Threat Detection and Response Service End User Terms and Conditions

1. Introduction

1.1. These Terms and Conditions (“Contract”) govern the provision of Services by e2e-assure Limited (“Supplier”, “we”, “us”) to the customer (“Customer”, “you”) and may be updated from time to time.

2. Contract Structure

2.1. These Security Operation Services Terms and Conditions govern all relevant Service components detailed on any applicable Threat Detection & Response Services Order Form and encompass the relevant addendum terms for the Service components.

2.2. This Contract outlines the responsibilities of both the Supplier and the Customer regarding the onboarding, operation, and management of the Service.

3. Definitions

3.1. “Client” refers to the entity that is receiving the Service.

3.2. “Cumulo” refers to the software platform used by the e2e-assure Security Operations Centre staff to operate the Security Operations Service, as defined in the Services Definition Framework document.

3.3. “Microsoft Teams App” refers to the proprietary application provided by e2e-assure to the Client as an alternative software interface to receive and provide service updates to and from the e2e-assure Security Operations Centre staff.

3.4. “Service” refers to the Security Operations Service provided by e2e-assure, including but not limited to Alert Triage & Investigation, Threat Hunting, Onboarding & Tuning, and Service Validation & Improvement.

3.5. “Services Definition Framework” refers to the document which details how the services included as part of the e2e-assure Threat Detection & Response portfolio work, what they aim to achieve, what is included with the services procured and to what level of service the modules within the services will be measured against.

3.6. “Service Level Agreement” refers to the contractual commitments to specific levels of service against which delivery is measured, and for which financial penalties may be incurred if targets are not met.

3.7. “Service Specific Schedule” refers to the section of the Service Definition Framework document which contains the specific technical and operational parameters used to operate the Security Operations Service for the under contract.

3.8. “Threat Detection & Response Services Order Form” refers to the document used by the Client/Partner to specify contractual and quantification parameters of the services to be procured under and applicable annexes for the services selected.

4. Service Provision

4.1. e2e-assure will provide the Service to the Client in accordance with the agreed upon Service Level Agreements (SLAs) as detailed in the Services Definition Framework document.

4.2. Alert Triage & Investigation

4.3. e2e-assure will triage and investigate alerts generated by the Service and when deemed necessary will create a case for an incident. The response times for these activities will be in accordance with the defined SLAs.

4.4. Threat Hunting

4.5. e2e-assure will conduct regular threat hunting activities as part of the Service, at the frequency and level of detail stipulated in the Service Parameters of the applicable Service Specific Schedule.

4.6. Onboarding & Tuning

4.7. e2e-assure will assist the Client in the onboarding process and the tuning of the Service to the Client’s environment in accordance with the details and timescales provided in the Service Specific Schedule or, alternatively, as detailed in a project implementation plan where exceptions are required and/or multiple services are being delivered concurrently.

4.8. Service Validation & Improvement

4.9. e2e-assure will continuously validate and improve the Service to ensure its effectiveness and efficiency; this will be achieved through the review of service performance metrics and regular testing of technical threat detection effectiveness.

5. Client Responsibilities

5.1. The Client is responsible for adhering to the requirements described in the onboarding sections of the Services Definition Framework, including but not limited to:

5.1.1. Providing contact details for escalations and reporting.

5.1.2. Providing the required permissions to applications and data sources, as detailed in the specific technical requirements for each service, to enable e2e-assure to provide the Service.

5.1.3. Collaborating with e2e-assure operational teams to resolve security incidents and to implement remediation measures within the Client’s technical infrastructure when requested to do so for the purpose of containing an identified cyber threat.

5.2. The Client will adhere to security recommendations and guidance provided as part of the Service for the Service Level Agreements to remain valid.

6. e2e-assure Duties

6.1. Provide the services as described in the Service Definition Framework for the Service Components procured as selected and quantified in the Threat Detection & Response Services Order Form.

