Terms and Conditions
PROFESSIONAL SERVICES AGREEMENT
Purpose of Service Agreement
This Professional Service Agreement (PSA) confirms that Pragma Pte Ltd (“Company”) or its Company Group (together “Pragma” or “we”) will provide the services set out in the relevant quote (“Quote”) to the engaging party (“Client” or “you”). The PSA, together with its Exhibits and the Quotes, constitutes the entire agreement (“Agreement”) between Client and Pragma relating to the performance of the services.
For the purposes of this Agreement, Company Group shall mean Company’s direct or indirect subsidiaries or affiliates.
The terms 'Party' and 'Parties' shall refer to the parties of this Agreement individually or collectively, as applicable.
Where the Parties enter an additional contract (“Addendum”) subsequent to this Agreement, the Addendum shall be read in conjunction with this Agreement. In the case of any conflict between the terms of this Agreement and any Addendum, the terms of the Addendum shall control.
If any clause of this Agreement, or part of any clause, is found by a court of competent jurisdiction or other competent authority to be invalid, unlawful, or unenforceable, then the clause or part will be severed from the remainder of this contract, which will continue to be valid and enforceable to the fullest extent permitted by law.
No party may assign or deal with its rights under this Agreement without the other's prior written consent.
Provided we do not disclose your confidential information and we comply with our ethical obligations, you agree that we may perform services for other parties whose interests may conflict or compete with yours.
Scope of Work
The Scope of Work is outlined in the issued Quote.
Unless otherwise agreed in writing, any further work we may agree to carry out in connection with the Scope of Work will be carried out as part of this Agreement and will be subject to its terms.
Each Quote will define the required deliverables for an individual engagement.
Our Scope of Work will not constitute an audit, examination, or a review with generally accepted auditing standards or attestation standards, the objective of which is the expression of an opinion on the financial statements, or specified elements, accounts, or items of a company, or preventing or discovering fraud. Pragma’s procedures under an engagement are not designed to and unlikely to reveal fraud or misrepresentation by management or staff. Accordingly, we will provide no audit opinion, attestation, and no assurance that the period covered by our review is free of fraud (whether by management, staff, or by external parties), other irregularities or misrepresentation by management or any other persons.
You acknowledge that you will not rely on draft deliverables or oral advice issued by us as they may be subject to further work and revisions.
The passage of ten (10) working days from the date when a deliverable is provided to Client, by Pragma, without receipt or notice of non-acceptance, or use by Client of a deliverable, will constitute acceptance of the deliverable.
Assumptions & Client Responsibilities
Client confirms that the definition and scope of the services detailed in the relevant Quote is sufficient to address its needs.
The provision of our services is based on the following key assumptions:
- Access to key stakeholders will be organised by Client’s management.
- All technical documentation, policy, and procedures requested will be promptly made available to Pragma.
- Access to third parties who store, process, or support data on behalf of the Client will be the responsibility of the Client’s management to arrange.
- We will not make any management decisions.
If any of these assumptions prove to be materially unreliable, we reserve the right to vary the Quote and will seek to reach agreement with you to such variation, as soon as possible after identification and discussion on the issues arising.
Pragma will recognise and act on the instructions of only those individuals whose names appear on the Quote, or any list of contact names submitted by the Client in writing, as the person(s) authorised to accept, modify, or terminate the services or the Quote. Only those individuals identified to Pragma by the Client and whose photo identification is on file with Pragma may access the Client’s equipment or data located in Pragma facilities.
For purposes of identification, billing and marketing, the Client will provide Pragma from time to time with accurate, complete, and updated information including Client's legal name, address, telephone number(s), e-mail addresses, and applicable payment data. The Client will notify Pragma within thirty (30) days of any such changes to this information.
Fees and Expenses
For the services provided by Pragma pursuant to this Agreement, Pragma shall be compensated in accordance with the “Fees and Expenses” specified in each Quote.
If the actual time spent on the services is substantially more than expected at the time of signing the Quote, we will mutually agree with you a revised fee.
Expenses will include reimbursement for all reasonable and necessary travel, living, and out-of-pocket expenses incurred by Pragma in providing the services, when travel is required to provide the services. Pragma will obtain Client’s approval for billable travel prior to incurring any expense for such travel. We will also charge you for expenses such as subsistence, communication, and document handling costs (photocopying, printing, fax, and courier, etc) (“Expenses”).
