Service Description – Sophos Security Services Retainer

This Service Description describes the Sophos Security Services Retainer (“Service”).  All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.

This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s manually or digitally‐signed agreement with Sophos covering the purchase of a Service subscription; (ii) Managed Service Provider’s manually or digitally-signed agreement(s) with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.

Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.

 I. DEFINITIONS 

Capitalized terms used in this Service Description, and not otherwise defined in the Agreement, have the meaning given below:

“Emergency Incident Response”, “Emergency IR” or “EIR” means Sophos Emergency Incident Response service as described at https://www.sophos.com/legal/emergency-incident-response-description.

“Engagement” means each Customer/MSP authorized delivery of a single Security Service. For example, delivering one Incident Response Tabletop Exercise to Customer/MSP is referred to as delivering one Engagement, and delivering one Internal Penetration Test is another Engagement.

“Engagement Start” means the time at which Sophos will commence work remotely to perform the Engagement pursuant to an approved Engagement Work Order.

“Engagement Work Order” means a written documentation prepared by Sophos describing the type, scope and associated Service Unit consumption or cost of a proposed Engagement, which requires Customer/MSP approval prior to commencement.     

"Incident" means a suspected compromise or unauthorized access of system(s) that poses an imminent concern or threat to Customer/MSP assets, which includes but is not limited to interactive attackers, data encryption or destruction, or exfiltration.

“Initial Response” means Sophos making initial contact with Customer/MSP, by email or telephone, following a request for Emergency IR services, to schedule a call to discern the nature, scope and action plan for the request. 

“Onsite Response” means the time at which Sophos will have personnel attend Customer/MSP’s physical location to support Customer/MSP in connection with Emergency IR service delivery.

“Onsite Response Supported Locations” means these locations in which Sophos offers SLAs for Onsite Response: the European Union member states, the Schengen Area, the United Kingdom, Japan, Australia and the United States of America. 

“Security Service” means any information security related service, including advisory, incident response, deployment or consulting services, as listed and/or described in the Security Services Retainer Catalog.

“Security Services Retainer Catalog” means the online catalog of services available to be consumed by redeeming Service Units, available at https://docs.sophos.com/servicescatalog .  

“Service Description” means Sophos’s description of a Security Service’s features, including any additional Service-specific terms and requirements, as made available at https://www.sophos.com/legal or in the Security Services Retainer Catalog.

“Service Units” or “SUs” means prepaid credits that Customer/MSP may apply towards Emergency Incident Response and covered Security Services, with each covered service consuming a predefined number of units based on scope and complexity of the Engagement.  Applicable Service Unit values are set out in the Security Services Retainer Catalog.

“Services Liaison” means a named Sophos personnel assigned to Level 3 and Level 4 service tiers who serves as the primary point of contact for Customer/MSP for all Security Services and helps coordinate timely, aligned and in-scope service delivery.

“Subscription Term” means the period specified in the applicable entitlement document or purchase confirmation document during which Customer’s/MSP’s subscription to the Service is active.

 II. OVERVIEW OF SERVICE

The Service is a subscription-based retainer designed to support proactive cyber security readiness and to enable timely, coordinated, and effective response in the event of an Incident.

The Service is available in four tiers- Level 1, Level 2, Level 3 and Level 4. Each Service tier includes a defined allocation of Service Units that may be redeemed during the Subscription Term for Security Services listed in the Security Services Retainer Catalog. The Service also includes defined entitlements relating to professional services, Service Units, Emergency Incident Response, and tier-specific benefits, as set out in the table below:

Upon Service purchase, Customer/MSP will receive an email confirming their enrollment in the Service which will include all relevant information and documentation regarding the Service and instructions for how to access the Service and its components. Sophos will also provide Customer/MSP with contact details to access priority technical support. Customer/MSP must provide all requested information and perform all Customer/MSP obligations set forth below to receive full benefit of the Service.

