CIS Managed Detection and Response (MDR) via Sophos Terms and Conditions

The following terms and conditions (“TCS”) apply to CIS Managed Detection and Response Services (MDR)™ services provided by Center for Internet Security, Inc. (CIS®) to Customer (“Entity”) as defined in this Agreement (CIS and Entity each a “Party”, and collectively referred to as the “Parties”).

I.     Purpose

This Agreement describes the CIS MDR™ service offerings and sets forth the mutual understanding of the Parties concerning CIS’s provision of CIS MDR to the U.S. State, Local, Tribal, or Territorial (SLTT) government Entity.

II.     Definitions

Capitalized terms used in this Agreement and not otherwise defined shall have the following meanings:

Add-on Services. Additional services that supplement CIS MDR, which CIS may offer from time to time. Entity may purchase one or more Add-on Services for an additional fee, either beginning on the Effective Date or later in the Term.

CIS Managed Detection and Response (MDR) or CIS MDR. CIS MDR is a managed and monitored service offered by CIS for strengthening an organization’s cybersecurity program. Unless otherwise specified, references to CIS MDR include any Add-on Services purchased by Entity under this Agreement.

Documentation. CIS’s technical specifications, online content, user manuals, or similar materials pertaining to the implementation, operation, access, and use of CIS MDR services, which CIS provides to the Entity and may be revised by CIS from time to time.

Entity Data. Data, content, or communications in any format that are provided or made accessible through CIS’s provision of CIS MDR to Entity, including data generated by Entity’s Managed Endpoints.

Error. A reproducible failure of CIS MDR to perform in substantial conformity with the Documentation.

Managed Endpoint. Any of Entity’s computers, servers, laptops, or desktop computers, as to which CIS has agreed to provide CIS MDR under this Agreement. 

Order. A document CIS issues to the Entity listing key elements of a transaction contemplated under this Agreement, including: the parties, the number of Managed Endpoints to be serviced, price, and corresponding dates of service.

Provider. Third party company Sophos Limited whose software, Sophos Intercept X, will be deployed to Entity’s Managed Endpoints as part of the CIS MDR services, under an agreement with CIS.

Security Operation Center or SOC. The 24 X 7 X 365 watch and warning center operated by CIS that provides cybersecurity infrastructure monitoring, dissemination of cyber threat warnings and vulnerability identification and mitigation recommendations.

III.    Scope of CIS MDR Services

A.    Description of CIS MDR

When deployed on the Entity’s Managed Endpoints, CIS MDR identifies, detects, responds to, and remediates security events. The service offers host-level protection and response services provided by the CIS SOC, and provides active defense against known (signature-based) and unknown (behavioral-based) malicious activity. CIS MDR includes the following core features and capabilities:

     1. Next Generation Antivirus (NGAV): A solution aimed at preventing cyber attacks that is deployed on Managed Endpoints and has the following capabilities:

• Detects malicious activity using signature-based and behavior-based threat detection methods with the capability to automate prevention (block attacks);
• Deny/allow indicators list management to include anomalous behavior-based indicators;
• Managed Endpoint and file quarantine functionality;
• Threat notification and alerts; and
• Web-based management interface with a cloud-based data administration component for enterprise deployment.

     2. Endpoint Detection & Response (EDR): Deployment and maintenance of an EDR software agent on Entity’s Managed Endpoints, which is intended to:

• Block malicious activity at a device level, if chosen by the Entity;
• Remotely isolate compromised systems after coordination with the Entity;
• Identify threats on premise, in the cloud, or on remote systems;
• Inspect network traffic in a decrypted state on the Managed Endpoint for the limited purpose of identifying malicious activity; and
• Identify and remediate malware infections.

     3. Advanced Capabilities:

• Application Allowlisting & Blocklisting: Provides both allowlisting and blocklisting by enabling Entity to define trusted applications while explicitly blocking known malicious or unwanted software.
• Advanced Ransomware Protection: Monitors file activity for unauthorized encryption to help detect both local and remote ransomware attacks; automatically halts malicious processes and restores affected files to their original state without relying on traditional signature-based methods.
• Data Loss Prevention: Helps prevent sensitive data from being leaked or exfiltrated by monitoring and controlling file transfers based on predefined content rules, blocking or alerting to unauthorized attempts to move confidential data via email, cloud apps, USB drives, and other channels.

