataset and the analysis methodology used.
6.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Implementing fixes or patching systems based on threat findings
6.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Deploy the Service Software on Service Endpoints.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery.
- Provide requested data to Sophos in a timely manner.
- Attend all agreed conference calls.
7. RANSOM NEGOTIATION
7.1 Deliverables In Scope
The deliverables for Ransomware Negotiation Support may include one or more of the following:
- Conduct a conference call with the Security Services Team and Customer/MSP to gather relevant information related to the ransomware incident, including ransom notes, threat actor communications, and impacted systems.
- Assess the threat actor’s behavior and profile based on known TTPs, and historical activity.
- Advise on potential negotiation strategies, including recommended communication tone, pacing, and responses.
- Collaborate with Customer/MSP to define negotiation objectives.
- Engage with the threat actor to facilitate discussion pertaining to ransom demands. All negotiation activities will be conducted strictly in accordance with Customer/MSP feedback and instructions.
- Provide regular updates to the Customer/MSP throughout the negotiation process, including summaries of threat actor communications and suggested next steps.
- Where appropriate, recommend third-party service providers that specialize in facilitating ransom payments. Customer/MSP acknowledges and accepts that: (i) any engagement of such third-party service providers will be at the sole discretion of the Customer/MSP and is subject to their own due diligence, legal review, and compliance with all applicable laws and regulations, including sanctions and anti-money laundering requirements; and (ii) Sophos does not control, endorse, or assume responsibility for the services provided by any such third-party.
- Deliver a written summary of negotiation-related activities, observed threat actor behavior, and outcomes.
7.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Providing any legal or regulatory advice, including regarding sanctions, export controls, or anti-money laundering requirements.
- Facilitating, fronting, or making ransom payments on behalf of Customer/MSP.
- Assisting with decryption and/or recovery of encrypted data.
- Guaranteeing the actions or performance of the threat actor, including restoration of data or continued communication/engagement following ransom payment.
7.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Assign up to three (3) named Customer/MSP personnel authorized to make decisions regarding ransomware negotiation strategy and payment, and to support Sophos with Service delivery.
- Provide timely and complete access to all available threat actor communications and ransom notes.
- Respond promptly to Sophos inquiries or recommendations during Service delivery.
- Attend all agreed conference calls.
Risk Acknowledgment and Indemnification: Customer/MSP acknowledges and accepts the inherent risks associated with engaging in communications or negotiations with criminal threat actors, including but not limited to the risk of non-performance, continued extortion, data destruction, reputational harm, or legal and regulatory exposure. Customer/MSP further understands that Sophos does not control the behavior or outcomes of such threat actors and does not guarantee any result from the negotiation process, including the restoration of data or cessation of malicious activity. Customer/MSP agrees to indemnify, defend, and hold harmless Sophos, its affiliates, and their respective directors, officers, employees, and agents from and against any and all claims, liabilities, losses, damages, costs, or expenses (including reasonable attorneys’ fees) arising out of or relating to the Customer/MSP’s decisions or actions in connection with any ransom payment or negotiation strategy, including any failure to comply with applicable laws, regulations, or sanctions regimes.
8. ENGAGEMENT REPORT
8.1 Deliverables In Scope
The deliverables for Engagement Report Support may include one or more of the following:
- Provide a high-level summary of the Incident tailored for executive and non-technical stakeholders.
- Provide a graphical timeline presented in chronological order, detailing the threat actor’s key movements and activities throughout the Incident.
- Provide an enriched summary of the threat actor’s TTPs, as identified during the Investigation, along with structured mapping to the MITRE ATT&CK framework, including applicable mitigations aligned to observed TTPs.
- A comprehensive table of IOCs identified during the Investigation.
- High-level advisory recommendations based on the Investigation findings.
8.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Provision of legal advice, recommendations, or legal opinions
- Provision of compliance advice or regulatory assessments
- Definitive conclusions and guaranteed threat attribution. Customer/MSP acknowledges and agrees that all findings and analysis provided by Sophos are based on the information and threat intelligence available at the time of assessment, and such findings are not conclusive and are provided “as is,” without any representation, warranty, or guarantee.
8.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Provide a valid email address or access to a secure file-sharing platform where the Engagement Report can be delivered securely.
- Assign up to three (3) named Customer/MSP personnel to facilitate Service delivery, including for receiving the Engagement Report and facilitating any follow-up questions or clarifications.
- Identify relevant stakeholders and ensure their participation in the review of the report and any related discussions, if a verbal presentation of the Engagement Report is requested.
