ABOUT THIS DOCUMENT
- This document is referred to as the Managed IT Terms, Base Plan Terms, or Managed IT Base Plan Terms.
- This document outlines the Managed IT service that the Service Provider provides to its clients.
- Completion by both the Client and the Service Provider of an Order Form for this service constitutes acceptance of these Terms.
- The Service Provider advises its clients that its terms are published at https://ccp.com.au/terms
- For definitions and our Master Terms of Service, read our Master Terms of Service available at https://ccp.com.au/terms/terms-of-service
GLOSSARY OF TERMS
See the Legal Glossary for the full glossary. It is shared across all four plan product descriptions and is referenced here rather than inlined.
UNIT OF MEASURE
- We measure the service quantity as a number of “seats”.
- Seats means a combined total of “users” and “servers” where;
- A user for the definition of counting seats is a distinct individual (employee, contractor, offshore worker, third-party user, etc.) who uses or has access to any Service Component under these Terms (for example: Helpdesk support, Microsoft 365, Cybersecurity Training, Cloud Phone, etc.), irrespective of how they connect or whether their device is actively monitored.
- A server for the definition of counting seats is any operating system dedicated to providing shared, business-critical services to two or more users, and;
- Hosts one or more server roles (for example: domain controller, file server, application server, database/mail/web/print/backup server, virtual desktop host, or similar).
- Excludes any endpoint primarily used by a single person for their own work (laptops, desktops, workstations, tablets, phones, even if monitoring or security agents are installed).
- This service has a minimum quantity of 10 seats.
- All User and Server Seats must be included - no exclusions for unmanaged email (e.g. Gmail), unmonitored endpoints, offshore devices, offshore staff, subcontracted staff, etc., unless they are;
- Managed, supported, and monitored by a third party to a similar level of security as what is included in this service or to a level we agree to in writing and,
- at no point request any of the products, services, or components in this service.
- The components of this service may have different units of measure and/or the individual features of components in this service may have different units of measure as defined in their quantity ratio definition.
ABOUT COMPONENTS
- This service consists of multiple components.
- Each component has its own description, client obligations, limitations, and optionally a quantity ratio.
- The description of a component describes how the service operates, how it is delivered, and what inclusions it has, if any.
- The client obligations list your obligations that we require to deliver the services as outlined in this document.
- The limitations describe examples where we may not be able to supply the services or where the description may be limited by additional factors.
- The quantity ratio defines the maximum quantity of assets, devices, domains, or other unit of measure covered by the component, represented as a ratio against the total number of seats. For example, 1 domain per 5 users. Where a ratio is defined, the ratio is rounded down to the nearest whole number. Exceeding the quantity ratio for a component will require you to either reduce your usage, increase your seats, or pay a fee for exceeding the quantity included in the component.
Client Security Baseline Obligation
Commitment Overview
To maintain a secure and resilient IT environment, all clients are required to meet a defined set of baseline security requirements. These standards are essential for protecting both the client’s and the Service Provider’s systems, data, and operations from cyber threats.
We acknowledge that implementation may take time. However, to the extent permitted by law, the Service Provider is not liable for any security incident, breach, data loss, or related service issue that could reasonably have been prevented by timely implementation or ongoing maintenance of the security controls outlined in this document. Until the security baseline is fully met, any related remediation work will fall outside the scope of our standard service coverage.
Baseline Security Requirements
These baseline requirements apply where the relevant security control is included in your selected services or, if not included, are expected to be implemented via an equivalent solution internally or from a third-party provider unless otherwise agreed to by us in writing:
- Regular Operational Reviews:
- Engage in any regular meeting we schedule to;
- Review reports and address any security concerns with the service provider.
- Reconcile the list of staff and devices, identifying any discrepancies in reports.
- Address any excessive use of our services as defined in our Master Terms of Service.
- Multifactor Authentication (MFA):
- Implement phish-resistant multifactor authentication or similar controls to secure access to all critical systems.
- Application Control:
- Implement our Application Control product or a similar product from another provider to manage and monitor application usage and prevent unauthorized applications from running.
- Vulnerability Management:
- Implement enhanced vulnerability management or an equivalent service offered by another provider to attempt to remediate known vulnerabilities within a 30-day period or better.
- Cybersecurity Awareness Training:
- Participate in Cybersecurity Awareness Training through our service or an equivalent program offered by another provider to educate employees about cybersecurity best practices and threat recognition.
