Master Services Agreement

1. Introduction

This Master Services Agreement sets out the terms on which Superfast IT Limited ("Superfast IT") provides IT support, managed services, cyber security services and related technical services to the Client. It is intended to be a clear, modern agreement that protects both parties while reflecting the way Superfast IT actually delivers services, in line with guidance from the National Cyber Security Centre and the requirements of Cyber Essentials Plus and IASME Cyber Assurance.

By entering into an Order Form or Statement of Work, the Client agrees that this Agreement applies to all Services delivered by Superfast IT.

2. Definitions

Capitalised terms used in this Agreement have the meanings set out below.

Agreement means this Master Services Agreement together with any Order Form, SOW, Variation, the Client Assurance Pack and any Licence Agreements referenced herein.

Background IP means Superfast IT's tools, methodologies, templates, scripts, dashboards, documentation and other materials created outside the scope of, or independently of, the Services.

Bespoke IP means materials, code, scripts, automations, configurations and other works specifically created by Superfast IT for the Client under the Services.

Business Day means a day other than a Saturday, Sunday or public holiday in England.

Client means the organisation receiving the Services, as identified in the Order Form.

Client Assurance Pack means the documentation pack produced by Superfast IT that includes the Responsibility Matrix, Incident Response Plan and associated security documentation, as made available to the Client from time to time.

Confidential Information means all non-public information disclosed by one party to the other, whether labelled confidential or reasonably to be considered confidential because of its nature or the circumstances of disclosure.

Data Protection Legislation means the UK GDPR, the Data Protection Act 2018 and any other applicable data protection or privacy laws in force in the UK.

Deliverables means the specific outputs of Professional Services identified in an SOW.

Fees means the charges payable by the Client for the Services as set out in the relevant Order Form.

Force Majeure Event has the meaning given in clause 20.

Incident means any event that may compromise the confidentiality, integrity or availability of systems or data.

Initial Term means the period commencing on the start date stated in the Order Form and ending on the date specified, or, if no end date is specified, twelve (12) months from the start date.

Licence Agreements means the direct licence agreements between the Client and third party software vendors (including the Microsoft CSP customer agreement) required to deliver the Services.

Order Form (also a Statement of Work or SOW) means a document signed or otherwise accepted by the Client that sets out the commercial particulars of the Services to be delivered.

Renewal Term means a period equal to the Initial Term, commencing the day after the Initial Term or any previous Renewal Term ends.

Services means the IT support, managed services, cyber security services and other services described in the applicable Order Form.

Service Levels means the response and resolution targets set out in the relevant SOW.

Sub-processor means a third party engaged by Superfast IT to process personal data on behalf of the Client.

Support Hours means 8.00am to 5.00pm UK time on Business Days, unless otherwise specified in the SOW.

Variation means a written amendment to this Agreement, signed by an authorised representative of each party.

The terms controller, processor, personal data, personal data breach and processing have the meanings given in the Data Protection Legislation.

3. Order Form Scope and Order of Precedence

3.1 An Order Form records the commercial particulars of the Services and may set, vary or supplement only the following matters:

  • the identity of the Client and the locations where Services are provided;

  • the description and scope of the Services, Deliverables and any goods to be supplied;

  • the Fees, rates, payment intervals, payment method and any overtime rates;

  • the start date, the Initial Term and any Renewal Term;

  • the Service Levels and any service credits;

  • any acceptance criteria and acceptance period for Deliverables;

  • the categories of personal data, the scope, nature, duration and purpose of processing, and any approved Sub-processors;

  • any Licence Agreements applicable to the Services; and

  • any other matter expressly stated in this Agreement as capable of being set in the Order Form.

3.2 Any term in an Order Form that purports to vary, qualify, exclude or limit any other provision of this Agreement on a matter not listed in clause 3.1 has no effect unless it is also recorded in a Variation signed by an authorised representative of each party.

3.3 If there is any conflict between the documents that make up this Agreement, the following order of precedence applies (in decreasing order):

  1. any Variation;

  2. the Order Form, but only to the extent it deals with a matter listed in clause 3.1;

  3. the main body of this Agreement;

  4. the Client Assurance Pack;

  5. any Licence Agreements applicable to the Services.

4. Provision of Services

4.1 Superfast IT will deliver the Services described in each Order Form with reasonable skill and care and in accordance with good industry practice for managed service providers.