- Provide timely feedback or raise any follow-up questions within five (5) business days of receiving the report to ensure that any clarifications or revisions can be addressed within the scope of the initial hourly Service engagement. Any requests made after this period will require the purchase of additional Service hours.
- Attend all agreed conference calls.
9. BUSINESS EMAIL COMPROMISE
9.1 Deliverables In Scope
The deliverables for Business Email Compromise may include one or more of the following:
- Conduct conference call with the Security Services Team and Customer/MSP to gather information about their email environment and the suspected unauthorized access of an email account(s) (“Business Email Compromise” or “BEC”).
- Investigate BEC scope and report key findings to Customer/MSP throughout Service delivery.
- If a BEC is confirmed, conduct analysis to identify the cause, attack vectors, persistence mechanisms, and techniques used by the threat actor, and communicate key findings to the Customer/MSP throughout Service delivery.
- Deliver a written or verbal summary of the BEC findings.
9.2 Deliverables Out of Scope
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Setting up or configuring Customer/MSP email environment.
9.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions:
- Provide Sophos with all necessary access to the email environment in support of Service delivery.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery.
- Attend all agreed conference calls.
10. SERVICE SOFTWARE DEPLOYMENT
10.1 Deliverables In Scope
The deliverables for Service Software Deployment Service may include one or more of the following:
- Assign Customer/MSP with a Security Services Team.
- Conduct conference call with Customer/MSP to identify Service Endpoints that Customer/MSP wants covered by the Service.
- Install and deploy the Service Software on to the Customer/MSP defined Service Endpoints.
- Provide Customer/MSP with 24/7 access to Sophos deployment engineers via the communication channel established during kick-off call for support and guidance on Service delivery.
- Provide a written summary on the Service Software installation status on the Service Endpoints.
10.2 Out of Scope Deliverables
Any activities not explicitly mentioned above are outside the scope of the Service, including the following:
- Configuration and/or troubleshooting of non-Sophos products and services
- OS upgrades, patching, and restoring of Customer/MSP devices.
- Troubleshooting of boot issues on Customer/MSP devices.
10.3 Customer/MSP Obligations
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take these required actions:
- Identify and prioritize the Service Endpoints for Sophos to deploy the Service Software.
- Assign up to three (3) named Customer/MSP personnel to support Sophos with Service delivery.
- Ensure Customer/MSP personnel with administrative access and technical expertise are available to timely assist Sophos with installing Service Software on Service Endpoints.
- Attend all agreed conference calls.
III. ONSITE SERVICE ENGAGEMENT
If Customer/MSP requests onsite support for any Service listed above, and Sophos accepts the request, both parties will first engage in a planning discussion to define the objectives, scope, required skill sets, and duration of the onsite engagement. Based on this discussion, Sophos will identify the appropriate Sophos Services Team personnel to deploy and provide a written estimate of anticipated costs and travel time for Customer/MSP review and approval. No travel will commence, and no travel-related costs shall be incurred, unless and until the Customer/MSP has approved the estimate in writing. Customer/MSP agrees that Sophos personnel will work during the local business hours (not to exceed eight (8) hours per day) unless otherwise mutually agreed in writing.
Cost Categories
The Customer/MSP shall be responsible for the following three categories of costs:
1. Actual Expenses: These include all reasonable and necessary out-of-pocket costs incurred in connection with the onsite engagement, such as round-trip airfare (economy for flights under 4 hours, economy plus for 4 to 8 hours, and business class for over 8 hours); round-trip train travel (economy class for trips under six (6) hours and business class for over 6 hours); fuel costs (if driving); hotel accommodations; meals and incidental expenses; ground transportation (e.g., taxi, ride-share, or rental car); visa or entry documentation; and any applicable taxes or fees.
2. Travel Time: In addition to the Actual Expenses specified above, Sophos will charge for travel time to and from the Customer/MSP location (measured door-to-door from the Sophos personnel’s residence to Customer/MSP site or local hotel, as applicable). Travel time will be billed at an hourly rate equal to fifty percent (50%) of the Customer/MSP’s standard hourly rate for the corresponding Service.
3. Standby Time: Any time spent by Sophos personnel onsite or on standby due to Customer/MSP’s failure to provide timely access, information, or readiness to begin the engagement will be billable at the standard hourly rate applicable to the Service, up to eight (8) hours per day per person assigned to onsite Service engagement.
Cancellation or Postponement of the Engagement
If the Customer/MSP cancels or postpones the onsite engagement prior to the scheduled start date, or after travel arrangements have been confirmed or commenced, the Customer/MSP will reimburse Sophos in full for any non-refundable or non-recoverable travel expenses already incurred, including any Travel Time charges as specified above.
