Service Description – Sophos Security Services Standalone IR Retainer
This Service Description describes the Sophos Security Services Standalone IR Retainer service (“Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s manually or digitally‐signed agreement with Sophos covering the purchase of a Service subscription; (ii) Managed Service Provider’s manually or digitally-signed agreement(s) with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
I. DEFINITIONS.
Capitalized terms used in this Service Description, and not otherwise defined in the Agreement, have the meaning given below:
“Emergency Incident Response”, “Emergency IR” or “EIR” means Sophos Emergency Incident Response service as described at https://www.sophos.com/legal/emergency-incident-response-description.
“Engagement Start” means the time at which Sophos will commence Emergency IR service performance remotely pursuant to a Customer/MSP approved Engagement Work Order.
“Engagement Work Order” means written documentation prepared by Sophos describing the type, scope and associated cost of a proposed Emergency IR engagement, which requires Customer/MSP approval prior to commencement.
“Incident” means a suspected or confirmed compromise or unauthorized access of system(s) that poses an imminent threat to Customer/MSP assets, which may include interactive attackers, data encryption or destruction, and exfiltration.
“Initial Response” means Sophos making initial contact with Customer/MSP, by email or telephone, following a request for Emergency IR services, to schedule a call to discern the nature, scope and action plan for the request.
II. SCOPE OF SERVICE
The Service allows Customers/MSPs to engage Sophos during an Incident and entitles Customer/MSP to engage Sophos at a predefined hourly rate towards the purchase of Sophos Emergency Incident Response services during the Subscription Term.
The Service consists of activities described below:
- Onboarding
1.1. Customer/MSP will receive an email confirming their enrollment in the Service after purchase which will include all relevant information and documentation regarding the Service and instructions for how to access the Service and its components.
1.2 Customer/MSP must provide all requested information and perform all Customer/MSP obligations set forth below to receive full benefit of the Service.
- Emergency IR Initiation.
2.1. In the event the Customer/MSP believes they have experienced an Incident and desires to engage Sophos for Emergency Incident Response during the Subscription Term, Customer/MSP must call the Emergency Incident Response telephone numbers listed by the “Get immediate help” button on https://www.sophos.com/en-us/products/incident-response-services/emergency-response.
2.2 Sophos will perform initial triage; confirm scope and engagement approach; and provide an estimate of hours of effort required for Customer/MSP approval prior to initiating the Emergency IR service.
2.3 Sophos will quote the estimated Emergency Incident Response cost to Customer/MSP or their chosen Partner reflecting the applicable predefined hourly rate.
2.4 Sophos will commence each Engagement following Customer/MSP’s written approval of the applicable Engagement Work Order.
2.5 Sophos’ provision of Emergency Incident Response will be subject to the Emergency Incident Response Service Description. All obligations and restrictions specified in the Service Description will apply to the parties.
2.6 Service Level Agreement (“SLA”).
2.6.1. Sophos will use commercially reasonable efforts to meet the service levels related to Initial Response and Engagement Start for Emergency Incident Response as set forth below:
- Initial Response – 4 hours
- Engagement Start – 24 Hours
2.6.2. Service Credit. Customer/MSP is entitled to six (6) hours toward Emergency IR service for each business day that a defined SLA is not met.
2.6.3. Service Credit Request Procedure. Customer/MSP must request the Service Credit in writing to [email protected] with "Security Services Retainer Service Credit" in the subject line within thirty (30) calendar days from the time Customer/MSP becomes eligible to receive a Service Credit. Customer’s/MSP’s Service Credit request must be supported with evidence from log or report data. If not requested during this time, the Service Credit will expire and no longer be claimable. Provisioning of Service Credits shall be Customer’s/MSP’s sole and exclusive remedy for failure to meet or exceed the foregoing SLAs. All Service Credit requests will be subject to verification by Sophos.
2.6.4. Exclusions. Sophos shall not be responsible for meeting the SLA in whole or in part due to: i) Customer’s/MSP’s failure to initiate the Emergency Incident Response Service in accordance with Section 2.1 above, ii) Customer’s/MSP’s breach of any obligations under the Agreement or the applicable Service Description or iii) conditions provided in Article IV below.
III. CUSTOMER/MSP RESPONSIBILITIES.
Customer/MSP acknowledges and agrees that, in addition to the actions required of the Customer/MSP in Article I above, Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer’s/MSP’s failure to take the required actions. Failure to complete the required actions after written notice from Sophos shall constitute a material breach by Customer/MSP of the Agreement.
- Onboarding. Customer/MSP will perform all required activities during the onboarding process.
- Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
- Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.
- Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside of the scope of the Service. Customer/MSP is solely responsible and liable for: (i) taking any actions that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response; all litigation and e-Discovery support; and collaboration with law enforcement); and (ii) for any actions undertaken by Sophos that are not provided in this Service Description under Customer’s/MSP’s specific direction.
- MSP Additional Responsibilities. MSP is solely responsible for ensuring that any Beneficiary for which MSP performs this Service has agreed to accept all risks described in this Service Description or otherwise inherent in the Service. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description, the Agreement with respect to the Service.
IV. ADDITIONAL TERMS.
- Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement: (i) due to any delay or failure to perform its obligations hereunder as a result of industry or infrastructure wide ransomware, cyberwarfare or other cyberattacks that cause Sophos to be unable to provide resources to address an Incident in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos’s reasonable control including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer/MSP has any overdue invoices); or (vi) during any scheduled maintenance windows.
- Service Capabilities. Customer/MSP agrees and acknowledges that, while Sophos has implemented commercially reasonable technologies and processes as part of the Service, Sophos makes no guarantee that the Service will detect, prevent, or mitigate all Incidents. Customer/MSP agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
Revision Date: May 5, 2026