4.2 Superfast IT will perform the Services in line with applicable industry standards, including NCSC guidance, and will maintain its certifications under Cyber Essentials Plus and IASME Cyber Assurance throughout the term of this Agreement.

4.3 Services not expressly listed in an Order Form are out of scope. They may be provided only under a Change Order (clause 12) or a new Order Form, and may incur additional charges.

4.4 Superfast IT may modify the systems, tools or methods used to deliver the Services, provided this has no material adverse effect on the Services. If a change is likely to have such an effect, Superfast IT will notify the Client and follow the Change Order process.

5. Responsibilities

5.1 The Responsibility Matrix contained within the Client Assurance Pack forms part of this Agreement and sets out the allocation of responsibility between Superfast IT and the Client.

5.2 Superfast IT is responsible for the items allocated to it in the Responsibility Matrix and for delivering the Services using appropriate tools, processes and security controls.

5.3 The Client is responsible for the items allocated to it in the Responsibility Matrix, including:

  • maintaining accurate joiner, mover and leaver processes;

  • enforcing its internal staff and security policies;

  • securing all physical locations and equipment under its control;

  • reporting suspected security issues to Superfast IT immediately;

  • ensuring critical data is stored within systems covered by backups as set out in the relevant SOW; and

  • providing Superfast IT with the access, information, cooperation and resources reasonably required to deliver the Services.

5.4 Superfast IT is not responsible for failures or security incidents arising from unmanaged systems, unsupported devices, configurations outside its control, or non-compliant Client behaviour.

5.5 Unless expressly included in an SOW, Superfast IT has no responsibility for unsupported legacy systems, specialist applications or third party vendors.

5.6 The Client warrants that it has the authority to grant Superfast IT the rights and access required to deliver the Services and that doing so will not infringe the rights of any third party.

6. Security Standards and Controls

6.1 The controls in this clause apply to the internal systems, management platforms and administrative accounts operated by Superfast IT. Equivalent or related controls are applied to Client environments only where those services are included in the applicable SOW.

6.2 Superfast IT will maintain appropriate administrative, technical and organisational security measures to protect its own infrastructure and any systems used to deliver the Services. These measures include:

  • multi-factor authentication for all administrative accounts;

  • separation of administrative and standard user accounts;

  • patch and vulnerability management;

  • secure configuration baselines for systems within Superfast IT's administrative environment;

  • continuous monitoring and alerting;

  • logging of administrative activity;

  • protection against malware; and

  • backup and recovery testing for Superfast IT systems that support the Services.

6.3 Superfast IT may update its internal controls to reflect changes in technology, the threat landscape or regulatory expectations, provided that any change does not materially reduce the protection of Client data or systems.

6.4 The Client agrees not to disable or interfere with any security controls used by Superfast IT to access or manage the Client environment.

6.5 On reasonable written request, and no more than once in any twelve-month period, Superfast IT will provide the Client with evidence of its current Cyber Essentials Plus and IASME Cyber Assurance certifications and a summary of its security posture.

7. Access and Authentication

7.1 The Client must maintain accurate user information, including joiners, movers and leavers, and notify Superfast IT promptly of any changes.

7.2 Administrative access by Superfast IT will be granted only where required to deliver the Services and will be logged.

7.3 The Client must ensure that credentials are not shared and are stored securely.

7.4 The Client agrees to enforce multi-factor authentication on its systems where supported by the platform and required by Superfast IT.

7.5 Superfast IT is not responsible for breaches caused by weak passwords, shared credentials or unmanaged authentication systems.

8. Service Levels

8.1 Service Levels and response targets are defined in the relevant SOW.

8.2 Superfast IT will make reasonable efforts to meet or exceed Service Level targets but is not liable for delays caused by third party failures, lack of Client access, Client misconfiguration or events outside its reasonable control.

8.3 Critical issues that affect business operations or security will be given priority.

8.4 Service Levels apply only to systems defined within the scope of the applicable SOW.

8.5 Save for the express remedies in this Agreement and the relevant SOW, the Service Levels state the Client's full remedy in respect of the performance and availability of the Services.

9. Acceptance of Deliverables

9.1 Where an SOW specifies Deliverables that are subject to acceptance testing, the SOW will set out the acceptance criteria and the acceptance period.

9.2 Where an SOW does not specify acceptance criteria or an acceptance period, the Deliverable is deemed accepted five (5) Business Days after delivery unless the Client has notified Superfast IT in writing within that period of any material non-conformity with the Deliverable description in the SOW.