Customer/MSP Obligations for Onsite Engagement:
Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take these required actions:
- Arrange all necessary site access permissions, physical entry authorization, and security clearances as needed in advance of the onsite engagement, including after-hours access as required.
- Provide timely access to all relevant systems, environments, infrastructure components, and personnel identified in the agreed scope of the engagement.
- Respond timely to all Sophos requests for information, documentation, or decision-making required to support the engagement.
- Obtain and provide approvals or permissions for any tools, software, or access mechanisms to be used by Sophos during the engagement.
- Designate appropriate workspace and ensure availability of power, network connectivity, and physical or virtual access to required systems or tooling.
- Attend all agreed scheduled updates and briefing meetings and ensure the presence and participation of designated stakeholders in all scheduled status updates, technical briefings, and post-engagement reviews.
- Comply with applicable health, safety, and security protocols to ensure a safe working environment during onsite engagement.
IV. CUSTOMER/MSP RESPONSIBILITIES
Customer/MSP acknowledges and agrees that, in addition to the actions identified in Section II above, Customer/MSP must promptly take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions. Failure to complete the required actions after written notice from Sophos (including email notice from the Security Services Team to the Customer/MSP designated contacts) shall constitute a material breach by Customer/MSP of the Agreement.
- Installation Requirements. Customer/MSP/Beneficiary must: a) have a valid, active Sophos Central account, where applicable; b) take action to meet minimum system requirements on Service Endpoints, including but not limited to, applying system patches and upgrading Operating Systems to supported versions; c) deploy and configure the Service Software to all Service Endpoints; and d) provide necessary access to Systems of Interest and necessary administrative credentials/privileges to enable Sophos to perform the Service.
- Remediating Known Compromises. Customer/MSP must make reasonable efforts to timely remediate any Active Threats reported by Sophos or by other third-party technologies that Customer/MSP/Beneficiary utilizes for cybersecurity detection and protection. Sophos will not be responsible or liable for any issues caused by Customer's/MSP's failure to take remediation steps in a timely manner. Additionally, the Security Services Team has no obligation to notify Customer/MSP or take Response Actions or any mitigation actions for which Sophos has already provided recommended remediation steps.
- Time and Date Settings. Customer/MSP must ensure that all Service Endpoints have accurate time and date settings. Sophos will not be responsible for errors, issues, and residual risk experienced or incurred by Customer/MSP due to inaccurate time and date settings (including on Systems of Interest).
- Supporting Data. During the course of providing the Service, the Security Services Team may request additional supporting data, and Customer/MSP will ensure that Sophos has access to such supporting data at all times. Such supporting data may include, but is not limited to: a) endpoint, server or network logs, b) architecture diagrams, and c) materials and resources related to Customer’s/MSP’s/Beneficiary’s business and technical environment. Supporting data removal from Sophos systems will be initiated upon Customer/MSP’s written request.
- Customer/MSP Personnel. Customer/MSP must identify at least one (1) suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
- Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.
- Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside the scope of the Service. Customer/MSP is solely responsible and liable for (i) taking any actions that are outside of the scope of the Service (e.g., Sophos's suggestions regarding on-site response; all litigation and e-Discovery support, including responding to discovery requests or subpoenas; collaboration with law enforcement, etc.); and (ii) any actions undertaken by Sophos that are not provided in this Service Description under Customer's/MSP's specific direction.
- Actions Taken by Partners. Customer may allow Partners to take certain actions within the scope of the Service on Customer's behalf, in which case Customer is responsible for all actions or omissions of such Partner. Sophos will not be liable for Partners' actions or omissions.
- MSP Additional Responsibilities. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service; (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description; (iii) ensuring that its Beneficiaries understand the risks associated with performance of this Service; and (iv) ensuring that any Beneficiary for which MSP performs this Service has agreed to accept all such risks. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description, the Sophos End User Terms of Use or the Agreement with respect to the Service.
V. ADDITIONAL TERMS
1. Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry or infrastructure wide ransomware, cyberwarfare or other cyberattacks that cause the Security Services Team to be unable to provide resources to address any aspect of a Service in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos's reasonable control, including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer has any overdue invoices); or (vi) during any scheduled or emergency maintenance windows.
2. Service Capabilities. Customer/MSP agrees and acknowledges that, while Sophos has implemented commercially reasonable technologies and processes as part of the Service, Sophos makes no guarantee that the Service, or the recommendations and plans made by Sophos as a result of that Service, will result in the identification, detection, containment, eradication of, or recovery from all threats, vulnerabilities, malware, or other malicious threats. Customer/MSP agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
Revision Date: 12 June 2025