- Password Management:
- Implement a password manager with Single Sign-On capabilities through our service or a similar product from another provider to enhance password security and simplify user authentication.
- HR Collaboration:
- Include the service provider in new hire onboarding and employee termination processes to ensure proper account management and access control.
- Regular Staff and Device Audits:
- Conduct regular reviews with the service provider to reconcile the list of staff and devices, identifying any discrepancies in reports.
- Incident Response Planning:
- Develop and maintain an incident response plan that specifically addresses how to manage and mitigate cyber incidents.
- Data Backup:
- Ensure all critical business data is backed up through our services or a similar backup solution provided by another vendor.
- Collaboration with Software Providers:
- Work with all software providers to implement and enforce multifactor authentication or similar controls.
Liability, Coverage Exclusion, and Remedy
- Until the security baseline is fully implemented:
- To the extent permitted by law, we are not liable for any incident that could reasonably have been prevented by adherence to the requirements set out above.
- Work related to such incidents is not covered by our standard service entitlements and may incur additional charges.
- If we detect you have not implemented (or have removed) a mandatory baseline security control,
- we will notify you in writing, specifying the non-compliance and outlining the steps required. We will offer reasonable assistance to help you comply (where the relevant control is included in your Service plan);
- You will have 30 days (“Remedy Period”) from notice to address the non-compliance or agree on a remediation plan with us. If, after this period, you remain non-compliant:
- We may suspend or restrict only the affected service(s) (e.g. Cyber Security), where technically possible, and you acknowledge that we have no liability for any incidents or losses arising from such service(s) during the period of non-compliance.
- If ongoing non-compliance creates a material risk to our systems or other clients, or if partial suspension is not technically or commercially feasible, we may terminate your agreement with a further 30 days’ written notice.
- We may extend the remedy period if you are actively working with us in good faith to resolve the issue.
- You acknowledge that until all baseline security requirements are met, the effectiveness of our services may be reduced, and we are not responsible for loss or damage that could have been prevented by your compliance.
- By engaging our services, you acknowledge and agree to these baseline security requirements, recognising your role in upholding the security and integrity of the shared IT environment.
Included Components
Managed Helpdesk Component
Description
Our Managed Helpdesk component is designed to provide comprehensive support for your business needs. The component includes:
- Remote Support. We include unlimited remote support, by way of phone calls, emails and remote control software, subject to the acceptable use policy as per the Master Terms of Service.
- Onsite Support. We include unlimited onsite support, within our service area, subject to the acceptable use policy as per the Master Terms of Service.
- Out of Scope Support Rates. Out of scope work is charged at a reduced rate of $190/hour, charged in increments of 15 minutes. Out of scope work performed onsite has a minimum charge of 1 hour.
- Dedicated Support Team. You will have a team of skilled IT technicians, led by at least one senior technician, assigned to your account for consistent and personalized service. At any time, you may request a different team in writing and if it is within reason, we will do our best to fulfil that request.
- Direct Contact Number. You will receive a dedicated phone line for direct access to your support team to bypass any receptionist, dispatcher, or other administrative staff.
- Enhanced Service Level Agreements (SLAs):
- Priority 1 (Critical): Response within 1 business hour.
- Priority 2 (High): Response within 4 business hours.
- Priority 3 (Medium): Response within 1 business day.
- Priority 4 (Low): Response within 2 business days.
- Priority 5 (Very Low): Best effort response.
The priority level is determined based on the urgency and impact of the issue, at our discretion, acting in good faith.
You may opt to escalate the priority level of any request, as per our Master Terms of Service.
Client Obligations
For the Managed Helpdesk component, clients and their staff are required to:
- Provide timely and accurate information necessary for us to perform our services.
- Attend scheduled appointments at the time they are scheduled.
- Perform identity verification for privileged requests to ensure security compliance.
- Use the designated communication channels (our ticketing system, email, or the direct contact number) to log issues for SLA tracking.
Service Limitations
The Managed Helpdesk component has the following limits:
- Response and Resolution Times: These are dependent on the timeliness of the information provided by the customer. SLA times are paused when waiting for third-party vendor responses, identity verification or additional information from the customer. SLA response times are only recorded when requests are logged through our official support email address, our ticketing platform or over the phone.
- Out of Scope Work:
- Any work performed to support a 3rd party’s product where we can provide a comparable service or product is considered out of scope as per our Master Terms of Service.
