Product Description and Terms

UNIT OF MEASURE

1. We measure the service quantity as a number of "seats".
2. Seats means a combined total of "users" and "servers" where;
   1. A user for the definition of counting seats is a distinct individual (employee, contractor, offshore worker, third-party user, etc.) who uses or has access to any Service Component under these Terms (for example: Helpdesk support, Microsoft 365, Cybersecurity Training, Cloud Phone, etc.), irrespective of how they connect or whether their device is actively monitored.
   2. A server for the definition of counting seats is any operating system dedicated to providing shared, business-critical services to two or more users, and;
      1. Hosts one or more server roles (for example: domain controller, file server, application server, database/mail/web/print/backup server, virtual desktop host, or similar).
      2. Excludes any endpoint primarily used by a single person for their own work (laptops, desktops, workstations, tablets, phones, even if monitoring or security agents are installed).
3. This service has a minimum quantity of 10 seats.
4. All User and Server Seats must be included - no exclusions for unmanaged email (e.g. Gmail), unmonitored endpoints, offshore devices, offshore staff, subcontracted staff, etc, unless they are;
   1. Managed, supported, and monitored by a third party to a similar level of security as what is included in this service or to a level we agree to in writing and,
   2. at no point request any of the products, services, or components in this service.
5. The components of this service may have different units of measure and/or the individual features of components in this service may have different units of measure as defined in their quantity ratio definition.

ABOUT COMPONENTS

1. This service consists of multiple components.
2. Each component has its own description, client obligations, limitations, and optionally a quantity ratio.
3. The description of a component describes how the service operates, is delivered, and what inclusions if any.
4. The client obligations list your obligations that we require to deliver the services as outlined in this document.
5. The limitations describe examples where we may not be able to supply the services or where the description may be limited by additional factors.
6. the quantity ratio defines the maximum quantity of assets, devices, domains, or other unit of measure covered by the component, represented as a ratio against the total number of seats. For example, 1 domain per 5 users. Where a ratio is defined, the ratio is rounded down to the nearest whole number. Exceeding the quantity ratio for a component will require you to either reduce your usage, increase your seats, or pay a fee for exceeding the quantity included in the component.

Managed Cyber Security Component

Description

Our Managed Cyber Security component is designed to provide a layered cybersecurity approach to protect your organisation from cyber threats. This component includes:

1. Managed Antivirus. We manage your systems built-in antivirus, or the antivirus provided through other inclusive licensing like Microsoft Defender for Endpoint when you subscribe to a plan that provides this antivirus. In the absence of a suitable antivirus, we will supply an antivirus product.
2. Endpoint Detection and Response. We will provide Endpoint Detection and Response capabilities, backed by a 24x7 security operations centre. The Endpoint Detection and Response service will employ techniques such as ransomware canaries, open port detection, malicious process behaviour detection, and persistent foothold detection. Refer to the "Security Operations Centre Response" for how incidents are responded to.
3. Identity Threat Detection and Response. We will provide Identity Threat Detection and Response capabilities, backed by a 24x7 security operations centre. The Identity Threat Detection and Response service will employ techniques such as session hijacking protection, credential theft protection, location and VPN anomaly detection, rogue application detection, and other signal monitoring methods. Refer to the "Security Operations Centre Response" for how incidents are responded to.
4. Security Operations Centre Response. The security operations centre will respond to threats and alerts in a timely manner.
   1. Where the security operations centre can confirm a compromise with confidence the security operations team will remotely isolate the impacted device or user account.
   2. Where the security operations centre cannot confirm a compromise with confidence;
      1. an incident report will be supplied to our frontline helpdesk who will perform additional investigation, contact the impacted user or assigned user of the impacted device, and
      2. if we are unable to contact the user, out of an abundance of caution, isolate the impacted device or user account.
   3. when isolating a device or user account;
      1. isolating a device means to restrict its ability to communicate with any network, and
      2. isolating a user means to restrict its ability to log in and revoke any existing sessions.
5. DNS Security Filtering. We will provide at the device or network level, Domain Name Service (DNS) security and category filtering. We will use DNS Security filtering to block threats through blocking known malicious domain names, risky Top Level Domain (TLD) extensions, domains that do not satisfy minimum age requirements, and similar. You may optionally use the DNS filtering service to block categories of domains such as gambling, artificial intelligence, recruitment, social media, and similar.
6. Domain Registration and DNS Management. We will register your gTLD and auTLD domains (.com, .net, .org, .com.au, .net.au, .org.au) domains as part of the service. We will keep the domain registered, protect it from unauthorized transfers and modification, manage its DNS records, and provide valid SPF, DKIM, and DMARC configuration for your domains to prevent impersonation and spoofing attacks.
7. Backups for Servers. We will provide a backup service for your servers and retain those backups with an agreed upon retention period. We will provide 1 Terabyte of backup storage per server (pooled) held offsite from your organisations environment. If your backup requirements exceed the allocated storage, we will notify you and either lower your retention period to reduce your storage requirements or charge you for the additional storage. Backups will be taken once per day, or at an agreed upon cadence.
8. Backups for Microsoft 365. Where we are providing your Microsoft 365 licensing, we will include backups as a service, retain information for up to 7 years or until you cancel your service with us, performing a backup at least once per day. It will include features such as point in time restore, eDiscovery search, with unlimited storage. We will back up the following workloads inside of Microsoft 365;
   1. Exchange Online
      1. Outlook Mail​
      2. Folders​
      3. Contacts​
      4. Calendars​
      5. Tasks​
      6. Attachments​
      7. In-place Archives​
      8. Public Folders and Subfolders
      9. Shared Mailboxes​
   2. SharePoint
      1. Sites​
      2. Sub-Sites​
      3. Documents​
      4. Folders​
      5. Lists
      6. Site Assets​
      7. Site Pages​
      8. Style Library​​
      9. Permissions​
   3. OneDrive
      1. Drives
      2. Folders​
      3. Permissions​
   4. Groups & Teams
      1. Channels (Private & Public)​
      2. Conversations
      3. Permissions
      4. Tasks
      5. Mailbox​
      6. Drives
      7. Sites
      8. Calendar​
      9. Files​
      10. Notebooks
      11. Planner
      12. Private Chats
9. Regular Backup Testing. We will validate and test the backups we take on an automated basis once every business day. We will perform disaster recovery testing of the backups we take, once per year.