 III. SERVICE COMPONENTS

1. Service Units. 
   1. Each Service tier will include a predefined quantity of Service Units as set forth in Section II. Customer/MSP may redeem the Service Units for any of the services listed in the Security Services Retainer Catalog.
   2. Service Units are deducted upon scheduling or commencement of the applicable Security Service.
2. Security Services.
   1. Customer/MSP may request Security Services by emailing [email protected]. Sophos will confirm scope, availability, and estimated Service Unit consumption for each Engagement and will issue an Engagement Work Order reflecting such details prior to scheduling.
   2. Sophos will commence each Engagement following Customer/MSP’s written approval of the applicable Engagement Work Order.
   3. All Security Services will be provided in accordance with the applicable Service Description, unless specified herein. All obligations and restrictions specified in the applicable Service Description will apply to the parties.
3. Emergency Incident Response. The Service allows Customer/MSP to access Emergency Incident Response Service as set forth below:
   
   3.1. Converting Service Units to Emergency Incident Response Service Hours.
   1. Level 2, Level 3 and Level 4 tiers- Customer/MSP may convert Service Units into Emergency Incident Response Service hours (“EIR Hours”) towards an Emergency Incident Response Engagement. Customer/MSP may also purchase additional EIR Hours at a predefined hourly rate applicable to each tier during the Subscription Term.
   2. Level 1 tier- Customer/MSP may separately purchase Sophos Security Services Standalone IR Retainer (“Standalone IR Retainer”), which allows Customer/MSP to: (i) convert Service Units into EIR Hours and (ii) purchase additional EIR Hours at a predefined rate during the Subscription Term, so long as both of the service subscriptions are simultaneously active.
   3. Service Units may only be converted in whole increments of one (1) Service Unit. Partial conversions are not permitted.
   4. Each converted Service Unit is deemed fully consumed upon conversion and provides three (3) EIR Hours. Unused EIR hours from a converted Service Unit may not be retained, carried over, or reconverted into Service Units.

    3.2 Emergency IR Initiation.

   1. In the event the Customer/MSP believes they have experienced an Incident and desires to engage Sophos for Emergency Incident Response during the Subscription Term, Customer/MSP must call the Emergency Incident Response telephone numbers listed by the “Get immediate help” button on https://www.sophos.com/en-us/products/incident-response-services/emergency-response
   2. The Sophos Emergency Incident Response team will perform initial triage; confirm scope and Engagement approach; and provide an estimate of hours of effort required for Customer/MSP approval prior to commencement of the Engagement.
   3. Sophos will quote the estimated Emergency Incident Response cost to Customer/MSP or their chosen Partner reflecting the applicable predefined price for each Service tier and/or applicable Service Units, as applicable.
   4. Sophos’ provision of Emergency Incident Response will be subject to the Emergency Incident Response Service Description and any applicable Statement of Work (“SOW”). All obligations and restrictions specified in the Service Description and the SOW will apply to the parties.

   3.3 Service Level Agreement. Service Level Agreements applicable to Emergency Incident Response for each Service tier are set forth in Article VIII below.

 IV. SERVICE DELIVERY

1. Remote Service Delivery. All Service elements are delivered remotely unless Customer/MSP requests onsite Engagement in which case Sophos will provide the Service pursuant to Onsite Service Engagement under Section V below.
2. Service Delivery Hours.  Unless otherwise specified in the Service Description,  the Service is conducted Monday through Friday, 09:00 to 17:00 (Customer/MSP local time). Sophos will make reasonable efforts to align its Service delivery hours with the Customer's/MSP’s scheduling requirements, subject to resource availability. Any onsite work is conducted Monday through Friday, 09:00 to 17:00 (Customer/MSP local time).