- On-site work provided outside our service area is considered out of scope.
- Out of scope work is exempt from our SLAs (Service Level Agreements) and is performed at a “Best Effort” response time.
- Project Work: Project work is considered out of scope.
- Project Work typically involves tasks requiring planning, scheduling, stakeholder coordination, or anticipated effort exceeding 3 business days. If in doubt, we will advise you in writing before classifying a request as project work.
- Examples of project work include, but are not limited to;
- Office relocations
- New office fit outs
- New system integrations
- Cloud platform migrations
- SharePoint intranet development
- New server deployments
- New network infrastructure deployments
- Custom software development
Managed Cyber Security Component
Description
Our Managed Cyber Security component is designed to provide a layered cybersecurity approach to protect your organisation from cyber threats. This component includes:
- Managed Antivirus. We manage your systems' built-in antivirus, or the antivirus provided through other inclusive licensing like Microsoft Defender for Endpoint when you subscribe to a plan that provides this antivirus. In the absence of a suitable antivirus, we will supply an antivirus product.
- Endpoint Detection and Response. We will provide Endpoint Detection and Response capabilities, backed by a 24x7 security operations centre. The Endpoint Detection and Response service will employ techniques such as ransomware canaries, open port detection, malicious process behaviour detection, and persistent foothold detection. Refer to the “Security Operations Centre Response” for how incidents are responded to.
- Identity Threat Detection and Response. We will provide Identity Threat Detection and Response capabilities, backed by a 24x7 security operations centre. The Identity Threat Detection and Response service will employ techniques such as session hijacking protection, credential theft protection, location and VPN anomaly detection, rogue application detection, and other signal monitoring methods. Refer to the “Security Operations Centre Response” for how incidents are responded to.
- Security Operations Centre Response. The security operations centre will respond to threats and alerts in a timely manner.
- Where the security operations centre can confirm a compromise with confidence, the security operations team will remotely isolate the impacted device or user account.
- Where the security operations centre cannot confirm a compromise with confidence;
- an incident report will be supplied to our frontline helpdesk who will perform additional investigation, contact the impacted user or assigned user of the impacted device, and
- if we are unable to contact the user, out of an abundance of caution, isolate the impacted device or user account.
- when isolating a device or user account;
- isolating a device means to restrict its ability to communicate with any network, and
- isolating a user means to restrict its ability to log in and revoke any existing sessions.
- DNS Security Filtering. We will provide at the device or network level, Domain Name Service (DNS) security and category filtering. We will use DNS Security filtering to block threats through blocking known malicious domain names, risky Top Level Domain (TLD) extensions, domains that do not satisfy minimum age requirements, and similar. You may optionally use the DNS filtering service to block categories of domains such as gambling, artificial intelligence, recruitment, social media, and similar.
- Domain Registration and DNS Management. We will register your gTLD and auTLD domains (.com, .net, .org, .com.au, .net.au, .org.au) as part of the service. We will keep the domain registered, protect it from unauthorized transfers and modification, manage its DNS records, and provide valid SPF, DKIM, and DMARC configuration for your domains to prevent impersonation and spoofing attacks.
- Backups for Servers. We will provide a backup service for your servers and retain those backups with an agreed upon retention period. We will provide 1 Terabyte of backup storage per server (pooled) held offsite from your organisation's environment. If your backup requirements exceed the allocated storage, we will notify you and either lower your retention period to reduce your storage requirements or charge you for the additional storage. Backups will be taken once per day, or at an agreed upon cadence.
- Backups for Microsoft 365. Where we are providing your Microsoft 365 licensing, we will include backups as a service, retain information for up to 7 years or until you cancel your service with us, performing a backup at least once per day. It will include features such as point in time restore, eDiscovery search, with unlimited storage. We will back up the following workloads inside of Microsoft 365;
- Exchange Online
- Outlook Mail
- Folders
- Contacts
- Calendars
- Tasks
- Attachments
- In-place Archives
- Public Folders and Subfolders
- Shared Mailboxes
- SharePoint
- Sites
- Sub-Sites
- Documents
- Folders
- Lists
- Site Assets
- Site Pages
- Style Library
- Permissions
- OneDrive
- Drives
- Folders
- Permissions
- Groups & Teams
- Channels (Private & Public)
- Conversations
- Permissions
- Tasks
- Mailbox
- Drives
- Sites
- Calendar
- Files
- Notebooks
- Planner
- Private Chats
- Exchange Online
- Regular Backup Testing. We will validate and test the backups we take on an automated basis once every business day. We will perform disaster recovery testing of the backups we take, once per year.