4. Data Management: Centralized management of MDR data to allow system administration, event analysis and reporting by the CIS SOC. Additionally, Entity will be able to interact with its own ESS data through the management system.

CIS will provide the following services in addition to and in connection with the above core features and capabilities. The following are not applicable to any Add-on Services:

• Analysis of logs from monitored security devices for attacks and malicious traffic;
• Analysis of security events;
• Correlation of security data/logs/events with information from other sources;
• Notification of security events according to the Escalation Procedures provided by Entity in the PIQ; and
• 24/7 telephone availability (at: 1-866-787-4722) for assistance with events detected through the CIS MDR services.

B. Limitations and Restrictions

Entity acknowledges and agrees that it is required, as a condition to CIS’s provision of the CIS MDR services, to fulfill the obligations listed in Appendix A, which is attached hereto and incorporated herein. CIS provides CIS MDR to the Entity subject to the following limitations and restrictions, in addition to those described in Appendix A:

     1. CIS MDR may only be used by the Entity, for purposes of its own internal information security.

     2. CIS shall be responsible for providing CIS MDR services only with respect to those Managed Endpoints identified in the relevant Order(s).

     3. CIS MDR is not designed or intended to support the following uses:

• in or in association with safety critical applications where the failure of CIS MDR to perform can reasonably be expected to result in a physical injury, loss of property, or loss of life; or
• for the storage of industry-specific regulated data such as health care records or payment card information.

     4. From time to time, CIS and/or the Provider may perform scheduled maintenance to update the servers, software, and other technology that are used to provide CIS MDR, and will use commercially reasonable efforts to provide prior notice of such scheduled maintenance whenever possible. Entity acknowledges that in certain situations emergency maintenance may be required, causing a disruption in the CIS MDR services without prior notice.

C. Add-on Services

CIS may offer Add-on Services to supplement the CIS MDR services described above. If Entity purchases any Add-on Service, that purchase and Entity’s use of the Add-on Service shall be governed by this Agreement. Regardless of whether an Add-on Service is purchased on the Effective Date or a later date, the service term will run concurrently with the Term of this Agreement.

D. Additional Endpoints

During the Term, Entity may request to purchase CIS MDR for additional endpoints by submitting a written request to CIS. If Entity’s request is accepted, the service start date for the additional Managed Endpoints will be the date of the approved Order. Notwithstanding the fact that all of Entity’s Managed Endpoints will not, in this case, share the same service start date, all CIS MDR services supplied under all Orders will terminate together, at the end of the Term.

If Entity installs the CIS MDR software agent on additional endpoints beyond the total number permitted under the applicable Orders, CIS shall invoice Entity with respect to the additional endpoints, as of the date of installation. In this case, Entity agrees to pay all associated additional charges. Once payment is received, CIS will provide CIS MDR services to those additional Managed Endpoints, subject to all other terms and conditions of this Agreement.

IV. Agreement Term and Payment

A. Term

This Agreement begins on the date it is signed by both Parties (the “Effective Date”), and continues for the period specified in the accompanying Order (the “Initial Term”). The Agreement may be extended beyond the Initial Term by written agreement of the Parties (each a “Renewal Term” and, together with the Initial Term, the “Term”).

B. Payment

Entity shall pay CIS the full amount listed in all Orders under this Agreement promptly when due, and no payment shall be reduced by any taxes or fees to be collected by a taxing jurisdiction, financial institution or payment processor incidental to payment.

     1. Initial Purchase. In consideration for receipt of CIS MDR services during the Initial Term, Entity agrees to pay CIS the amount stated in the applicable Order, within thirty (30) days after the Effective Date. Payment shall be made according to the instructions in the Order. If Add-On Services are selected after the Effective Date, payment shall be made according to the instructions in the relevant Order.

     2. Renewal Term Pricing. Approximately sixty (60) days before expiration of the Initial Term and each Renewal Term, CIS will issue an Order listing pricing for the next Renewal Term. Payment associated with any Renewal Term shall be due on the first day of the Renewal Term.