7. Data Governance and Privacy

7.1. The Parties acknowledge and agree that, in respect of any processing of personal data in connection with the Engagement, the Client is a Data Controller and e2e-assure is a Data Processor.

7.2. The types of data that e2e-assure might process from any log data, log source or data collected from a cloud service may include, but are not limited to, usernames, IP addresses, email addresses and locations (“Customer Personal Data”).

7.3. e2e-assure shall process Customer Personal Data only to the extent necessary for the provision of Services and undertakes to duly observe all obligations under applicable Data Protection Legislation.

7.4. The provisions of this clause 5 shall apply whilst e2e-assure is providing Services and for such time as e2e-assure holds Customer Personal Data.

7.5. e2e-assure shall and shall procure that e2e-assure’s Staff comply with any notification requirements under the Applicable Data Protection Legislation and both Parties undertake to duly observe all their obligations under the Applicable Data Protection Legislation which arise in connection with this Contract.

7.6. To the extent that e2e-assure is Processing the Customer Personal Data e2e-assure shall:

7.6.1. ensure that it has in place appropriate technical and organisational measures to ensure the security of the Customer Personal Data and to guard against unauthorised or unlawful Processing of the Customer Personal Data and against accidental loss or destruction of, alteration or damage to, the Customer Personal Data;

7.6.2. provide the Customer with such information as the Customer may reasonably request to satisfy itself that e2e-assure is complying with its obligations under the Applicable Data Protection Legislation;

7.6.3. promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause (“Disclosure Incident”). The Parties shall cooperate to remedy such Disclosure Incident and to communicate to the public and to competent public authorities as may be required;

7.6.4. ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the Applicable Data Protection Legislation;

7.6.5. act as a data processor when processing Customer Personal Data and shall process Customer Personal Data only in accordance with written instructions from the Customer;

7.6.6. Process the Customer Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by law or any regulatory body;

7.6.7. take reasonable steps to ensure the reliability of any e2e-assure Staff who have access to Customer Personal Data;

7.6.8. ensure that all e2e-assure Staff, or any other staff required to access Customer Personal Data, are informed of the confidential nature of the service data and comply with the obligations set out in this Clause;

7.6.9. ensure that none of e2e-assure Staff transfer, publish, disclose or divulge Customer Personal Data to any third party unless necessary for the provision of the Services under this Contract and/or directed in writing to do so by the Customer; and

7.6.10. assist the data controller in relation to actual or potential breaches of customer data and any relevant impact assessments.

7.7. To the extent that e2e-assure Ltd is Processing the Customer Personal Data, e2e-assure shall:

7.7.1. respond to a complaint or request relating to the Customer’s obligations under the Applicable Data Protection Legislation;

7.7.2. provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Customer Personal Data, including any complaint or request relating to the Customer’s obligations under the Applicable Data Protection Legislation by:

7.7.3. comply with a data access request within the relevant timescales set out in the Applicable Data Protection Legislation and in accordance with the Customer’s instructions;

7.7.4. provide the Customer with any Customer Personal Data it holds in relation to a Data Subject request.

7.8. e2e-assure shall:

7.8.1. permit the Customer or the Customer’s representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit e2e-assure’s data Processing activities (and/or those of its sub-processors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties), and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that e2e-assure is in full compliance with its obligations under this Contract;

7.8.2. obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the Services and any Sub-Processor shall be subject to all of the Data Protection terms in this contract;

7.8.3. not cause or permit to be processed, stored, accessed or otherwise transferred outside the UK or the European Economic Area any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.

7.9. The Customer shall implement and maintain appropriate security measures to protect data accessed or processed as part of the Service.

7.10. e2e-assure shall process the data for the term of this Contract and, unless requested otherwise by the Customer, upon termination of the Contract shall securely delete the data.

8. Term and Termination

8.1. This Contract shall commence on the Effective Date. Upon termination, the Customer must cease using the Service and any associated materials provided by the Supplier.