Client Obligations

For the Managed Cyber Security component, clients and their staff are required to:

1. Attend any cyber security incident response sessions we hold.
2. Participate any cyber security audits we may perform when requested.
3. Implement changes in your businesses processes that we recommend, where the recommendations would increase your cyber security. This may include changes such as regularly reviewing access to systems, implementing approval workflows, modifying your employment and termination procedures to correctly add and remove users from IT systems.
4. Notify us in a timely manner of all employee hires and terminations.
5. Notify us of any expected travel before the travel date.
6. Notify us of any suspected cyber security incident, such as accidentally clicking on a phishing link, running a file that had unexpected behaviour, or unusual behaviour within your systems.
7. Assign as us your Partner of Record in Microsoft 365, and grant what permissions and access that we ask for.
8. Provide us with access to your systems when required to install, reinstall, configure, repair, or diagnose issues with our software and services.
9. Purchase and maintain suitable onsite storage that meets our requirements as requested by us, to facilitate server backups.

Service Limitations

The Workstation Monitoring component has the following limits:

1. DNS Security Filtering Limitations: The categorization systems for domains may from time to time, incorrectly categorize a domain, allowing it through the filter, or blocking it as a false positive. If any domain is miscategorized, you may notify us, and we will submit it for reclassification.
2. Backup Licensing Limitations:
   1. Deactivated Mailboxes: We grant up to 20% (rounded down) free deactivated backups. For the avoidance of doubt, this means that if we are providing the service for ten users, we will keep up to two mailboxes under a 'Deactivated' status. This will retain the existing backup data but will not receive new backup information.
   2. Shared Mailboxes: We grant up to 50% (rounded down) free shared mailbox backups. For the avoidance of doubt, this means that if we are providing the service for ten users, we will include the backups for up to five shared mailboxes as part of the service.
   3. License Overages: All mailboxes must be backed up; we do not exclude any mailboxes from our backup service. If your backup requirements exceed our backup allowances, we will contact you and either remove mailboxes from your Microsoft 365 service or charge you for the overages at our current backup service rates.
3. Supported Operating Systems for EDR: The Endpoint Detection and Response service can only run on supported operating systems. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
   • Microsoft Windows Editions
   • Microsoft Windows Server Editions
   • macOS
4. Supported Operating Systems for Managed Antivirus: The Antivirus Management features are only available on supported operating systems. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
   • Microsoft Windows Editions
   • Microsoft Windows Server Editions
5. Supported Operating Systems for DNS Security Filtering: The DNS Security Filtering features are only available on supported operating systems. If your device is not supported, we will deploy network level filtering or DNS forwarding as an alternative. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
   • Microsoft Windows Editions
   • Android and iOS
   • Chromebook (through chrome extensions)
   • macOS
6. Supported Operating Systems for Backups: We can only back up supported operating systems, that have not reached end-of-life support from their manufacturer. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
   • Microsoft Windows Editions
   • Microsoft Windows Server Editions
   • Linux
   • macOS
7. Recovery Time Objectives: The time to recover from backups are subject to the amount of data stored and available bandwidth. Recovery is performed as fast as the technology allows. Once we complete our first annual disaster recovery test, we will report on the time it takes to restore from backups.