Unless otherwise stated in the relevant Quote, all fees are net of any Expenses and any taxes, including turnover taxes, goods and services tax (GST), value added tax (VAT), any withholding tax (WHT), and any other relevant taxes that are due.
Where Pragma carries out work that the Client intends to fund, in whole or in part, through an insurance claim, grant, or any other third-party subsidy, the Client remains responsible to verify, to its own satisfaction, whether or not Pragma’s fees will be covered under any such claim, grant or by the third-party. Should it be deemed that Pragma’s fees are not covered by any such claim, grant or by the third-party, the Client remains liable to Pragma for its fees in full.
Client’s payment terms will be as specified in the relevant Quote and paid in full within thirty (30) days after the invoice date. Where Client processes payment in a currency different to the currency specified in the Quote, Pragma reserves the right to convert the payment to the agreed currency, as defined in the Quote, at the prevailing market rate and Client accepts liability to settle all associated costs and charges Pragma incurs in doing so.
Where Parties enter a fixed Fees engagement, Pragma may invoice the Client each month an amount equal to (1) the total Compensation agreed pursuant to each Quote divided by the number of months in the Agreement's term, plus (2) the total Expenses accrued during the previous month. If the engagement is concluded before the end of the estimated timeline, Pragma will invoice in full for the remaining Fees due upon the engagement being concluded.
Where Parties enter a time and materials-based contract, Pragma will invoice the Client monthly for all Fees and Expenses accrued during the preceding month.
All invoices will be due for payment upon receipt by you. Unless otherwise agreed in writing, the amount billed will be payable regardless of whether your project or transaction is completed, or whether our advice is acted upon.
Notice of any disputes regarding an invoice must be made by the Client in writing and received by Pragma within thirty (30) days from the invoice date. No claim may be made by the Client in respect of an invoice after such period.
In addition to any other remedy available to Pragma for late payments, all invoices outstanding its due date shall incur interest at the compounded rate of one point five percent (1.5%) per month, or part thereof, or the maximum allowed by law, whichever is less, calculated from the date such payment was due until the date paid. Client will be responsible for any costs, including attorney’s fees, incurred by Pragma in collecting any past due amounts under this Agreement.
Client may not withhold payment of any invoice based on any dispute other than on the basis of clear error on the face of the invoice, such as a calculation error. Payment by Client will not preclude Client from questioning any charges that Client believes are improper or incorrect, within fourteen (14) days after the invoice date. If Client disputes any charge on a given invoice, Client will pay all non-disputed charges and document the disputed charges in writing to Pragma. Client will notify Pragma in writing, no later than fourteen (14) days after the invoice date, of any questions or issues relating to items billed on an invoice or all fees and charges will stand.
In circumstances in which we are requested by Client to suspend the performance of the services, Pragma is entitled to be paid all fees and reasonable expenses due in respect of the services provided up to the date of suspension together with reasonable costs and expenses incurred in connection with the suspension of the services.
In the event of an early contract termination, where the engagement requires Pragma to incur any expenses in advance on behalf of Client, Client will be liable to pay Pragma all moneys due with respect to the expenses incurred by Pragma in preparation for the services to be provided to Client.
Where Pragma and Client enter a multiyear engagement, should the Client fail to engage Pragma for services detailed in the relevant Quote during the Contract Term or elect to terminate the contract before the end of the Contract Term, Client will be liable to pay Pragma an administration fee of fifteen percent (15%) of the total annual cost per year.
In the event Pragma offers a discount exclusively for a multiyear engagement, you agree to relinquish your right to the discount in the event of an early contract termination.
Client will be responsible for paying Pragma's fees in relation to the services provided. For the avoidance of doubt, notwithstanding the payment arrangement, we do not owe any duty of care to the service provider but will exercise reasonable skill and care and our work is performed in accordance with instructions of Client and is performed exclusively for Client’s sole benefit and use.
Limit on Warranties and Liability
Our liability for loss or damages arising in relation to the services, as a result of breach of contract, tort (including negligence) or otherwise, is limited an amount equal to three times the fees payable or no greater than SGD 1 million by you for the portion of our services or work giving rise to the liability, except to the extent to which we are finally determined to have engaged in wilful misconduct or fraudulent behaviour
To the extent permitted by law we will not be liable for any loss, damages, or expenses, not directly caused by our wrongdoing (including loss of profits or revenue, business interruption, loss or corruption of data, loss of business opportunity, or failure to realise anticipated savings or benefits) arising in any way in relation to the services.