9.3 If the Client notifies Superfast IT of a material non-conformity within the acceptance period and the non-conformity is attributable to Superfast IT (and is not the result of a Change Order or the Client's acts, omissions or inadequate testing), Superfast IT will carry out reasonable remedial work without additional charge.

9.4 Once accepted (whether expressly or by deemed acceptance) and on payment in accordance with clause 16, the Deliverable becomes the property of the Client, subject to clause 11.

10. Incident Response and Notification

10.1 Superfast IT will follow the Incident Response Plan contained within the Client Assurance Pack.

10.2 Superfast IT will notify the Client without undue delay if an Incident affecting the Client's systems or data is detected or reasonably suspected, and in any event within the timescales required by the Data Protection Legislation where personal data is involved.

10.3 The Client must report all suspected Incidents to Superfast IT immediately.

10.4 Superfast IT may apply emergency changes or temporarily disable systems to contain a threat. Where reasonably practicable, Superfast IT will notify the Client before doing so.

10.5 After an Incident, Superfast IT will provide a written incident report outlining actions taken, impact and recommended improvements.

10.6 The Client remains responsible for regulatory notifications (including notifications to the Information Commissioner and to affected data subjects) unless otherwise agreed in writing.

11. Intellectual Property

11.1 On creation by Superfast IT and on receipt by Superfast IT of payment in full of the Fees relating to that work, all intellectual property rights in Bespoke IP vest in the Client. Superfast IT assigns to the Client its present and future rights, title and interest in such Bespoke IP.

11.2 Superfast IT and its licensors retain all rights in Background IP. Superfast IT grants the Client a non-exclusive, royalty-free, worldwide, non-transferable licence to use the Background IP only to the extent required for the Client to receive the benefit of the Services.

11.3 If a third party claims that any Deliverable infringes its intellectual property rights, Superfast IT may at its expense modify the Deliverable to avoid the alleged infringement or procure a licence enabling the Client to continue using the Deliverable, in each case so as to preserve the substantive functionality.

11.4 Superfast IT has no liability for any infringement claim arising from:

  • the Client's use of a Deliverable in combination with anything not supplied or recommended by Superfast IT, where the combination gives rise to the claim; or

  • modifications to a Deliverable not authorised in writing by Superfast IT.

12. Change Orders

12.1 Either party may request a change to the Services by sending a written Change Order request to the other party setting out the change in sufficient detail.

12.2 Superfast IT will respond with a written estimate of the time required, any change to the Fees, and any other impact on the Services and this Agreement.

12.3 The Client must notify Superfast IT within five (5) Business Days of receiving the estimate whether it accepts or rejects the Change Order. Until accepted, both parties continue to perform under the existing Order Form.

12.4 Once both parties accept a Change Order in writing, it is incorporated into the relevant Order Form and this Agreement.

12.5 Superfast IT is entitled to charge for investigating and reporting on a Change Order requested by the Client at its then-current standard rates, unless otherwise agreed.

13. Data Protection

13.1 When processing personal data on behalf of the Client, Superfast IT acts as a processor and the Client acts as the controller.

13.2 Both parties will comply with the Data Protection Legislation. This clause is in addition to, and does not replace, the parties' obligations under that legislation.

13.3 The Client warrants that it has all necessary consents and notices in place to allow lawful transfer of personal data to Superfast IT for the purposes of this Agreement.

13.4 The Order Form will record, in respect of any personal data processed by Superfast IT, the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subject. Where the Order Form is silent on any of these particulars, Schedule 1 (Standard Processing Particulars) applies.

13.5 Superfast IT will:

  • process Client personal data only on the documented instructions of the Client, except where required to do otherwise by law;

  • implement appropriate technical and organisational measures to protect personal data, taking into account the state of the art, the costs of implementation, the nature of the processing and the risk to data subjects;

  • ensure personnel authorised to process personal data are bound by appropriate confidentiality obligations;

  • assist the Client, at the Client's cost, in responding to data subject requests and in meeting its obligations in relation to security, breach notifications, impact assessments and consultations with supervisory authorities;

  • notify the Client without undue delay on becoming aware of a personal data breach involving Client personal data;

  • on termination of the Services, delete or return Client personal data at the Client's written direction, except where required by law to retain it; and

  • maintain records sufficient to demonstrate compliance with this clause and allow audits by the Client or its designated auditor, on reasonable written notice and no more than once in any twelve-month period (except where required by a supervisory authority).