     3. Late Payments. If Entity fails to make any undisputed payment when due then, in addition to all other remedies that may be available, CIS may charge interest on the past due amount at the rate of 2% per month calculated daily and compounded monthly, or the highest rate permitted under applicable law, if lower. CIS shall have the right, but not the obligation, to disable Entity’s access to CIS MDR until Entity’s account with CIS is current.

V. Warranty

CIS offers Entity the following warranty (the “Warranty”), as limited by the conditions and exclusions below: (i) CIS MDR will operate without Error, and consistent with the Documentation in all material respects; and (ii) industry standard techniques have been used to prevent CIS MDR, at the time of installation, from injecting malicious software viruses into the Managed Endpoints. Entity’s sole and exclusive remedy, and CIS’s entire liability, for any breach of the Warranty is for CIS, at CIS’s option, to: (a) use commercially reasonable efforts to provide a work-around or correct the Error; or (b) terminate this Agreement and Entity’s access to and use of CIS MDR, and refund Entity a prorated portion of any prepaid fee.

A. Warranty Conditions, Disclaimers and Exclusions

     1. The Warranty is non-transferable and confers no rights to any affiliated entity, successor in interest, assignee or other beneficiary.

The Warranty does not apply if: (i) the software or other offerings provided in connection with CIS MDR have been modified, except by CIS; (ii) the software or other offerings provided in connection with CIS MDR have not been installed, used, or maintained in accordance with this Agreement; (iii) the Entity or any third party has turned off or disabled any functionality of CIS MDR; or (iv) the claim relates to a systemic failure or error impacting users on a significant, large-scale basis.

The Warranty does not apply with respect to any period during which: (i) CIS MDR services have been suspended; (ii) routine or emergency maintenance is being performed by CIS or Provider; (iii) the services cannot be provided due to unforeseen circumstances or causes beyond CIS’s reasonable control, including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iv) the services cannot be provided because of a legal prohibition, including but not limited to, passing of a statute, decree, regulation, or legal order; or (v) Entity is in breach of the Agreement, including for non-payment.

B. Filing a Warranty Claim

To be valid, a claim under the Warranty (“Claim”) must be made consistent with Section IX, during the Term in which the Error occurred, and must be received by CIS within fifteen (15) business days of the event giving rise to the Claim. Claims must be approved in writing by CIS, and the Entity must cooperate with CIS in the investigation and resolution of the Claim.

VI. Limitations 

While CIS MDR implements commercially reasonable technologies and processes, Entity agrees and acknowledges that neither CIS nor Provider makes any guarantee that CIS MDR will detect, prevent, or mitigate all threats or events of compromise or unauthorized access to Entity’s systems. Entity shall not represent that CIS or Provider has provided such a guarantee or warranty.

EXCEPT FOR THE EXPRESS WARRANTY IN SECTION V, CIS GRANTS NO WARRANTY HEREUNDER, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, OR MERCHANTABILITY. IF ANY LIMIT GIVEN ABOVE IS OR BECOMES INVALID UNDER APPLICABLE LAW IN ANY TERRITORY WHERE CIS MDR IS PROVIDED, THE WARRANTY IN SECTION V SHALL BE NULL AND VOID.

VII. Confidentiality

CIS acknowledges that Entity may provide or make available information regarding the infrastructure and security of its information systems, assessments and plans that relate specifically and uniquely to the vulnerability of its information systems, sensitive or personal data, or specific vulnerabilities identified by CIS MDR (“Confidential Information”). Entity acknowledges that it may receive from CIS trade secrets and other sensitive or proprietary information (“Confidential Information”).

The Parties agree to hold each other’s Confidential Information in confidence, to the same extent and in the same manner as each Party protects its own confidential information, but in no event with less than reasonable care. No Party will release the other’s Confidential Information in any identifiable form without the written permission of the other Party, unless pursuant to a lawfully authorized subpoena or similar compulsive directive, or if required to be disclosed by law; provided that the disclosing Party shall make reasonable efforts to limit the scope and nature of any such required disclosure. CIS further agrees that any third party involved in the CIS MDR services shall be required to protect Entity’s Confidential Information as required under this Agreement. Notwithstanding the foregoing, CIS shall be permitted to disclose relevant aspects of Entity’s Confidential Information to its officers, employees, agents, the Provider, and to CIS’s cyber security partners, including any federal partners, provided that such partners have agreed to protect the Confidential Information to the same extent as required under this Agreement.  