Quantity Ratios

1. Domain Registration and DNS Management: 1 Domain per 5 seats.
2. Managed Antivirus: 1.35 devices per seat.
3. Endpoint Detection and Response: 1.35 devices per seat.

Microsoft 365 Component

Description

Our Microsoft 365 component is designed to provide each user with a Microsoft 365 Business Premium License, manage your Microsoft 365 environment, increase adoption of the Microsoft 365 range of features, and secure your Microsoft 365 environment. This component includes:

1. Microsoft 365 Business Premium. We will provide each user with one Microsoft 365 Business Premium license.
2. Microsoft 365 Environment Management. We will manage your Microsoft 365 Environment including;
   1. License Management
   2. Configuration and Management of Security Policies
   3. Configuration and Enablement of the features included in your Microsoft 365 licenses
3. Microsoft 365 Intune Management. We will configure and manage Microsoft 365 Intune with an aim to provide a consistent and secure experience among your owned devices, deploy applications, patches, policies, and controls.
4. Microsoft 365 Secure Score Monitoring. We will monitor, manage, and implement Microsoft 365 Secure Score recommendations to improve your security posture.
5. Microsoft 365 Best Practices. We will configure and manage the implementation of our Microsoft 365 best practices, with an aim to reduce complexity, increase security, and standardise your environment with our recommendations.

Client Obligations

For the Microsoft 365 component, clients and their staff are expected to:

1. Adhere to Microsoft 365's licensing terms and other terms of service.
2. Participate in discovery and onboarding sessions we may run from time to time, to configure the Microsoft 365 environment to be suitable for your organisation.
3. Implement policies and processes to support our security recommendations.
4. Use company owned, or devices enrolled in Microsoft 365 Intune, for work purposes only and not for personal use.
5. Use personal devices for personal use only, not for work purposes.

Service Limitations

The Microsoft 365 component service has the following limits:

1. Maximum Licenses: Microsoft 365 Business Premium Licenses have a maximum limit of 300 per organisation. If you would exceed this limit, you will be required to purchase an equivalent or higher Enterprise license, beyond the first 300 licenses.
2. Service Enablement Cadence: You may request at any time, that we assist with any new feature implementation or improvement to an existing feature within your Microsoft 365 platform. The order, rate, and cadence with which we provide assistance, configuration, and improvements to Microsoft 365 features is at our discretion, acting in good faith.

Email Signature Management Component

Description

Our Email Signature Management component is designed to provide centralised management of email signatures for the Microsoft 365 platform to deliver email signatures with templates, consistent branding, and seasonal promotional information. This component includes:

1. Email Signature Management. We will configure and manage your Microsoft 365 email signatures for automatic deployment.
2. Custom Templates. We will design your email signatures to be consistent with your branding.
3. Dynamic Content. We will create and schedule dynamic content such as promotional messages, legal disclaimers, booking links, and other content.

Client Obligations

For the Email Signature Management component, clients and their staff are expected to:

1. Provide existing signatures or branding guides.
2. Provide a complete list of staff, including all required contact information to be included in their signatures such as email address, phone number, mobile number, office location, etc.

Service Limitations

The Email Signature Management component service has the following limits:

1. Signature Formatting: Email signatures must be interpreted by multiple email clients, devices, languages, screen sizes, and printable formats. Therefore, some design styles may not be possible such as gradients, rounded corners, rounded images, and image overlaps.
2. Attachment and Embedding Size Limits: To allow reliable delivery of your emails;
   • images embedded are limited to 150kb,
   • custom font files limited to 1MB,
   • a maximum of 250 elements in a single signature,
   • at most 50 images in a signature, and
   • at most 20 child elements in a container (such as a table or a table cell).
3. Externally Hosted Signature Images: Images hosted externally instead of being embedded in the template will not display on most email clients, due to privacy controls.

Cloud Printer Management Component

Description

Our Cloud Printer Management component is designed to provide automatic deployment, universal configurations, and real-time control for your printers. This component includes:

1. Central Printer Management. We will configure and manage your printers through our cloud printer management platform.
2. Automated Printer Deployment. We will configure your systems for automated printer deployment and configuration to maintain a consistent experience among your devices.
3. Cloud Printing. We will deploy our print agent that will allow you to print from supported Windows, MacOS, iOS, Chromebook, and Android devices.
4. Usage Tracking and Auditing. We will provide upon request, usage reports and print activity.