13.6 The Client gives general authorisation for Superfast IT to engage Sub-processors. The Sub-processors approved at the date of this Agreement are set out in the Order Form or notified in writing. Superfast IT will:

  • impose data protection obligations on each Sub-processor no less protective than those in this clause;

  • remain responsible for the acts and omissions of its Sub-processors as if they were its own; and

  • notify the Client of any intended addition or replacement of a Sub-processor with reasonable notice and a fair opportunity to object on data protection grounds.

13.7 If personal data is transferred outside the UK, Superfast IT will ensure such transfers are made in accordance with the Data Protection Legislation and that appropriate safeguards are in place.

14. Backups and Business Continuity

14.1 Backup services are provided only where included in the applicable SOW.

14.2 Where contracted, Superfast IT will monitor backup status and perform restore testing in line with the SOW.

14.3 The Client must ensure that important data is stored in locations included within the agreed backup scope.

14.4 Superfast IT will maintain a documented business continuity and disaster recovery plan for its own systems used to deliver the Services and will review it at least annually.

14.5 Superfast IT is not liable for data loss arising from data stored outside the agreed backup locations or for systems not included in the SOW.

15. Third Party Suppliers and Licences

15.1 Superfast IT may rely on third party software, cloud platforms or vendors to deliver the Services. Superfast IT is not responsible for the performance, availability or security of third party products outside its control.

15.2 The Client is responsible for licence costs unless the SOW states otherwise. The Client will enter into any direct Licence Agreements required by the relevant vendor.

15.3 Superfast IT may pass through to the Client, on thirty (30) days' written notice, any price increase imposed by a third party for licences or services consumed in delivering the Services to the Client.

15.4 Superfast IT will notify the Client if it becomes aware that a supplier presents a material operational or security risk.

16. Charges and Payment

16.1 The Client will pay the Fees set out in the Order Form.

16.2 Unless the Order Form states otherwise, Superfast IT will invoice recurring Fees monthly in advance and other Fees in arrears. Invoices are payable in full and in cleared funds, without set-off, within thirty (30) days of the invoice date.

16.3 The Client will reimburse Superfast IT for reasonable expenses set out in the Order Form. Any single expense item exceeding £500 requires the Client's prior written approval.

16.4 All Fees are exclusive of VAT, which the Client will pay at the prevailing rate on receipt of a valid VAT invoice.

16.5 Superfast IT may charge interest on overdue undisputed Fees at 4% per annum above the Bank of England base rate, accruing daily from the due date until payment. This is in addition to, and does not displace, the Client's rights under the Late Payment of Commercial Debts (Interest) Act 1998.

16.6 If undisputed Fees remain unpaid more than thirty (30) days after the due date, Superfast IT may suspend Services without prejudice to its other rights.

16.7 Superfast IT may increase the Fees once in any twelve-month period, with at least thirty (30) days' written notice, by:

  • the percentage change in the Retail Prices Index over the preceding twelve months; or

  • such other percentage as Superfast IT reasonably determines to reflect its costs, provided that if the proposed increase exceeds the Retail Prices Index plus 3%, the Client may terminate the affected Services on thirty (30) days' written notice before the increase takes effect.

16.8 The Client may not dispute any invoice paid more than three (3) months earlier.

17. Warranties

17.1 Each party warrants that it has the capacity and authority to enter into this Agreement.

17.2 Superfast IT warrants that it will perform the Services with reasonable skill and care, in accordance with good industry practice for managed service providers, and that the Services will not knowingly infringe the intellectual property rights of any third party.

17.3 The Client warrants that any materials, software or hardware it provides to Superfast IT will not infringe the rights of any third party.

17.4 Except as expressly set out in this Agreement, all warranties, conditions and other terms implied by statute or common law are excluded to the fullest extent permitted by law.

18. Insurance

18.1 Superfast IT will maintain the following insurance cover at all times during this Agreement:

  • professional indemnity insurance of at least £1,000,000 in the aggregate;

  • public and products liability insurance of at least £2,000,000 each and every claim;

  • cyber and data insurance of at least £1,000,000 in the aggregate; and

  • employers' liability insurance of at least £10,000,000 each and every claim.