 V. ONSITE SERVICE ENGAGEMENT

1. Onsite Delivery and Cost Estimate. If Customer/MSP requests onsite Engagement delivery and Sophos accepts, Sophos will provide a written estimate of anticipated costs and travel time for Customer/MSP to review and to approve. If actual billing is requested, Sophos will invoice following Engagement completion. No travel will commence, and no travel-related costs shall be incurred, unless and until the Customer/MSP approves the estimate in writing.
2. Onsite Costs. The Customer/MSP shall be responsible for the following categories of costs, which the Customer/MSP may opt to pay for with Service Units, where applicable:
   
   2.1 Actual Expenses.  These include all reasonable and necessary out-of-pocket costs incurred in connection with the onsite Engagement, such as round-trip airfare (Economy class for flights under 4 hours, Economy Plus for 4 to 8 hours, and Business class for over 8 hours); round-trip train travel (Economy class for trips under 6 hours and Business class for over 6 hours); fuel and toll costs (if driving); hotel accommodations; meals and incidental expenses; ground transportation (e.g., taxi, ride-share, or rental car); visa or entry documentation; and any applicable taxes or fees.
   
   2.2 Standby Time. Any time spent by Sophos personnel onsite or on standby due to Customer/MSP's failure to provide timely access, information, or readiness to begin the Engagement will be billable at the standard hourly rate applicable to the Service, up to eight (8) hours per day per person assigned to onsite Service Engagement.
   
   2.3 Travel time. For Emergency Incident Response Engagements, Sophos will bill up to eight (8) hours per travel day for each participating Sophos employee. For all other Security Service Engagements, Sophos will add an appropriate number of additional Service Units, based on the Engagement scope, for each Sophos employee required to travel onsite.
3. Customer/MSP Obligations for Onsite Engagement. Customer/MSP must take the following actions to facilitate and enable delivery of the Service onsite:
   
   3.1. Arrange all required site access, entry authorizations, and security clearances in advance of the Engagement, including after-hours access if necessary.
   
   3.2. Provide timely access to all systems, environments, infrastructure, and personnel identified in the agreed scope.
   
   3.3. Respond promptly to Sophos requests for information, documentation, and decisions necessary to support the Engagement.
   
   3.4. Obtain all approvals and permissions for tools, software, or access mechanisms used by Sophos during the Engagement.
   
   3.5. Provide suitable workspace, including power, network connectivity, and required physical or virtual system access.
   
   3.6 Ensure attendance of designated stakeholders at all scheduled updates, technical briefings, and post-Engagement reviews.
   
   3.7 Comply with all applicable health, safety, and security protocols to ensure a safe working environment.
4. Onsite Engagement Disruption. Sophos reserves the right to cancel or postpone any scheduled onsite Engagement due to circumstances beyond its reasonable control, including but not limited to war, civil unrest, natural disasters, travel restrictions, pandemics, or other force majeure events. Sophos shall provide prompt notice to the Customer/MSP and shall make reasonable efforts to reschedule the Engagement or deliver services remotely where feasible. Neither party shall be liable for delays or non-performance resulting from such circumstances.

 VI. SERVICE SCHEDULING, COMPLETION, AND CANCELLATION

1. Service Scheduling. Customer/MSP must provide at least eight (8) weeks’ advance notice to schedule Incident Readiness and Red Team services and at least four (4) weeks’ advance notice  to schedule all other Security Services. Sophos will make commercially reasonable efforts to accommodate Customer’s/MSP’s requested dates and times for Service delivery, subject to personnel and resource availability. Customer’s/MSP’s written confirmation of an agreed schedule shall constitute acceptance of that schedule. If Customer/MSP requests multiple Engagements simultaneously, Sophos will schedule the first request and will schedule additional Engagements on a best effort basis, subject to resource and personnel availability.
   
   1.1 Rescheduling. Once Sophos and Customer/MSP agree on the schedule for an onsite Engagement, any schedule change requested by Customer within two (2) weeks of the scheduled date will incur a USD $2,000 rescheduling fee, payable by Service Units. This fee does not apply to Engagements that do not require travel by Sophos personnel.
   