Client Obligations

For the Cloud Printer Management component, clients and their staff are expected to:

1. Provide at least one computer that is powered on and connected to the internet for each location or network where you have printer.
2. Provide timely access to printers and devices when required by our staff to support the service.

Service Limitations

The Cloud Printer Management component service has the following limits:

1. Supported Printers: We support printers from Brother, Canon, Epson, Fujifilm, HP, Konica Minolta, Kyocera, Lexmark, Ricoh, and Xerox. Some models may not support all features. 
2. Internet Connectivity: Cloud printing is delivered over the internet and requires a reliable internet connection to operate.

Cloud Phone System Component

Description

Our Cloud Phone System component delivers a modern digital voice communication system over the internet, providing advanced call features and flexible management. The service includes;

1. Included Calls. Unlimited calls to Local, Mobile and National Numbers Included.
2. White-Glove Setup. We will configure and design your phone system, call routing, users, and groups for you.
3. Configuration Changes. We include all system configuration changes.
4. Lines Included. We allow unlimited number of simultaneous inbound and outbound calls.
5. Call Features. We will support the following phone system features;
   • IVR Menus
   • Ring Groups
   • Call Transfer
   • Fax to Email
   • Email to Fax
   • Conferencing
   • Group Pickup
   • Distinctive Ring
   • Blacklist
   • Time of Day Routing
   • Operator Toggled Routing
   • Busy Lamp Field
   • Call Forwarding
   • Hot Desking
   • Call Recording

Client Obligations

For the Cloud Phone System component, clients and their staff are expected to;

1. Provide and maintain either;
   1. an approved supported handset device (available for lease or purchase) as required,
   2. an approved supported headset device (for use with our desktop application) as required or,
   3. an approved supported mobile device (for use with our mobile application) as required
2. Ensure a reliable broadband internet connection at each location utilizing the service.
3. Supply accurate contact details, account information, and necessary details for number porting and service setup.
4. Cooperate with service provider staff during setup, management, and troubleshooting activities.
5. Provide accurate location information where the system is being used so that we can maintain correct information in the IPND (Integrated Public Number Database) database.
6. Comply with Australian Privacy Laws, the Spam Act, and Telecommunications Act.

Service Limitations

The Cloud Phone System component has the following limitations;

1. Emergency Calls: This service may not support emergency calls (e.g., Triple Zero, ‘000’). Clients should have alternative means such as a landline or mobile for emergencies.
2. Location Data: The accuracy of location information relies on the address registered with the IPND (Integrated Public Number Database). Updates should be provided to ensure correct emergency data.
3. International Calls: International calling is disabled by default but may be enabled on an account or country basis upon request.
4. Marketing Call Centres: Our service is not suited to outbound marketing firms or call centres. Call inclusions are subject to acceptable use policies.
5. Premium Numbers: Calls to premium and toll numbers are prohibited.
6. Call Limits: Outgoing call charges are subject to limits to prevent toll fraud. If we detect an abnormally high number of calls originating from your account, we may restrict outbound calls. Notifications are sent as thresholds are approached, and limits can be increased upon request.
7. Transfer of Ownership: Only the account holder may pay for the service. If the account holder is a business entity and is sold, any agreement regarding the service automatically transfers to the new owners. If the service needs to be transferred to a new entity, you must request a change of lessee.
8. Number Porting Fees: Porting may incur fees depending on the complexity:
   • Cat A (simple): $30
   • Cat C (complex): Up to $330 Port rejection or reversal may incur additional charges if incorrect details are provided or porting fails.

Internet Services Component

Description

Our Internet Services component is designed to provide reliable connectivity through NBN (National Broadband Network). Our services include;

