This Master Services Agreement (“Agreement”) sets out the general terms on which Cultrix Limited (“Cultrix”, “we”, “us”) provides IT services to the customer identified in the relevant order, quotation or statement of work (“you”, “your”).
Service-specific details - including scope, inclusions, exclusions, service levels and operational requirements - are set out in the relevant Service Schedules, which form part of this Agreement.
1. Structure of this Agreement
- This Agreement consists of:
  - this Master Services Agreement - IT;
  - the Service Schedules applicable to the services you purchase, including but not limited to:
    - Schedule 1 - IT Support;
    - Schedule 2 - Patch Management;
    - Schedule 3 - Monitoring & Alerting;
    - Schedule 4 - Microsoft 365 Administration & Licensing;
    - Schedule 5 - Backup and Recovery;
    - Schedule 6 - Security (including EDR, SIEM, vulnerability scanning and SaaS security);
  - Annexes that may include:
    - Annex A - Service Level Agreement (SLA);
    - Annex B - Acceptable Use Policy (AUP);
    - Annex C - Shared Responsibility Model;
    - Annex D - Fair Use Policy (FUP);
  - Any order form, online checkout confirmation, quotation or statement of work we agree with you (each an “Order”).
- If any part of this Agreement conflicts with another, the order of priority is:
  - the applicable Order;
  - the relevant Service Schedule;
  - Annexes A-D;
  - this Master Services Agreement.
Not every Service described in a Service Schedule will apply to you. You will only receive the Services that are included in your Order.
2. Definitions
In this Agreement:
- “Business Day”
  - Monday to Friday, excluding English bank holidays.
- “Business Hours”
  - 08:30-17:30 UK time on a Business Day, unless stated otherwise.
- “Devices”
  - Desktops, laptops, servers and endpoints recorded in our asset records for a Service.
- “Endpoint Protection”
  - The collective term for security and continuity services relating to physical devices, including but not limited to antivirus, EDR, ransomware protection, DNS filtering, SOC monitoring, and endpoint backup/continuity services.
- “Guardian”
  - A support package that includes Support + Shield plus RocketCyber Security Operations Centre (SOC) services.
- “Managed Services”
  - Ongoing, recurring services we provide under this Agreement.
- “Modular Activation”
  - The ability for the Customer to enable or disable individual security components within Shield, Support + Shield, Guardian or User Protection, whether purchased as a package or standalone.
- “Service Desk”
  - Our support team and ticketing system.
- “Services”
  - Any services provided under the relevant Schedule(s) and Order(s).
- “Shield”
  - The managed security stack consisting of Antivirus, Endpoint Detection and Response, Ransomware Protection and DNS Filtering. Shield may be purchased standalone or as part of a Support package.
- “Support + Shield”
  - A support package that includes Shield and enhanced Service Desk coverage, including Security Policy Management, Out-of-Hours Urgent Support without additional charge, and management of VOIP phones, mobiles and tablets.
- “Third-Party Services”
  - Software, platforms or infrastructure provided by third parties (for example Microsoft 365 or other external software, hosting, monitoring or security services).
- “User Protection”
  - A suite of cloud-security services (including Cloud Backup, Cloud Threat Detection & Response, Dark Web Monitoring, Email Security, and Phishing Awareness Training) which can be purchased as a package or as standalone components.
3. Term, renewal and termination
- Services begin on the start date in the Order or when we begin providing the Service.
- Unless otherwise stated, each Service has a minimum initial 12-month term.
- After the initial term, Services continue on a rolling monthly basis unless cancelled.
- You may cancel by giving at least 30 days’ written notice, subject to any minimum terms.
- We may terminate if you materially breach the Agreement, become insolvent, or fail to pay on time.
- On termination:
  - you must pay all outstanding charges;
  - we will cease providing the affected Services;
  - we will assist with a reasonable, orderly handover on a time-and-materials basis.
4. Our responsibilities
- We will provide Services with reasonable skill and care.
- We will operate our systems in line with our internal Information Security Management System.
- We will use reasonable efforts to meet the targets in Annex A (SLA).
- We will keep you informed of material issues that affect your Services.
4A. Platform support & limitations
The Services rely on the installation and operation of our management, monitoring and security tools, including remote monitoring and management (RMM) agents and related software. Platform support, software management capabilities and any functional limitations (including supported Windows, macOS and Linux versions, limitations on Linux desktop support, compatibility notes for Windows-on-ARM/Prism emulation and constraints affecting third-party application patching) are defined in the applicable Service Schedule. These details may change as platform vendors and tool providers update their requirements. Where a platform or version falls outside supported parameters, we may limit support for the affected device or system until appropriate corrective action is taken.