Client Obligations
For the Managed Cyber Security component, clients and their staff are required to:
- Attend any cyber security incident response sessions we hold.
- Participate in any cyber security audits we may perform when requested.
- Implement changes in your business processes that we recommend, where the recommendations would increase your cyber security. This may include changes such as regularly reviewing access to systems, implementing approval workflows, and modifying your employment and termination procedures to correctly add and remove users from IT systems.
- Notify us in a timely manner of all employee hires and terminations.
- Notify us of any expected travel before the travel date.
- Notify us of any suspected cyber security incident, such as accidentally clicking on a phishing link, running a file that had unexpected behaviour, or unusual behaviour within your systems.
- Assign us as your Partner of Record in Microsoft 365, and grant the permissions and access that we ask for.
- Provide us with access to your systems when required to install, reinstall, configure, repair, or diagnose issues with our software and services.
- Purchase and maintain suitable onsite storage that meets our requirements as requested by us, to facilitate server backups.
Service Limitations
The Workstation Monitoring component has the following limits:
- DNS Security Filtering Limitations: The categorization systems for domains may from time to time, incorrectly categorize a domain, allowing it through the filter, or blocking it as a false positive. If any domain is miscategorized, you may notify us, and we will submit it for reclassification.
- Backup Licensing Limitations:
- Deactivated Mailboxes: We grant up to 20% (rounded down) free deactivated backups. For the avoidance of doubt, this means that if we are providing the service for ten users, we will keep up to two mailboxes under a ‘Deactivated’ status. This will retain the existing backup data but will not receive new backup information.
- Shared Mailboxes: We grant up to 50% (rounded down) free shared mailbox backups. For the avoidance of doubt, this means that if we are providing the service for ten users, we will include the backups for up to five shared mailboxes as part of the service.
- License Overages: All mailboxes must be backed up; we do not exclude any mailboxes from our backup service. If your backup requirements exceed our backup allowances, we will contact you and either remove mailboxes from your Microsoft 365 service or charge you for the overages at our current backup service rates.
- Supported Operating Systems for EDR: The Endpoint Detection and Response service can only run on supported operating systems. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
- Microsoft Windows Editions
- Microsoft Windows Server Editions
- macOS
- Supported Operating Systems for Managed Antivirus: The Antivirus Management features are only available on supported operating systems. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
- Microsoft Windows Editions
- Microsoft Windows Server Editions
- Supported Operating Systems for DNS Security Filtering: The DNS Security Filtering features are only available on supported operating systems. If your device is not supported, we will deploy network level filtering or DNS forwarding as an alternative. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
- Microsoft Windows Editions
- Android and iOS
- Chromebook (through chrome extensions)
- macOS
- Supported Operating Systems for Backups: We can only back up supported operating systems that have not reached end-of-life support from their manufacturer. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
- Microsoft Windows Editions
- Microsoft Windows Server Editions
- Linux
- macOS
- Recovery Time Objectives: The time to recover from backups is subject to the amount of data stored and available bandwidth. Recovery is performed as fast as the technology allows. Once we complete our first annual disaster recovery test, we will report on the time it takes to restore from backups.
Quantity Ratios
- Domain Registration and DNS Management: 1 Domain per 5 seats.
- Managed Antivirus: 1.35 devices per seat.
- Endpoint Detection and Response: 1.35 devices per seat.
Monitoring and Patching Component
Description
Our Monitoring and Patching component is designed to provide remote access for our IT support staff, asset tracking, software cataloguing, fault detection, patching, and remediation on an automated basis. This component includes:
- Asset Inventory: We collect information on devices we monitor, such as serial numbers, operating systems, software installed, resource utilization history, patch status, health status, and more.
- Monitoring and Alerting: We build and define monitoring and alerting policies to detect potential failures, incidents, and tasks requiring remediation.
- Automated Patching: Automated patching of Windows, macOS, and Linux operating systems and automatic updating of over 200 3rd party applications.
- Secure Remote Access: Audited, recorded, and secure remote access for our IT support staff to support their Remote Support work.
- Automated Remediation: We build and deploy automated remediations for common Windows desktop and server issues.
- Warranty Tracking: We record serial numbers of assets and where possible, retrieve warranty information.