1. Installation and Configuration. We will provision, install, and configure a suitable NBN or eNBN service to each of your business locations.
2. Management and Support. We will monitor, maintain, and support the NBN or eNBN service remotely and onsite.
3. Managed Router. We will provide as an included leased asset, a suitable firewall or router device for the internet service we install and configure it for performance and security.
4. Unlimited Bandwidth. We will allocate unlimited upload and download bandwidth for the internet services we supply.
5. Service Level Agreements. We will supply service SLAs based on your network requirements and the quantity ratios defined in this component. Failure to achieve Uptime Guarantees result in a rebate back on your monthly service. The uptime guarantees and SLAs provided are one of the following;
   1. Basic SLA
      1. Best Effort Uptime Guarantee.
      2. Standard 8am to 5pm Business Support Availability.
      3. All nbn® faults on your account will be actioned as soon as possible.
   2. Bronze SLA
      1. Best Effort Uptime Guarantee.
      2. 24/7 Support Availability.
      3. 12hr eSLA: Guarantees that all nbn faults on your account will be actioned within 12 hours, 24/7.
   3. Silver SLA
      1. 99% Uptime Guarantee.
      2. 24/7 Support Availability.
      3. 8hr eSLA: Guarantees that all nbn faults on your account will be actioned within 8 hours, 24/7.
   4. Gold SLA
      1. 99.95% Uptime Guarantee.
      2. 24/7 Support Availability.
      3. 4hr eSLA: Guarantees that all nbn faults on your account will be actioned within 4 hours, 24/7.

Client Obligations

Clients and their staff are expected to:

1. Provide clear access to the premises for onsite installations and support activities.
2. Ensure their network equipment remains compatible and connected according to our configuration requirements.
3. Communicate any network or equipment issues promptly to facilitate timely resolution.
4. Provide accurate details for service setup and any required updates to suit any specific configuration needs.

Service Limitations

1. Onsite Support Availability: The availability of onsite support and configuration depends on your location being within our service area.
2. Speed & Traffic: During peak times, shared network infrastructure may result in lower speeds than advertised, or may otherwise be limited by the technology available in your area, or the quality of the physical infrastructure in your area.
3. Delivery Timelines: eNBN fibre installation can take a significant amount of time from when you place your order and depend on network rollout timings.
4. Technology Availability: We can only supply services available through the NBNCo network, therefore, if NBN services are unavailable at your location, we may be unable to provide an internet service to that location.
5. SLAs: Base plans offer "Best Effort" service, with optional upgraded SLAs available for higher uptime guarantees and support responsiveness.
6. Setup Fees: Setup fees will apply for any new standard NBN internet connection less than 12 months, and for any new enterprise NBN internet Connection less than 36 months.

Quantity Ratios

1. Any combination of the following standard NBN internet connections where the total seat ratio does not exceed the number of seats;
   1. Per 10 seats
      • 100Mbps download
      • 40Mbps upload
      • Basic SLA
   2. Per 15 seats
      • 250Mbps download
      • 100Mbps upload
      • Gold SLA
   3. Per 20 seats
      • 1000Mbps download
      • 400Mbps upload
      • Gold SLA
2. Instead of/in addition to, and in combination to the standard NBN internet connection ratios above, any combination of the following enterprise NBN internet connections where the total seat ratio does not exceed the number of seats;
   1. Per 35 seats
      • 250Mbps download
      • 250Mbps upload
      • Bronze SLA or
        • Silver SLA for 40 seats
        • Gold SLA for 45 seats
   2. Per 45 seats
      • 500Mbps download
      • 500Mbps upload
      • Bronze SLA or
        • Silver SLA for 50 seats
        • Gold SLA for 55 seats
   3. Per 65 seats
      • 1000Mbps download
      • 1000Mbps upload
      • Bronze SLA or
        • Silver SLA for 70 seats
        • Gold SLA for 75 seats

Web Hosting Component

Description

Our Web Hosting and Management component is designed to provide reliable and secure web hosting for your website. This component includes;

1. Web Hosting Platform. We will migrate supported websites and host them on our web hosting platform designed around performance and security. You will be provided upon request, access to our web hosting management platform so that you or a third party may manage your website.
2. Web Hosting Security. We will provide and enable by default, our web hosting fortification system, which prevents unauthorised modifications to your website through common exploits and vulnerabilities.
3. Web Hosting Backups. We will provide a snapshot service which you may optionally enable to take regular snapshots of your website either on demand, or automatically prior to any automated updates (if they are triggered by our platform). In addition, we will perform regular backups of your website to a physically separate location no less than once every two days.
4. Website Application Updates. We will automatically update any supported website content management system where possible, attempted at least once per week.

Client Obligations

Clients and their staff are expected to:

1. Provide a complete copy of your existing website and its database to us or provide access to your existing website files and its database to facilitate the migration of your website to our service.
2. Ensure you maintain correct and valid licensing for any plugins or themes that your website requires.
3. Keep your website code up to date to support the current version of the Content Management System it is operating on.
4. Fix errors on the website that prevent it from being updated.
5. Protect contact forms, and sign-up forms to prevent abuse by using a CAPTCHA service or similar.