5. Your responsibilities
- Provide access, information and approvals we reasonably need.
- Ensure staff cooperate with us and follow reasonable instructions.
- Maintain suitable power, connectivity and licensed software.
- Follow the Acceptable Use Policy, Fair Use Policy and Shared Responsibility Model.
- Meet your obligations regarding user management, licensing and backups where applicable.
5A. Services not purchased and residual risk
We are not responsible for preventing, mitigating or recovering from security incidents, data loss or downtime to the extent that the relevant security, backup or business continuity services are not in scope of your Order. Where you choose not to purchase a recommended service, you accept the associated risks for the affected systems and data.
5B. Customer-Caused Incidents
Cultrix is not responsible for service interruptions, faults, system behaviour or data loss caused by customer actions, including but not limited to:
- changes made using administrative or elevated permissions
- installation, removal or modification of software
- alteration of configuration or security settings
- replacement or reconfiguration of routers, firewalls or network equipment
- use of unsupported hardware, operating systems or services
Any investigation or remediation required due to customer-caused incidents will be treated as chargeable consultancy and is not subject to SLA response or resolution times. Assigning administrative access to staff indicates acceptance of the associated risks.
6. Access, tools and changes to your environment
- You authorise us to install our remote access, monitoring, security and backup tools on in-scope devices.
- Remote sessions may be logged or recorded.
- You must not remove or disable our tools without agreement.
- Where configuration changes (for example policies, security baselines, firewall rules) are required to deliver a Service, we will apply these carefully, planning changes with you where practical.
6A. Out of Scope and Project-Only Work
The following work is always delivered on a project basis and is not included under any support package unless expressly stated in a separate Statement of Work:
- Network segmentation
- Firewall configuration and logging
- Zero Trust architecture
- Privileged Access Management setup
- Device encryption rollout
- MDM or BYOD setup and policy creation
- Microsoft Secure Score improvement (“Fortify”)
- Security hardening or compliance alignment (CE/CREST/PCI/DORA/ISO)
- Any migration activities
- Office moves, new office setups or relocations
7. Third-Party Services
- You must comply with applicable third-party terms (for example platform, hosting, software or infrastructure providers).
- We are not responsible for the design or availability of Third-Party Services but will assist you in managing issues where in scope.
- Changes made by third parties may affect how we deliver Services. We will act reasonably to adapt and will discuss any material impact with you.
8. Data protection
- Each party will comply with applicable data protection laws.
- Our role as controller or processor depends on context, as set out in our Privacy Policy and Shared Responsibility Model.
- Where we process personal data as your processor, our Data Processing Agreement applies.
- We will implement appropriate technical and organisational measures to protect personal data.
9. Security
- We operate an information security framework aligned with recognised standards such as ISO 27001 and Cyber Essentials.
- Security-related Services (for example EDR, SIEM, vulnerability scanning, SaaS threat detection) are set out in the relevant Schedule.
- No system can be perfectly secure. We will take proportionate steps to manage security and respond promptly to incidents.
10. Charges, invoicing and payment
- Charges are set out in the Order and/or relevant Schedule.
- Recurring fees are invoiced monthly in advance unless otherwise agreed.
- Time-and-materials work is invoiced in arrears.
- Payment terms are 30 days from invoice date.
- If you dispute an invoice, you must notify us before the due date. Undisputed amounts must still be paid.
- If you fail to pay without genuine dispute, we may charge interest and/or suspend Services.
11. Suspension
- We may suspend Services if:
  - you fail to pay after reminder;
  - you breach this Agreement or the AUP;
  - your environment poses an immediate security risk;
  - a third-party supplier requires suspension.
- We will act reasonably and normally contact you before suspension unless the risk is urgent.
12. Limitation of liability
- We do not limit liability for death, personal injury or fraud.
- Otherwise:
  - we are not liable for loss of profit, revenue, anticipated savings, business interruption, or indirect loss;
  - our total liability is limited to the amount paid or payable for the affected Service during the previous 12 months.
13. General
- Subcontracting. We may use carefully chosen subcontractors and partners. We remain responsible for their performance.
- Force majeure. Neither party is liable for delays caused by events outside reasonable control.
- Variation. We may update this Agreement to reflect legal or operational changes. Material changes will be communicated with reasonable notice.
- Governing law. This Agreement is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.