   1.2. Cancellation. Customer/MSP may cancel an Engagement at any time before Sophos begins work and may reuse the applicable Service Units for another Engagement. If Customer/MSP cancels an Engagement after Sophos has commenced work, Customer/MSP forfeits any Service Units allocated to that Engagement. If Sophos has booked travel, Customer/MSP will incur a USD $2,000 cancellation fee, payable by Service Units.
2. Service Completion. Customer/MSP acknowledges and agrees that Sophos must complete all Security Service delivery within the Subscription Term. As such, Customer/MSP is solely responsible for timely scheduling of Security Service Engagements, taking all required actions, and meeting all prerequisites, readiness, and enablement requirements necessary to allow Sophos to complete Engagement within the Subscription Term.   Any failure by Customer/MSP to do the foregoing will result in expiration of the Service Units without refund, and Sophos will have no further obligation to perform.
3. Deliverables. If mutually agreed at the kickoff of an Engagement, Sophos will deliver a final report (the “Final Report”) to the Customer/MSP’s designated point of contact within three (3) weeks following completion of the Engagement. The Final Report will detail the methodologies used, key findings related to the Customer/MSP’s security posture (including supporting data), the potential impact to the Customer/MSP, and recommended remediation actions. Unless otherwise specified in the applicable Service Description, Customer/MSP must review the Final Report and provide any comments to Sophos within three (3) weeks of delivery. If Customer/MSP does not respond within this period, the Final Report will be deemed accepted and the Engagement deemed complete. If Customer/MSP provides comments, the Final Report will be deemed complete upon the earlier of (i) Sophos providing responses to such comments or (ii) Sophos delivering a revised Final Report.

 VII. TIER SPECIFIC BENEFITS

1. Level 3 and Level 4. The following activities are included in Level 3 and Level 4 tiers and do not consume Service Units from Customer/MSP’s balance.
   
   1.1. Services Liaison. Customer/MSP will be assigned a Services Liaison.
   1. Service review sessions. The Services Liaison will conduct quarterly reviews  via teleconference, each not to exceed two (2) hours. These sessions may cover Engagement results, upcoming scheduled Engagements, and recommendations to help Customer/MSP maximize the value of the Service.
   2. Status Report. Following each review session, Sophos will provide a quarterly status report to Customer/MSP via a mutually agreed method. The report will summarize completed Engagements, remaining Service Units, upcoming scheduled Engagements, and recommended future activities.
   1.2. Service Planning Session. Upon purchase of the Service, Sophos will facilitate an online session in which Sophos and Customer/MSP will discuss available services, objectives, and broader cybersecurity strategy. During this session, the parties will develop an initial services consumption roadmap, including a delivery timeline for scheduled Security Services and ongoing periodic deliverables.  
2. Level 4. The following activities are included in Level 4 tier and do not consume Service Units from Customer/MSP’s balance.
   
   2.1 Annual Executive Briefing. Upon request, Sophos will conduct one executive briefing per year of the Subscription Term through teleconference at a mutually agreed time (no earlier than month ten (10) of the applicable subscription year). The briefing will cover lessons learned from Engagements, current state of Customer/MSP’s Incident Response capabilities, relevant trends, and recommendations.
   
   2.2 Annual Password Cracking Engagement. Upon request, Sophos will conduct one  Password Cracking Engagement per year during the Subscription Term, which can be scheduled at any point during the applicable subscription year.

 VIII. EMERGENCY INCIDENT RESPONSE - SERVICE LEVEL AGREEMENTS (SLA)

1. SLA. Sophos will use commercially reasonable efforts to meet the service levels related to Initial Response, Engagement Start and Onsite Response for Emergency Incident Response as set forth in the table in Article II above. 
2. Service Credit. Customer/MSP is entitled to six (6  ) EIR Hours for each business day that a defined SLA is not met.
3. Service Credit Request Procedure. Customer/MSP must request the Service Credit in writing to  [email protected] with "Security Services Retainer Service Credit" in the subject line within thirty (30) calendar days from the time Customer/MSP becomes eligible to receive a Service Credit. Customer’s/MSP’s Service Credit request must be supported with evidence from log or report data. If not requested during this time, the Service Credit will expire and no longer be claimable. Provisioning of Service Credits shall be Customer’s/MSP’s sole and exclusive remedy for failure to meet or exceed the foregoing SLAs. All Service Credit requests will be subject to verification by Sophos. 
4. Exclusions. Sophos shall not be responsible for meeting the SLA in whole or in part due to: (i) Customer’s/MSP’s failure to initiate the Emergency Incident Response Service in accordance with Article III, Section 3.2 above, (ii) Customer’s/MSP’s breach of any obligations under the Agreement or the applicable Service Description  or (iii) conditions provided in Article X (Additional Terms) Section 3 below.