9. Licensing

9.1. Cumulo Portal

9.1.1. e2e-assure grants to the End User during the Term a non-exclusive, royalty free, licence to access and use the Cumulo Portal solely to the extent necessary to receive the Services.

9.1.2. Ownership of all Intellectual Property Rights in the Cumulo Portal remains with e2e-assure and nothing in this Contract will operate to transfer to the End User or to grant to the End User any other licence or right to use the Cumulo Portal.

9.1.3. e2e-assure may at its absolute discretion suspend the End User’s access to the Cumulo Portal at any time if the End User uses the Cumulo Portal in breach of the Contract.

9.1.4. The End User shall ensure that its access credentials for the Cumulo Portal are stored securely, are only used by authorised employees and are not shared with any other person. The End User shall take all reasonable steps to prevent any unauthorised access to the Cumulo Portal and will immediately notify e2e-assure if it becomes aware of any such access.

9.2. e2e-assure Microsoft Teams App

9.2.1. e2e-assure grants to the End User during the Term a non-exclusive, royalty free, licence to access and use the e2e-assure Microsoft Teams App solely to the extent necessary to receive the Services.

9.2.2. Ownership of all Intellectual Property Rights for the e2e-assure Microsoft Teams App remains with e2e-assure and nothing in the contract will operate to transfer to the End User or to grant to the End User any other licence or right to use the e2e-assure Microsoft Teams App.

9.2.3. e2e-assure may at its absolute discretion suspend data updates into the e2e-assure Microsoft Teams App at any time if the End User uses it in a manner which is in breach of this Contract.

10. Limitations of use

10.1. The End User shall not do, and shall not permit to be done, any of the following:

10.2. Copying any elements of the service (design or software) to develop, sell, manufacture, or design other services or software;

10.3. Using the services to facilitate malicious or illegal activity, such as hacking;

10.4. Reverse engineering.

11. Acceptable Use Policy

11.1. The Acceptable Use Policy in this Clause sets out a non-exhaustive list of prohibited access to and/or use of the Services. By accessing and/or using the Service, the Customer agrees to comply with the terms of this Acceptable Use Policy.

11.2. The Customer is responsible for breaches of this Acceptable Use Policy by it and any third party who accesses and/or uses the Services (where such third party is acting on behalf of the Customer or where such third party access and/or use is as a result of a Customer omission or default).

11.3. The Customer, and third Parties acting on behalf of the Customer, shall not:

11.3.1. access and/or use or encourage, promote, facilitate or instruct others to access and/or use the Services for any illegal, harmful or offensive use, or to transmit, store, display, distribute or otherwise make available Content (including any links to any Content) that is illegal or harmful or in each case which the Supplier in its reasonable opinion believes is so.

11.3.2. access and/or use, or encourage, promote, facilitate or instruct others to access and/or use the Services in a manner that would compromise or harm the security or integrity of any information technology service or system (including any network, computer, Device, communication system or software application);

11.3.3. make network connections, or encourage, promote, facilitate or instruct others to make network connections, to any users, hosts or networks without the prior written permission of such user, host or network;

11.3.4. access and/or use the Cloud Elements, the Customer Account or the Customer Content for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes, nor shall the Customer or any End User provide information to third parties that could assist in such monitoring or benchmarking;

11.3.5. use any shared system provided by the Supplier or any Supplier Staff in a way that unnecessarily interferes with the normal operation of the shared system, or that consumes a disproportionate share of the resources of the shared system as may be set out in the relevant Services Description or an Order Form. Where this is not set out in the relevant Services Description or the Order Form, what constitutes an interference with the normal operation of a shared system or what constitutes consumption of a disproportionate share of the resources of the shared system shall be determined in accordance with market practice.

11.4. The Customer agrees that the Supplier may quarantine or delete any Customer Content (or any part thereof) stored on a shared system if the content (or any part thereof) is infected with a virus, or is otherwise corrupted, and has the potential to infect or corrupt the shared system or other Content that is stored on the shared system. In the case of deletion, the Supplier agrees that it must obtain the prior written consent of the Customer before deleting any Customer Content.