Service Limitations

1. Supported Websites: We can only host websites that run on technologies that our web servers support. Due to the large variety of programming languages, database engines, and other web hosting platforms, you must contact us to verify compatibility.
2. Shared Hosting: The hosting servers are shared with our other customers, so while you are allocated a set amount of resources, there may be times at peak usage where your resources are congested. We monitor resource usage and allocate additional resources should our servers ever get close to capacity.
3. Automatic Updates: Automatic updates are dependant upon you running a supported CMS system. We currently support automatic updates for WordPress, Nextcloud, Laravel, Joomla!, Drupal, Ghost and Discourse. It also requires that any plugins and themes your website uses are licensed and in good standing. Invalid licensing for plugins and themes will prevent the website from updating.
4. Support We Provide: While support for the web hosting platform, backups, updates, and similar functionality is included, support for the code your website runs, the design of your website, and management of the content on your website is not included and is considered outside of scope.
5. Brute Force and Abuse Protection: Our fortification system bans abusive visitors that are detected by our systems to be attempting brute force attacks or requesting content at a rate that exceeds our safety standards. When this is detected, our web hosting platform may temporarily restrict the source IP from visiting any website we host for up to 24 hours, based on the severity. At your request, we can alter the rate limits from our standards, but the limits we impose are at our sole discretion.

Quantity Ratios

1. You may host any number of websites on your plan, provided it fits within the resource limits we assign to you. These limits are;
   • 1GB of storage per 2 seats
   • 1GB of ram per 5 seats (minimum of 3GB)
   • 120GB of bandwidth per 10 seats

Cybersecurity Training Component

Description

Our Cybersecurity Training component is designed to integrate with Microsoft 365, provide regular training and phishing testing through email, to educate your staff on common cyber security threats with an aim to reduce the likelihood of your staff falling victim to a phishing or scam attack. This component includes:

1. Training Content. We will deliver to your staff via email, training content involving a mixture of video, image and text content, with over 100 training modules covering a range of cyber security topics. This content will be delivered once every two weeks.
2. Phishing Testing. We will design, produce, and deliver phishing testing content designed to test the effectiveness of the training content and your staff's awareness to common attack methods.
3. Learning Moments. When a user fails a phishing test, we will deliver timely training modules or micro-content to provide further education as to how to spot attacks similar to the test content that they failed.
4. Live Education Sessions. We may, from time to time, deliver in person or online, live educational content regarding emerging threats.
5. Reporting. We will provide regular reports every month or quarter showing staff training progress, phishing test failures, and other similar metrics.

Client Obligations

For the Cybersecurity Training component, clients and their staff are expected to:

1. Participate in necessary onboarding sessions and implement an internal review process to review the reports we provide and ensure staff are caught up on their training.
2. When training content is delivered, complete the training within a reasonable timeframe.

Service Limitations

The Cybersecurity Training service has the following limits:

1. Training Delivery Cadence: We recommend that you deliver training content once every two weeks, but we will take into account your requests for setting the cadence for delivering training content. While we may alter the frequency with which training content is delivered at your request, the final decision as to how the campaigns are delivered are at our sole discretion.
2. Platform Changes and Progress Tracking: We may from time to time, change which platform or training content we use for delivering our training content, if it would provide a better training experience or provide improved content. When we change platforms or content providers, historical statistics and training progress may be reset.
3. Live Education: Is delivered in person or online at our sole discretion.

Password Manager Component

Description

Our Password Manager component is designed to provide a secure, zero-knowledge, end-to-end encrypted password storage and management for your organisation. This component includes:

1. Password Management. We will provide and implement a password manager service, for you to securely store, use, and share passwords and other secrets or sensitive information.
2. Single Sign-On. We will configure and enable Single Sign-On with your Microsoft 365 Environment, to facilitate a secure login process with your password manager.
3. Password Manager Applications. We will provide apps for compatible devices for you to access your passwords and secrets and enable password autofill functionality, including multi-factor authentication autofill.
4. Platform Management. We will manage the policies that apply to your password manager service, including password strength requirements, dark web monitoring, auditing, and alerts.
5. Vault Transfer. To mitigate the risk of data loss due to loss of access, we may enable a feature called "Vault Transfer" that allows us to transfer all records from one user within the Password Manager, to another user within the same organisation. When this feature is enabled, staff will be notified that this feature is enabled when they log in for the first time.

Client Obligations

For the Password Manager component, clients and their staff are expected to:

1. Participate in necessary onboarding sessions and training.
2. Change passwords for services and websites that our reports indicate are compromised, weak, reused, or otherwise determined to be a risk.
3. To facilitate regular audits, detection of risky passwords, and aid in employee offboarding, store all your passwords ONLY within the provided password manager.