 IX. CUSTOMER/MSP RESPONSIBILITIES. 

Customer/MSP acknowledges and agrees that, in addition to the actions required of the Customer/MSP in Article I above, Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer’s/MSP’s failure to take the required actions, including meeting the SLA listed in this Service Description. Failure to complete the required actions after written notice from Sophos shall constitute a material breach by Customer/MSP of the Agreement.  

1. Onboarding. Customer/MSP will perform all required activities during the onboarding and Service initiation process. Customer/MSP will promptly implement all system and infrastructure changes necessary to enable Sophos to deliver the Service.
2. Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service.  Customer/MSP personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service. 
3. Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing and must respond to Sophos’s requests in a timely fashion.
4. Access Enablement. Customer/MSP must (i) promptly inform its personnel and relevant third parties of Sophos’s activities, as necessary, to avoid disruption to Sophos’s performance of the Engagement (e.g., takedown requests or ISP blacklisting); and (ii) whitelist Sophos’s designated testing source addresses and domains within any active security controls, including Network Access Control (NAC), Intrusion Prevention Systems (IPS), and Web Application Firewalls (WAF). Additionally, Customer/MSP’s scheduled interruptions, change freezes, and maintenance windows must provide sufficient time for Sophos to perform the Engagement.
5. Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside of the scope of the Service. Customer/MSP is solely responsible and liable for: (i) taking any actions that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response; all litigation and e-Discovery support; and collaboration with law enforcement); and (ii) for any actions undertaken by Sophos that are not provided in this Service Description under Customer’s/MSP’s specific direction. 
6. MSP Additional Responsibilities. MSP is solely responsible for ensuring that any Beneficiary for which MSP performs this Service has agreed to accept all risks described in this Service Description or otherwise inherent in the Service. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description or the Agreement with respect to the Service.

 X. ADDITIONAL TERMS.

1. Additional Purchase. Customer/MSP may purchase additional Service Units or Emergency Incident Response hours (“EIR Hours”) at the applicable pre-negotiated rate during the Subscription Term. Any additional Service Units or EIR Hours will be co-termed with the applicable Subscription Term.
2. Unused Service Units.  Customer/MSP acknowledges and agrees that all unused Service Units will expire at the end of the then current Subscription Term without any refund.
3. Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement: (i) due to any delay or failure to perform its obligations hereunder as a result of industry or infrastructure wide ransomware, cyberwarfare or other cyberattacks that causes Sophos to be unable to provide resources to address an Incident in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos reasonable control including but not limited war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer/MSP has any overdue invoices); or (vi) during any scheduled maintenance windows.
4. Service Capabilities. Customer/MSP agrees and acknowledges while Sophos has implemented commercially reasonable technologies and processes as part of the Service, Sophos makes no guarantee that the Service will detect, prevent, or mitigate all Incidents. Customer/MSP agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
5. Service Impact. Customer/MSP acknowledges that Service provision described may result in service interruptions or degradation of Customer/MSP systems and accepts those risks and consequences. Customer/MSP further acknowledges that it is solely responsible for restoring its network and computer systems to a secure configuration after Sophos completes testing.
6. Record Retention. Sophos will retain all materials created in connection with each Engagement, including reports, recordings, and other deliverables, in accordance with its record retention policy. Any request for extended retention must be made in writing in advance and will be subject to additional storage costs borne by Customer /MSP.

Revision Date: May 4, 2026