11.5. The Supplier reserves the right (but is not obliged) to investigate any breach of this Acceptable Use Policy or any inappropriate access and/or use of the Services, as a consequence of which the Supplier may:

11.5.1. block or disable the Customer’s or any End User’s access and/or use of the Services; or

11.5.2. modify any content used by the Customer that is in breach of this Acceptable Use Policy or this Contract;

11.5.3. investigate and/or report any illegal, harmful or offensive Content, activity, access and/or use to the appropriate authorities or third parties; or

11.5.4. cooperate with the appropriate authorities and/or third parties in relation to any investigation and provide them with such information as they may require for the purposes of their investigations, without notifying the Customer or any End User.

11.6. If the Customer becomes aware of any actual or likely breach of this Acceptable Use Policy the Customer shall notify the Supplier immediately and provide the Supplier with all information relating to any such actual or likely breach and assist the Supplier, as reasonably requested, to stop or remedy such breach. To report any breach of this Acceptable Use Policy, please contact: support@e2e-assure.com

11.7. The Supplier is under no duty, and does not by this Acceptable Use Policy undertake a duty, to monitor or police the Customer’s activities or content. The Supplier has no obligation to any third party who has not entered into an agreement with the Supplier for the Services, other than as required by law.

12. Limitation of Liability

12.1. The Supplier’s liability under this Contract shall be limited to the amount paid by the Customer for the Service. In no event shall the Supplier be liable for any indirect, special, or consequential damages arising out of or in connection with the use of the Service.

13. General

13.1. If e2e-assure’s performance of any of its obligations in relation to its Services is prevented or delayed by any act or omission by the End User for any reason other than one caused by e2e-assure (“Default”), then, without limiting or affecting any other right or remedy available to it, e2e-assure shall have the right to suspend delivery of the Services or End User access to the Services until the Default is remedied by the End User. e2e-assure shall not be liable for any costs or losses sustained or incurred by the End User arising directly or indirectly from any Default.

13.2. This Contract constitutes the entire agreement between the parties regarding its subject matter. Any amendments to this Contract must be in writing and signed by both parties.

14. Jurisdiction

14.1. This Contract and/or any non-contractual obligations or matters arising out of or in connection with it, shall be governed by and construed in accordance with the laws of England and Wales and each Party agrees to submit to the exclusive jurisdiction of the courts of England and Wales.

Addendum Terms & Conditions for Modern Workplace Protection

1. Introduction

1.1. The Service is designed to detect and contain suspicious activity within the Customer’s cloud accounts, specifically focusing on Microsoft M365 accounts, AWS IAM accounts, and Google Workspace accounts.

2. Service Overview

2.1. The Service includes, but is not limited to, the following key features:

2.1.1. Threat detection and containment of suspicious activity on specified cloud accounts.

2.1.2. Triage and response to critical and high-priority incidents.

2.1.3. Attack disruption and active response actions for high and critical alerts.

2.1.4. Security posture improvement recommendations.

3. Supplier Responsibilities

3.1. The Supplier agrees to:

3.1.1. Obtain necessary permissions to access the Customer’s Azure Active Directory and Graph API for Microsoft M365 accounts, and equivalent permissions for AWS IAM and Google Workspace accounts.

3.1.2. Onboard the specified number of user accounts into the Service as outlined in the Customer’s order form and Statement of Work (SOW).

3.1.3. Meet the service level targets for Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) as published in the Services Definition Framework document.

3.1.4. Provide security posture improvement recommendations via posture dashboards or service reports.

4. Customer Responsibilities

4.1. The Customer agrees to:

4.1.1. Grant the Supplier appropriate permissions to access required data and systems for service provision.

4.1.2. Download, install, and manage the SOC Channel for Microsoft Teams app within their internal M365 environment, as made available by the Supplier.

4.1.3. Act on the security posture improvement recommendations provided by the Supplier. Failure to act on these recommendations may result in invalidating the service level targets.