Client Obligations
To ensure effective delivery of our Monitoring and Patching component, clients and their staff are required to:
- Provide access to physical devices for us to install our monitoring agent on devices or install the monitoring agent following our instructions when requested.
- Ensure devices are powered on at least once every 30 days to receive patches and updates.
- Restart devices when prompted by us or our monitoring agent to facilitate patching and updates.
Service Limitations
The following limitations apply to our Workstation Monitoring component:
- Patching Limitations: Patching through our monitoring agent is only possible when no other patching solution is in place. In some configurations, we may opt to use alternate services like Microsoft Intune to manage patches of the operating system if we determine it would provide a better patching and updating experience.
- Auditing Limitations: We retain audit logs for a minimum of 90 days. Though we may be able to retrieve audit logging beyond the initial 90 days, it is not guaranteed. Remote support session recordings are stored for 30 days on a best effort basis. Availability of remote support session recordings is not guaranteed.
- Warranty Tracking: Warranty information is dependent upon the information obtainable through the APIs of the manufacturer of the device. If warranty information is inaccurate or unavailable from the manufacturer through their APIs or their API is unavailable, warranty information will not be recorded.
- Supported Operating Systems for Monitoring and Patching: Our monitoring and patching services are available only for supported operating systems that have not reached end-of-life support from their manufacturer. The supported versions will change as new operating systems are released, and older operating systems reach end of life. You may request the list of currently supported operating system versions from us. The supported operating system types are as follows;
- Microsoft Windows Editions
- Microsoft Windows Server Editions
- macOS
- Linux
Security & Tech Review Component
Description
Our Security & Tech Review component is designed to solve the administrative requirements of IT. It is designed to be a regular set of meetings to review your IT security controls and incidents, review the performance of our Managed Helpdesk service, and review your license and service consumption to ensure compliance and combat overspending. The component includes:
- Regular Meetings:
- The team lead of your dedicated Helpdesk team will meet with you no less than once per year and no more frequently than once per quarter.
- The frequency of these meetings is at our sole discretion.
- You may opt for a meeting cadence other than what we have determined, for an additional fee.
- The meeting will be performed online over Microsoft Teams, unless we agree to meet in person.
- We will only agree to meet in person if the meeting location is within our service area.
- Security Review:
- We will report on any security incidents logged, prevented, or remediated since the most recent review.
- If you are using Microsoft 365 Business or Enterprise licenses, we will review your Microsoft 365 Secure Score and provide a roadmap of recommendations to improve your score.
- License and Service Review:
- We will report on your license consumption of any licenses we provide, and upon request report which users in your organisation are using these licenses.
- We will report on your service consumption for services we are providing, or would be capable of providing, with an aim to optimise your costs, reduce administration overhead, and unlock additional revenue.
- Managed Helpdesk Review:
- We will report on and discuss any service incidents, service requests, and change requests that have been flagged by you or our support team for discussion during the next Security & Tech Review.
- We will discuss ticket logging rates, ticket category metrics, user metrics, and other metrics to give you insight into how your staff are utilizing our Helpdesk.
- We will discuss any service incidents, service requests, and change requests that have stalled or were abandoned (we stopped receiving a response from you) to determine if it still needs to be addressed, and re-open and progress these tickets where needed.
- Asset Reporting:
- We will report on your Asset Lifecycle and recommend replacements where we determine it would increase productivity, mitigate risk, or lower costs.
Client Obligations
For the Security & Tech Review component, clients and their staff are required to:
- Respond in a timely manner to scheduling requests and/or schedule with us a regular meeting schedule such as “the First Monday of Every Quarter at 10am”.
- Set aside no less than 90 minutes per meeting and dedicate that time to the meeting.
- Join or attend meetings at the time they are scheduled.
- Provide no less than 1 full business day’s notice for rescheduling a meeting, or as soon as reasonably able where rescheduling is due to an illness or personal emergency.
- Reschedule a meeting for no later than 30 days after it was originally scheduled.
- Consider and where reasonable, implement our recommendations given during the Security & Tech Review meetings.
Service Limitations
The Workstation Monitoring component has the following limits:
- Scheduling Limitations: Your dedicated Managed Helpdesk team has only one team lead. Where the team lead may be unavailable due to;
- planned annual leave, we will notify you at least 1 business day in advance, or
- illness, personal emergency, or an incident logged as Priority 1 critical that requires their attention, we will notify you as soon as we are reasonably able, and
- we may opt to assign another team lead or senior manager to attend the meeting in their stead. You may choose to accept the new assignment or opt to reschedule.