18.2 Superfast IT will provide evidence of cover on the Client's reasonable written request.

19. Liability

19.1 Nothing in this Agreement limits or excludes either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, breach of clause 24 (Anti-Bribery), or any liability which cannot lawfully be limited or excluded.

19.2 Neither party is liable to the other for:

  • loss of profits;

  • loss of business or business opportunity;

  • loss of anticipated savings;

  • loss of goodwill or reputation;

  • loss or corruption of data, other than where Superfast IT has expressly agreed to provide backup or recovery services for the data in question; or

  • indirect or consequential loss of any kind.

19.3 Superfast IT's total aggregate liability under or in connection with this Agreement in any twelve-month period is limited to 125% of the Fees paid or payable for the Services in the twelve months immediately before the event giving rise to the claim.

19.4 Superfast IT's aggregate liability for breach of clause 13 (Data Protection) or the Data Protection Legislation is limited to £500,000, which counts towards the cap in clause 19.3.

19.5 Superfast IT is not liable for any failure to provide the Services to the extent caused by:

  • the Client's breach of this Agreement;

  • the Client's act or omission, or that of its agents or contractors;

  • failures in systems, software or equipment for which Superfast IT is not responsible;

  • the Client's failure to provide information, cooperation or instructions reasonably required; or

  • a Force Majeure Event.

20. Force Majeure

20.1 Neither party is liable for any failure or delay in performing its obligations to the extent caused by a Force Majeure Event, being any event beyond a party's reasonable control including acts of God, war, riot, civil commotion, pandemic, computer viruses or malware, fire, flood, storm, strikes or industrial disputes (excluding those involving the affected party's own workforce), or compliance with any law or government order.

20.2 The affected party must notify the other promptly of the event and its expected duration and use reasonable endeavours to mitigate its effects.

20.3 If a Force Majeure Event continues for more than four (4) consecutive weeks, the unaffected party may terminate this Agreement or the affected Order Form on fourteen (14) days' written notice.

21. Term and Termination

21.1 This Agreement starts on the date it is signed or the date of the first Order Form, whichever is earlier, and continues until terminated.

21.2 Each Order Form has its own Initial Term as set out in the Order Form. On expiry of the Initial Term, each Order Form automatically renews for successive Renewal Terms unless either party gives at least thirty (30) days' written notice of non-renewal before the end of the then-current term.

21.3 Either party may terminate this Agreement or any Order Form by written notice with immediate effect if the other party:

  • commits a material breach which (if capable of remedy) is not remedied within thirty (30) days of written notice;

  • fails to pay any undisputed sum within fourteen (14) days of written notice requiring payment;

  • becomes insolvent, suspends payment of its debts, or is the subject of a winding-up petition, administration, receivership or similar process; or

  • breaches clause 13 (Data Protection), clause 22 (Confidentiality) or clause 24 (Anti-Bribery).

21.4 Termination of an Order Form does not terminate this Agreement or any other Order Form unless expressly stated.

21.5 On termination:

  • Superfast IT will cease providing the affected Services;

  • the Client will pay all sums due up to the termination date and, where the Client terminates for convenience or where Superfast IT terminates for the Client's breach or insolvency, all remaining Fees up to the end of the then-current term of the affected Order Form together with any unavoidable third party charges Superfast IT incurs as a result of early termination;

  • Superfast IT will provide reasonable transition assistance at its standard time-and-materials rates for up to ninety (90) days; and

  • each party will return or destroy the other party's Confidential Information, except where required by law to retain it.

21.6 The following clauses survive termination: 11 (Intellectual Property), 13 (Data Protection), 19 (Liability), 21.5 (Effects of Termination), 22 (Confidentiality), 25 (Notices), 26 (Dispute Resolution) and 28 (Governing Law).

22. Confidentiality

22.1 Each party will keep the Confidential Information of the other in confidence, use it only for the purposes of this Agreement, and not disclose it to any third party without consent except as required by law or to its own staff, contractors and professional advisers who need to know and are bound by equivalent confidentiality obligations.

22.2 This clause does not apply to information that is in the public domain other than as a result of breach of this Agreement, was already known to the receiving party before disclosure, was lawfully obtained from a third party without restriction, or was independently developed without use of the Confidential Information.

22.3 The obligations in this clause survive termination of this Agreement for a period of five (5) years, except in respect of trade secrets, where the obligations are perpetual.

23. Non-Solicitation

23.1 Neither party will, during this Agreement and for nine (9) months after termination, solicit for employment or engagement any individual who has been materially involved in delivering or receiving the Services, without the other party's prior written consent.