4.1.4. Explicitly request in writing if attack disruption and active response actions for high and critical alerts are to be excluded from the Service.

5. Service Level Agreement (SLA)

5.1. The Supplier commits to adhering to the service level targets for MTTD and MTTR as detailed in the Services Definition Framework document. The Supplier shall not be held responsible for failure to meet these targets due to the Customer’s failure to comply with their responsibilities under this Contract.

Addendum Terms & Conditions for Endpoint Detection & Response

1. Introduction

1.1. This Service is designed to detect and contain suspicious activity on the Customer’s end-user computing devices.

2. Service Overview

2.1. The Service encompasses:

2.1.1. Threat detection and containment of suspicious activity on the Customer’s end-user computing devices.

2.1.2. Support for various vendors including Microsoft Defender XDR, SentinelOne Singularity, Palo Alto Cortex XDR, and others as agreed in the Statement Of Work (SOW).

2.1.3. Triage and response to critical and high-priority incidents.

2.1.4. Attack disruption and active response actions.

2.1.5. Security posture improvement recommendations.

3. Supplier Responsibilities

3.1. The Supplier agrees to:

3.1.1. Onboard the specified number of user computing devices into the Service as outlined in the order form and SOW.

3.1.2. Notify the Customer of any onboarded endpoint agents that become inactive.

3.1.3. Meet the service level targets for Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) as published in the Services Definition Framework document.

3.1.4. Provide security posture improvement recommendations via posture dashboards or service reports.

4. Customer Responsibilities

4.1. The Customer agrees to:

4.1.1. Ensure they have procured the appropriate quantity and feature level of licensing for supported vendors to enable Attack Disruption and Threat Hunting activities.

4.1.2. Grant the Supplier appropriate permissions to the endpoint/XDR management platform for bi-directional information flow.

4.1.3. Be responsible for the deployment and management of the endpoint agent software on their end-user computing devices.

4.1.4. Download, install, and manage the Microsoft Teams SOC app within their internal M365 environment, as made available by the Supplier.

4.1.5. Act on the security posture improvement recommendations provided by the Supplier. Failure to do so may invalidate the service level targets.

5. Service Level Agreement (SLA)

5.1. The Supplier commits to adhering to the service level targets for MTTD and MTTR as detailed in the Services Definition Framework document. The Supplier shall not be held responsible for failure to meet these targets due to the Customer’s failure to comply with their responsibilities under this Contract.

Addendum Terms & Conditions for Cloud Threat Detection

1. Introduction

1.1. This Service aims to detect and contain suspicious activity on the Customer’s critical cloud assets as defined in the Services Definition Framework document.

2. Service Overview

2.1. The Service includes:

2.1.1. Detection and containment of suspicious activity on the Customer’s critical cloud assets.

2.1.2. Cloud Workload Protection (CWP).

2.1.3. Cloud Security Posture Management (CSPM).

3. Supplier Responsibilities

3.1. The Supplier agrees to:

3.1.1. Provide detection and containment services for suspicious activities identified within the Customer’s critical cloud assets.

3.1.2. Offer recommendations and guidance for Cloud Security Posture Management (CSPM) to assist the Customer in maintaining their security posture.

4. Customer Responsibilities

4.1. The Customer agrees to:

4.1.1. Grant the Supplier access to the APIs and log data of the cloud platforms necessary for the provision of the Service.

4.1.2. Where Microsoft Defender for Cloud is deployed for agent-based monitoring, procure and deploy appropriate licenses to activate the full service features.

4.1.3. Follow the recommendations and guidance provided for Cloud Security Posture Management (CSPM) to maintain security at the required level. Failure to follow these recommendations may invalidate the service level targets of the offering.

5. Service Level Agreement (SLA)

5.1. The Supplier commits to adhering to the service level targets as detailed in the Services Definition Framework document. The Supplier shall not be held responsible for failure to meet these targets due to the Customer’s failure to comply with their responsibilities under this Contract.