- Reporting Limitations: Reports are gathered from a variety of first party and third-party sources. Where these sources are not accessible, reporting may be unavailable or delayed.
Microsoft 365 Component
Description
Our Microsoft 365 component is designed to manage your Microsoft 365 environment, increase adoption of the Microsoft 365 range of features, and secure your Microsoft 365 environment. This component includes:
- Microsoft 365 Environment Management. We will manage your Microsoft 365 Environment including;
- License Management
- Configuration and Management of Security Policies
- Configuration and Enablement of the features included in your Microsoft 365 licenses
- Microsoft 365 Intune Management. We will configure and manage Microsoft 365 Intune with an aim to provide a consistent and secure experience among your owned devices, deploy applications, patches, policies, and controls.
- Microsoft 365 Secure Score Monitoring. We will monitor, manage, and implement Microsoft 365 Secure Score recommendations to improve your security posture.
- Microsoft 365 Best Practices. We will configure and manage the implementation of our Microsoft 365 best practices, with an aim to reduce complexity, increase security, and standardise your environment with our recommendations.
Client Obligations
For the Microsoft 365 component, clients and their staff are expected to:
- Adhere to Microsoft 365’s licensing terms and other terms of service.
- Participate in discovery and onboarding sessions we may run from time to time, to configure the Microsoft 365 environment to be suitable for your organisation.
- Implement policies and processes to support our security recommendations.
- Use company-owned devices, or devices enrolled in Microsoft 365 Intune, for work purposes only and not for personal use.
- Use personal devices for personal use only, not for work purposes.
- Obtain Microsoft 365 Business Premium licenses for each user, or a set of licenses that provides a similar feature set with our approval.
Service Limitations
The Microsoft 365 component service has the following limits:
- Service Enablement Cadence: You may request at any time, that we assist with any new feature implementation or improvement to an existing feature within your Microsoft 365 platform. The order, rate, and cadence with which we provide assistance, configuration, and improvements to Microsoft 365 features is at our discretion, acting in good faith.
- License Requirements: Certain features of Microsoft 365 require specific licenses to utilize these features. If you do not have a license that includes a feature inside of the Microsoft 365 environment for a user, we will not be able to enable that feature for that user, which will reduce your cybersecurity effectiveness.
Password Manager Component
Description
Our Password Manager component is designed to provide secure, zero-knowledge, end-to-end encrypted password storage and management for your organisation. This component includes:
- Password Management. We will provide and implement a password manager service, for you to securely store, use, and share passwords and other secrets or sensitive information.
- Single Sign-On. We will configure and enable Single Sign-On with your Microsoft 365 Environment, to facilitate a secure login process with your password manager.
- Password Manager Applications. We will provide apps for compatible devices for you to access your passwords and secrets and enable password autofill functionality, including multi-factor authentication autofill.
- Platform Management. We will manage the policies that apply to your password manager service, including password strength requirements, dark web monitoring, auditing, and alerts.
- Vault Transfer. To mitigate the risk of data loss due to loss of access, we may enable a feature called “Vault Transfer” that allows us to transfer all records from one user within the Password Manager, to another user within the same organisation. When this feature is enabled, staff will be notified that this feature is enabled when they log in for the first time.
Client Obligations
For the Password Manager component, clients and their staff are expected to:
- Participate in necessary onboarding sessions and training.
- Change passwords for services and websites that our reports indicate are compromised, weak, reused, or otherwise determined to be a risk.
- To facilitate regular audits, detection of risky passwords, and aid in employee offboarding, store all your passwords ONLY within the provided password manager.
Service Limitations
Our Password Manager service has the following limits:
- Zero-Knowledge Password Storage: Passwords and secrets belong to the user or staff member who created the record, even if the record is shared. Due to the nature of a Zero-Knowledge platform, if a user loses access to their account, the records they own within the platform cannot be recovered unless vault transfer is enabled.
- Limitations of Backups: As the platform is end-to-end encrypted with zero knowledge, no recovery is possible by us if access or data is lost by the Client. Backups of your data stored inside the password manager service are the client’s responsibility.
For the current binding version of this document, or any question in plain English, contact [email protected] or call (08) 9467 2269. Governed by the laws in force in Western Australia. The Australian Consumer Law applies to the extent mandatory.