23.2 If a party breaches clause 23.1, it will pay the other party liquidated damages equal to fifty percent (50%) of the individual's gross annual salary or fee income at the date of breach, which the parties agree is a reasonable pre-estimate of loss.

23.3 This clause does not restrict either party from running general public recruitment campaigns or from engaging individuals who respond to such campaigns without targeted approach.

24. Anti-Bribery

24.1 Each party will comply with all applicable anti-bribery and anti-corruption laws, including the Bribery Act 2010.

24.2 Each party will promptly notify the other of any request or demand for any undue financial or other advantage made in connection with this Agreement.

24.3 Each party is responsible for the conduct of its staff and contractors in relation to this clause.

25. Notices

25.1 Any notice under this Agreement must be in writing and sent to the recipient's registered office (if a company) or principal place of business, by hand, by pre-paid first-class post, or by email to an address designated by the recipient for the receipt of notices.

25.2 The designated email addresses are those set out in the Order Form or, in the absence of designation, the email addresses of the principal contacts named in the Order Form.

25.3 A notice is deemed received:

  • if delivered by hand, on signature of a delivery receipt;

  • if sent by post, at 9.00am on the second Business Day after posting; or

  • if sent by email, at the time of transmission, provided no bounce or non-delivery message is received within two (2) Business Days.

25.4 This clause does not apply to the service of court proceedings.

26. Dispute Resolution

26.1 If a dispute arises under this Agreement, the parties will first attempt to resolve it through their designated representatives within thirty (30) days of written notice of the dispute.

26.2 If unresolved, the parties will escalate the dispute to senior representatives with authority to settle, who will meet (in person or remotely) within a further fifteen (15) Business Days.

26.3 If the dispute remains unresolved thirty (30) days after escalation, either party may commence court proceedings or, if both parties agree in writing, refer the dispute to mediation under the CEDR Model Mediation Procedure.

26.4 Nothing in this clause prevents either party from seeking urgent interim relief from the courts at any time.

27. General

27.1 Assignment. Neither party may assign or transfer any of its rights or obligations under this Agreement without the other party's prior written consent (not to be unreasonably withheld or delayed), except that either party may assign to a successor in connection with a sale of all or substantially all of its business or assets, provided the assignee assumes the assigning party's obligations in writing.

27.2 Subcontracting. Superfast IT may subcontract the performance of any of its obligations but remains responsible for the performance of its subcontractors as if it were performing the obligations itself.

27.3 Variations. No variation of this Agreement is effective unless in writing and signed by an authorised representative of each party. The Order Form may set only the matters listed in clause 3.1.

27.4 Entire agreement. This Agreement, together with any Order Form, SOW, Variation and the Client Assurance Pack, constitutes the entire agreement between the parties and supersedes all previous discussions and representations. Each party acknowledges that it has not relied on any representation not set out in this Agreement.

27.5 Severance. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the remaining provisions continue in full force, and the parties will negotiate in good faith to replace the invalid provision with one that reflects the original commercial intent.

27.6 Waiver. A failure or delay in exercising any right under this Agreement is not a waiver of that or any other right.

27.7 No partnership. Nothing in this Agreement creates a partnership, joint venture or agency between the parties.

27.8 Third party rights. Save where expressly stated, a person who is not a party to this Agreement has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.

27.9 Marketing. With the prior written consent of the other party (not to be unreasonably withheld or delayed), each party may refer to the other as a customer or supplier in marketing materials, case studies and on its website.

28. Governing Law and Jurisdiction

This Agreement and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) is governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.

Schedule 1 — Standard Processing Particulars

This Schedule applies where the Order Form is silent on the Article 28(3) particulars referred to in clause 13.4.

Subject matter of processing: the provision of IT support, managed services and cyber security services to the Client.

Duration of processing: the term of the applicable Order Form, plus any agreed transition period and any retention period required by law.

Nature and purpose of processing: receipt, storage, transmission, access, modification and deletion of personal data as required to provide the Services, including diagnostic and support activities, account administration and security monitoring.

Types of personal data: name, work contact details, job title, employee identifier, log-in credentials, IT usage and audit logs, support ticket content, and any personal data otherwise contained in or processed through the systems being supported.

Categories of data subject: the Client's employees, contractors, agents and (where applicable) customers and end users whose data is held within the supported systems.