Service Limitations

While our Password Manager service has the following limits:

1. Zero-Knowledge Password Storage: Passwords and secrets belong to the user of staff member who created the record, even if the record is shared. Due to the nature of a Zero-Knowledge platform, if a user loses access to their account, the records they own within the platform cannot be recovered unless vault transfer is enabled.
2. Limitations of Backups: As the platform is end-to-end encrypted with zero knowledge, no recovery is possible by us if access or data is lost by the Client and backups of your data stored inside the password manager service is the client's responsibility.

Centralised Logging Component

Description

Our Centralised Logging component is designed to bring log events and signals from Firewalls, Servers, Computers, and more into a central location for auditing purposes, and for threat signal monitoring. This component includes:

1. Logging Data Sources. We will collect logging information from supported devices and store them in a central Security information and event management (SIEM) platform, over the internet through a secure connection.
2. 24x7 SOC Threat Hunting. We will provide a 24x7 security operations centre service to monitor the logging information for threat signals and identify malicious behaviour and respond to these events.
3. Data retention. We will store your logging data for at least 1 year. We will not charge for the amount of data stored, but is subject to our acceptable use policies, as per our master terms of service.

Client Obligations

For the Centralised Logging component, clients and their staff are expected to:

1. Provide access to devices, services, and systems for us to enable system logging
2. Aid in locating and identifying devices such as modems, routers, networking equipment, wireless access points, sound systems, printers, and similar devices and services to facilitate the enablement of logging.

Service Limitations

Centralised Logging component service has the following limits:

1. Supported Devices: Our centralised logging service supports specific operating systems and network equipment. The method of log collection and ability to parse and filter information depends on the hardware and software supported. You may request a list of current supported devices and software from us and the list may change from time to time. The list of devices includes, but is not limited to;
   • HARDWARE
     • Fortinet
     • Meraki
     • Palo Alto
     • pfSense
     • SonicWALL
     • Sophos
     • Ubiquiti
     • WatchGuard
   • SOFTWARE
     • LastPass
     • Duo
     • Keeper Security
     • DNS Filter
     • Windows Security Logs
     • Windows PowerShell Logs
     • 1Password

Quantity Ratios

1. Centralised Logging Component: 1.5 devices or data sources per seat.

Vulnerability Scanning Component

Description

Our Vulnerability Scanning component is designed to mitigate risks through identification of assets, vulnerabilities, patching, remediation, and reporting. It is designed to go beyond our standard Monitoring and Patching service by extending its coverage to more applications, and supported network devices. This component includes:

1. Comprehensive Asset Discovery. We will provide asset scanning, to discover assets, applications and networks within your environment.
2. Vulnerability Tracking. We will track all publicly disclosed Common Vulnerability and Exposures (CVEs) through the National Vulnerability Database.
3. Extended Application Patching. We will install security patches for over 600 third-party software titles to protect against vulnerabilities.
4. Manual Remediation. We will manually remediate vulnerabilities in a timely manner where possible, based on their risk rating through our Exploit Prediction Scoring System (EPSS), targeting any vulnerabilities with the highest EPSS score first.

Client Obligations

For the Vulnerability Scanning component, clients and their staff are expected to:

1. Provide access to devices, services, and systems for us to enable vulnerability scanning.
2. Perform actions to enable us to apply vulnerability remediations, such as turning on or rebooting devices, providing access, restarting applications, and similar actions.

Service Limitations

The Vulnerability Scanning component service has the following limits:

1. Vulnerability Remediation Availability: It is possible for there to be a known vulnerability, but no known patch or remediation. If possible, we will remove the offending software entirely if there is no known remediation or rely upon alternate controls like Application Control to mitigate the vulnerability.
2. Automated Patching and Remediation: Required the device to be online and powered on in order for patches and remediations to be applied. Attempts to patch and remediate will be attempted automatically at least once per day.
3. Manual Patching and Remediation: Where our systems have detected a failure to automatically patch or remediate a vulnerability, it will automatically submit a request to our managed helpdesk for manual intervention. The priority of this request will be determined by its EPSS score, then subject to our SLAs as per our Master Terms of Service.