Addendum Terms & Conditions for Security Log Analytics

1. Introduction

1.1. This Service involves the configuration of log sources within the Customer’s infrastructure and their ingestion into the Supplier’s SOC platform or Microsoft Sentinel.

2. Service Overview

2.1. The Service includes:

2.1.1. Configuration and ingestion of log sources from the Customer’s infrastructure.

2.1.2. Option to deploy log collectors, provided by the Supplier, within the Customer’s infrastructure.

2.1.3. Optional Microsoft Sentinel management operations, requiring specific access permissions.

3. Supplier Responsibilities

3.1. The Supplier agrees to:

3.1.1. Provide the necessary tools and support for the configuration of log sources for ingestion into the SOC platform or Microsoft Sentinel.

3.1.2. Offer log collectors in the form of virtual machines or physical appliances, as agreed in the Statement Of Work (SOW).

3.1.3. Manage Microsoft Sentinel operations, if selected as an option by the Customer, including the deployment of bespoke threat content developed by the Supplier.

4. Customer Responsibilities

4.1. The Customer agrees to:

4.1.1. Install and configure log collectors provided by the Supplier in the appropriate infrastructure location and ensure communication back to the SOC platform is maintained.

4.1.2. Grant the Supplier appropriate access permissions for managing Microsoft Sentinel operations, if this option is selected.

4.1.3. Acknowledge the Supplier’s intellectual property rights in bespoke threat content provided as part of the Service.

4.1.4. Ensure that the installation and operation of log collectors and any configurations done for log ingestion do not infringe upon any third-party rights or violate any applicable laws.

5. Service Level Agreement (SLA)

5.1. The Supplier commits to adhering to the service level targets as may be agreed upon in the SOW or Services Definition Framework document. The Supplier’s ability to meet these targets is contingent upon the Customer fulfilling their responsibilities under this Contract.

6. Intellectual Property

6.1. The intellectual property rights in any bespoke threat content developed by the Supplier for use in the Service, including within Microsoft Sentinel operations, remain the property of the Supplier. The Customer is granted a non-exclusive, non-transferable license to use such content solely as part of the Service.

Addendum Terms & Conditions for Network Detection & Response

1. Introduction

1.1. This Service involves the deployment of a physical appliance within the Customer’s network infrastructure to detect and respond to network threats.

2. Service Overview

2.1. The Service includes:

2.1.1. Deployment of a pre-configured physical appliance into the Customer’s network infrastructure.

2.1.2. Integration with the Customer’s Microsoft Sentinel tenant for the direct sending of security alerts.

2.1.3. Use of a Supplier-developed data connector for Network Detection & Response (NDR).

3. Supplier Responsibilities

3.1. The Supplier agrees to:

3.1.1. Ship the pre-configured physical appliance to the Customer for installation in their network infrastructure as specified in the Statement Of Work (SOW).

3.1.2. Provide guidance and supporting documentation for the installation and configuration of the Supplier-developed data connector for NDR.

3.1.3. Assist with testing of the physical appliance and data connector installation within the agreed time period in the service onboarding plan.

4. Customer Responsibilities

4.1. The Customer agrees to:

4.1.1. Install the physical appliance in their network infrastructure at the location specified in the SOW.

4.1.2. Assist with the testing of the physical appliance within the agreed time period in the service onboarding plan.

4.1.3. Install and configure the Supplier-developed data connector for NDR in their Microsoft Sentinel tenant and log analytics workspace, following the guidance and documentation provided by the Supplier.

5. Service Level Agreement (SLA)

5.1. The Supplier commits to adhering to the service level targets as may be detailed in the SOW or Services Definition Framework document. The Supplier’s ability to meet these targets is contingent upon the Customer fulfilling their responsibilities under this Contract.

6. Intellectual Property

6.1. Any software, firmware, or other intellectual property provided as part of the Service remains the property of the Supplier. The Customer is granted a non-exclusive, non-transferable license to use such intellectual property solely in connection with the Service.