Schedule 4 - Security and Network

• Legal >
• Terms >
• Master Services Agreement - Cloud >
• Schedule 4 - Security and Network

This Schedule forms part of the Cloud Master Services Agreement and describes the scope, responsibilities and limitations relating to Administration and Licensing.

1. Firewall management

1. We operate perimeter and, where applicable, internal firewalls for the Cloud Platform.
2. Where firewall management is included, we will:
   • maintain baseline rulesets and security policies;
   • implement rule changes requested by you, subject to security review;
   • apply firmware and software updates during maintenance windows; and
   • monitor firewall availability and core health.
3. You:
   • must tell us which services or ports you require to be exposed to the internet or to specific networks;
   • must not attempt to circumvent firewall controls; and
   • accept that we may decline or adjust firewall rules that create unreasonable risk.

2. VPN and secure connectivity

1. Where VPN services are included, we will:
   • configure site-to-site or client VPNs using supported standards;
   • provide connection details and, where applicable, client configurations; and
   • test connectivity with nominated endpoints.
2. The types of VPN supported and any limitations will be described in the relevant quote or design document.
3. You are responsible for:
   • configuring your on-premise or third-party devices to establish the VPN;
   • managing endpoint security on devices connecting via VPN; and
   • ensuring VPN credentials or keys are kept secure.

3. Web filtering and outbound security

1. Where provided, web filtering or DNS filtering services may be applied to traffic leaving the Cloud Platform.
2. We may:
   • block known malicious domains and content categories (for example malware, phishing);
   • apply content categories agreed with you; and
   • log and review security-related events.
3. Filtering is intended to reduce risk, not guarantee prevention of all threats. You remain responsible for user behaviour and for application-level security measures.

4. Logging and monitoring

1. We may collect and retain logs from firewalls, VPN devices, remote desktop gateways and other security devices for operational and security purposes.
2. Where a more advanced log analysis or SIEM service is included, this will be described in your Order or in a separate Security Schedule.
3. Retention periods for standard logs may vary depending on platform capabilities and storage considerations. If you require extended log retention or specific formats, this may be provided as a separate service.

5. Certificates and encryption

1. We may assist with:
   • installing SSL/TLS certificates on web servers or gateways;
   • renewing certificates we manage on your behalf; and
   • configuring supported encryption protocols.
2. You are responsible for:
   • procuring certificates where they are not included in the service; and
   • renewing any certificates you manage directly.
3. We may deprecate older, insecure protocols or ciphers in line with industry good practice, even if this affects legacy systems. We will give reasonable notice where such changes are likely to impact you.

6. Customer responsibilities

1. You remain responsible for:
   • defining your own acceptable level of security and ensuring your use of the Cloud Services aligns with that level;
   • enforcing policies for user access, passwords and multi-factor authentication;
   • application-level security (for example input validation, access control, logging); and
   • security of any local networks and devices that connect to the Cloud Platform.
2. If we identify a configuration or behaviour that poses a serious security risk (for example an exposed administrative interface, weak VPN configuration or open relay), we may take reasonable temporary mitigation steps, including blocking traffic, while we work with you on a longer-term fix.

7. Exclusions

1. Unless explicitly stated, this Schedule does not cover:
   • full Security Operations Centre (SOC) services;
   • threat hunting or advanced incident response;
   • complex network or security architecture design (these are project services); or
   • compliance or certification projects (for example PCI, ISO, DORA, etc.).
2. We are not responsible for security weaknesses that arise from:
   • application design or coding practices;
   • unsupported or end-of-life software; or
   • decisions you make that go against our documented recommendations.