VIII. Miscellaneous

A. Amendments

This Agreement may only be amended in a writing signed by both Parties.

B. No Third Party Rights

Nothing in this Agreement shall create or give to third parties any claim or right of action of any nature against the Provider or CIS.

C. Data Ownership

The Entity shall own all right, title and interest in the Entity Data. Entity hereby grants CIS a non-exclusive, royalty-free license to access and use Entity Data, and to share Entity Data to the extent reasonably necessary for CIS and Provider to provide the CIS MDR services and otherwise fulfill their obligations and exercise their rights with respect to the subject matter of this Agreement.

D. No Assignment

Neither Party may transfer or assign its rights or obligations under this Agreement without the other Party’s prior written consent.

IX. Notices

All notices permitted or required under this Agreement shall be in writing and shall be transmitted either by: (1) first class mail or expedited delivery service; or (2) email with acknowledgement of receipt. Such notices shall be addressed as follows, unless otherwise specifically provided:

CIS
Address: CIS Services
Center for Internet Security, Inc.
31 Tech Valley Drive
East Greenbush, NY 12061-4134
Telephone: (518) 880-0766
E-Mail: [email protected]
with cc to: [email protected]

The Parties may, from time to time, specify new or different contact information for the purpose of receiving notice under this Agreement by giving fifteen (15) days written notice to the other Party, sent in accordance herewith.

Contract version date : 06/15/25

Appendix A - Entity Responsibilities

CIS’s ability to provide the CIS MDRTM services described in the Agreement is dependent upon Entity completing certain tasks and fulfilling a number of continuing obligations. Entity acknowledges and agrees that CIS shall not be responsible for any failure to provide the CIS MDR services as described in this Agreement, or for any failure of the CIS MDR services to function as intended, if and to the extent that delivery of the services is compromised, or rendered impractical or impossible, due to Entity’s failure to timely and accurately fulfill its responsibilities described in the Agreement and/or below. At all times during the Term, Entity shall be solely responsible for the following:

1. Provide CIS with a completed PIQ, which is necessary to enable account setup and designation of authorized users. Complete any other actions required for onboarding.

2. Ensure the correct functioning and maintenance of the Managed Endpoints, and that each has access to a secure Internet channel for CIS MDR management and monitoring.

3. Promptly and correctly install the CIS MDR software agent on Managed Endpoints, using the instructions provided by CIS. Entity is responsible for choosing the installation mode that best suits its needs (either full or passive installation) and for enabling protection mode as appropriate, noting that this selection must be made as to each Managed Endpoint.

4. Employ the most currently supported version of its chosen operating system software for each Managed Endpoint.

5. Provide CIS the following up-to-date information: the name, email, phone numbers for all designated, authorized points of contact. Promptly correct or update this information as needed.

6. Provide written notification to the CIS Central Support team ([email protected]) at least thirty (30) days before: (i) replacing an existing Managed Endpoint with another device, and/or (ii) changes in operating systems for any Managed Endpoint that might affect CIS MDR services.

7. Provide written notification to the CIS Central Support team ([email protected]) at least twelve (12) hours in advance of any scheduled Internet outage affecting the Managed Endpoints.

8. Provide a completed Escalation Procedure Form in the PIQ including the name, email address and 24/7 contact information for all designated points of contact (POC). Revised information must be submitted to the CIS Central Support team ([email protected]) whenever there is a change in status for any POC.

9. Maintain current maintenance and technical support contracts with Entity’s software and hardware vendors for all Managed Endpoints.

10. Engage with CIS to resolve tickets requiring Entity input or action.

11. Use reasonable means to protect account information and credentials (including passwords and devices or information used for multi-factor authentication purposes) used by Entity to access and manage the CIS MDR service offerings.

12. Promptly notify CIS of unauthorized account use or other suspected security breaches, or unauthorized use, copying, or distribution of the CIS MDR service offerings.