Quantity Ratios

1. Vulnerability Scanning Component: 2 monitored assets per seat.

Vendor Management Component

Description

Our Vendor Management component is designed to provide management for third-party software as a service (SaaS) platforms and other third-party vendors with an aim to ensure they meet baseline security and compliance requirements and meet business needs. This component includes:

1. Discovery & Qualification. We will source and/or review a list of SaaS solutions to evaluate if they fit your business needs, goals, and security requirements. We will attend any sales, scoping, or technical calls between you and these vendors for this purpose.
2. Implementation and Project Management. We will manage, track, coordinate, and assist in the implementation of new SaaS applications and services, such as CRMs, ERPs, Marketing Platforms, and similar.
3. Communication Management. We will manage technical communications between you and SaaS providers to aid in providing support.
4. Risk Identification and Compliance Reviews. We will on a regular cadence, review your list of SaaS platforms, the data they hold on your behalf, the security controls they implement, and if they meet your current security and compliance requirements. We will assist you with auditing user access and your business processes around allowing and revoking user access.

Client Obligations

For Vendor Management component, clients and their staff are expected to:

1. Communicate with third-party vendors and SaaS providers to authorise us as a contact to act on your behalf.
2. Attend the Risk Identification and Compliance Reviews when we schedule them and implement changes to your business processes to ensure ex-staff and unauthorized users have their access revoked from SaaS platforms.
3. Complete in a timely manner, tasks generated by us, to complete the implementation of SaaS platforms.

Service Limitations

The Vendor Management component service has the following limits:

1. Competing Products: If we are asked to assist with the implementation of a third-party vendor or SaaS platform, where we are capable of providing a similar product or service, it is excluded from this service as per our Master Terms of Service.

Technology Success Program Component

Description

Our Technology Success Program component is designed to establish a regular meeting cadence to provide consulting services aimed at delivering on compliance requirements, growth, automation, and optimisation. Where the Security & Tech Review component is reporting and reviewing, this component is about future strategy planning and proposing improvements to your organisation. This component includes:

1. Regular Meetings. We will on a regular cadence, meet with you to provide consulting services to discuss, advise, and manage the inclusions of this service.
2. Compliance Management. We will discuss, review, manage, and track your compliance requirements imposed upon you by external parties. For example, implementation of the ACSC's Essential 8 guidance.
3. Growth Acceleration. We will discuss with you and other staff in management positions their systems, processes, and operations to identify optimisations and new methods to aid in growth.
4. Process Automation. We will discuss with you and your staff their daily tasks and duties to identify administrative overhead and repetitive tasks that could be replaced with automation and other technologies.
5. Technology Roadmap. We will leverage our Technology Success Roadmap processes to work with you to understand your business, it's goals, challenges, targets, organisations structure, operational processes. We will use that information to enhance the services we provide to you with an aim to align our efforts with your goals. We will then provide an IT roadmap outlining projects and future goals related to technology to prioritise and manage any related projects and tasks.

Client Obligations

For the Technology Success Program component, clients and their staff are expected to:

1. Respond in a timely manner to scheduling requests and/or schedule with us a regular meeting schedule such as "the First Monday of Every Quarter at 10am".
2. Set aside no less than 120 minutes per meeting and dedicate that time to the meeting.
3. Join or Attend meetings at the time they are scheduled.
4. Provide no less than 5 full business days' notice for rescheduling a meeting or as soon as reasonable able where rescheduling is due to an illness or personal emergency.
5. Reschedule a meeting for no later than 30 days after it was originally scheduled.
6. Consider and where reasonable, implement our recommendations given during the Technology Success Program meetings.

Service Limitations

The Technology Success Program component service has the following limits:

1. Scheduling Limitations: You will be assigned a single, dedicated Technology Success Director. Where your Technology Success Director is unavailable due to;
   1. planned scheduled leave, we will notify you at least 5 business days in advance.
   2. illness, personal emergency, or an incident requires their attention that is logged as Priority 1 critical, we will notify you as soon as we are reasonable able.
   3. we may opt to assign another senior manager to attend the meeting in their stead. You may choose to accept the new assignment or opt to reschedule.
2. Reporting Limitations: Reports are gathered from a variety of first party and third-party sources. Where these sources are not accessible, reporting may be unavailable or delayed.
3. Minimum Users: This service is only included on agreements with a minimum commitment of 30 users or more. If you have less than 30 users, you may opt in for this service for an additional fee.
4. Meeting Cadence: The meeting cadence of this service is at our discretion, acting in good faith, based on your needs and compliance requirements. We will meet with you no less than once per year and no more frequently than once every quarter. You may opt for more regular meetings than what we have decided for an additional fee.
5. Project Proposals: The project work and tasks we propose are not covered by this component and may be considered out of scope. If the project proposal would be covered by this service or another service you have with us, we will notify you as a part of the proposal. Otherwise, the work required to complete the proposed project should be considered out of scope.