This Annex forms part of the IT Master Services Agreement and describes the scope, responsibilities and limitations relating to the Shared Responsibility Model.
The aim of this Annex is to make it clear who does what so there are no gaps or assumptions, particularly in relation to security, backup and business continuity. Not every responsibility listed here will apply to you; what applies in practice depends on the Services included in your Order.
1. Principles
The Shared Responsibility Model is based on the following principles:
- Cultrix is responsible for the design, delivery and management of the Services you have ordered from us;
- you remain responsible for your business processes, data classification, and how your users make use of technology;
- some responsibilities are shared - for example keeping devices secure requires both technical controls and user behaviour;
- if a Service is not included in your Order, you remain fully responsible for that area unless agreed otherwise in writing.
2. High-level responsibility overview
At a high level:
- Cultrix is generally responsible for:
- managing in-scope devices, systems, platforms and security tools under your Order;
- deploying and maintaining agreed configurations, updates and security policies;
- monitoring and responding to alerts where monitoring or SOC services are in place;
- providing advice and guidance on good practice.
- You (the Customer) are generally responsible for:
- deciding which Services to purchase and ensuring they remain appropriate to your risk profile;
- how your staff, contractors and partners use systems and data;
- internal HR, disciplinary and compliance processes;
- meeting regulatory obligations that extend beyond the scope of the Services.
- Shared responsibilities include:
- keeping information up to date (for example joiners/leavers, changes to locations or systems);
- implementing recommended controls where reasonable;
- responding promptly to incidents and following agreed procedures.
Administrative Access and Customer Responsibility
Where customers or their staff are granted administrative or elevated permissions, they accept responsibility for any changes made using those privileges. Cultrix is not responsible for service interruptions, misconfiguration or data loss resulting from customer-initiated administrative actions. Any remediation required will be handled as chargeable consultancy.
Cultrix may recommend limiting or removing administrative privileges where repeated incidents arise from misuse.
3. Devices and endpoints
Where Cultrix provides endpoint management, patching or security services under your Order:
- Cultrix responsibilities typically include:
- installing and managing agreed agents (for example RMM, antivirus, EDR);
- configuring and maintaining patch policies for supported operating systems and software;
- deploying security policies and controls where packages such as Support + Shield or Guardian are in place;
- monitoring device health and security where Monitoring or Endpoint Protection is included.
- Customer responsibilities typically include:
- ensuring users do not tamper with, disable or remove agents and security controls;
- keeping devices physically secure and reporting lost or stolen devices promptly;
- ensuring unsupported or unmanaged devices are not assumed to be covered by Cultrix;
- deciding which devices are in scope for management under your Order.
4. Cloud services (Microsoft 365, Google Workspace and others)
Where Cultrix provides administration or security services for cloud platforms under your Order:
- Cultrix responsibilities typically include:
- configuring and maintaining agreed tenant-level settings and security policies;
- setting up and managing users, groups and licences as requested by your authorised contacts;
- linking supported tenants into monitoring, backup and security platforms;
- providing guidance on secure configuration and best practice.
- Customer responsibilities typically include:
- ensuring that only authorised users have accounts and that leavers are reported promptly;
- deciding which data is stored in which cloud services and how it is structured;
- ensuring that users follow acceptable use, data protection and information handling policies;
- purchasing and maintaining the necessary licences via your chosen licensing provider.
5. Backup and recovery
Where Backup and Recovery Services are included in your Order:
- Cultrix responsibilities typically include:
- configuring and monitoring agreed backup jobs for in-scope systems and data;
- working with you to restore data or systems when requested via the Service Desk;
- maintaining documented backup schedules and retention settings in line with the Service description;
- escalating backup failures and issues to you where they require your action.
- Customer responsibilities typically include:
- defining which systems, folders and data should be included in backup scope;
- ensuring that critical data is stored in locations covered by backup services;
- reviewing backup summaries or reports where provided and raising concerns promptly;
- requesting restore tests or DR tests where required by your risk appetite.
Where you choose not to purchase a particular backup or continuity service, you remain responsible for any data or systems that are not covered by another backup solution.
6. Security and incident response
Where Endpoint Protection, User Protection or other security services are included in your Order:
- Cultrix responsibilities typically include:
- deploying and managing agreed security tools (for example antivirus, EDR, email security, Dark Web monitoring);
- monitoring alerts and, where SOC services are in place, escalating threats in line with the Incident Response Policy;
- providing guidance on remediation steps and helping to contain incidents;
- keeping security tools up to date within the capabilities of vendors and platforms.
- Customer responsibilities typically include:
- ensuring users follow the Acceptable Use Policy and complete awareness training where provided;
- reporting suspected incidents, phishing attempts or unusual activity promptly;
- implementing recommended process or policy changes to reduce risk;
- making risk-based decisions where you choose not to implement certain recommendations.
7. Compliance and regulatory obligations
Cultrix Services can assist with aspects of regulatory compliance (for example by providing logs, security controls and documentation). However:
- Cultrix is not your legal or compliance adviser and does not guarantee regulatory compliance;
- you are responsible for understanding and meeting your own legal, regulatory and contractual obligations;
- where you have specific compliance frameworks (for example Cyber Essentials, ISO 27001, PCI DSS, DORA), you are responsible for identifying requirements and requesting appropriate Services or advice.
8. Customer choices and risk acceptance
You may decide not to purchase certain Services, to limit the scope of coverage, or to delay recommended changes. Where this occurs:
- we will explain, where reasonably possible, the associated risks and potential impact;
- you are responsible for accepting those risks and documenting them internally if required;
- Cultrix will not be responsible for outcomes that arise from Services or controls that you have chosen not to adopt.
9. Changes to this Annex
Cultrix may update this Shared Responsibility Model to reflect changes in Services, best practice or roles and responsibilities. Updated versions will be published on our website and, for material changes, we will provide reasonable notice.