The amount of our liability (if any) shall be limited to that proportion of the total damage, after considering the responsibility of all who contribute to your loss.
Where we agree in writing to accept liability to more than one party, the limit on our liability in Clause 6.1 will be shared between all parties, and it is up to those parties to agree how to share it.
Except as specifically provided in the relevant Quote or this Agreement, Pragma makes no express or implied warranty or condition, whether of merchantability, fitness for a particular purpose, or otherwise, with respect to any service, product, or equipment provided to the Client by Pragma. Neither Pragma nor any of its underlying service providers, information providers, licensors, employees, or agents warrants that service will be uninterrupted or error free; nor does Pragma or any of its underlying service providers, information providers, licensors, employees, or agents make any warranty as to the results to be obtained from use of their services, products, or equipment. EXCEPT AS SPECIFICALLY PROVIDED IN THE QUOTE, ALL SERVICES, PRODUCTS AND EQUIPMENT ARE DISTRIBUTED PURSUANT TO THE QUOTE ON AN "AS IS", "AS AVAILABLE" BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, WHETHER PURSUANT TO STATUTE OR OTHERWISE. THIS CLAUSE MAY ONLY BE AMENDED, CHANGED OR REPLACED BASED ON AN ADDENDUM WHICH MUST SPECIFICALLY OUTLINE PRAGMA’S COMMITMENTS AND CLIENT COMPENSATION DUE TO PRAGMA’S FAILURE TO MEET ITS QUOTED COMMITMENTS.
We accept no liability to anyone, other than you, in connection with our services, unless otherwise agreed by us in writing. You agree to reimburse us, other associated firms, directors, employees, and subcontractors for any liability (including legal costs) that we incur in connection with any claim by anyone else in relation to the services. Your obligation to reimburse will not apply to the extent such claim or action is finally determined to have resulted from fraud or wilful misconduct by us, other associated firms, directors, employees, or subcontractors.
You agree that any legal proceedings arising from or in connection with the services must be commenced within two years from the date you become aware or ought reasonably to have become aware of the facts which give rise to our alleged liability and in any event no later than four years after any such cause of action accrued.
Pragma will not be liable for, and Client will be indemnify and hold harmless Pragma against, all claims, demands, losses or liabilities, including but not limited to, fees and expenses of counsel, arising out of any of the following: (a) claims for libel, slander, harassment, illegal, improper or unauthorised use of the services or related facilities by any person, infringement of copyright or unauthorised use of any trade-mark, trade name or service mark, arising from the material, data, information, or other transmissions of the Client or those authorised by the Client using Pragma’s facilities or services; (b) claims for infringement of intellectual property (including patents, trade-marks and copyright) arising from combining or connecting Pragma’s services, equipment or facilities with services, equipment, facilities and systems of the Client or the Client’s, employees or agents or those authorised by the Client; (c) claims by those to whom the Client provides services or from whom the Client may acquire services, equipment or facilities for use in conjunction with the services; (d) any and all business practices of the Client or those authorised by the Client; or (e) damage to business or property or injury to or death of any person, occasioned by or in connection with any act or omission of the Client or of any person utilising the Client’s codes, services, equipment or facilities with or without the consent or knowledge of the Client.
Without in any way impacting on the construction or interpretation of any other term of this Agreement, the existence of any claim, demand, loss, or liability described in Clause 6.8 will be deemed to be a material violation of this Agreement.
Clause 6 will apply in the event of a breach of the terms and conditions under this Agreement, by either Pragma or the Client. Clause 6 will survive termination of this Agreement.
Provisions of Service Lines
The Professional Services Agreement should be read in conjunction with the Provisions of Service Lines, detailed in the attached Exhibits, which together form the Agreement between us.
Where Client is engaging Pragma for Incident Response (Exhibit A), or Risk and Compliance (Exhibit B), or Managed IT Services (Exhibit C), or Vulnerability Assessment and Penetration Testing services (Exhibit D), refer to the relevant Exhibit for additional terms and conditions that will apply.
Term & Termination
This Agreement will start on the earlier of (i) the date of the quote is executed; or (ii) the date we begin to perform the services.
The Agreement will stay in effect for a period as defined in the relevant Quote (“Contract Term”).
The services may be terminated or suspended by either Party by sixty (60) days of written notice subject to any statutory or regulatory provisions that apply to the services.
Pragma may at any time discontinue any or all services, cancel a request for services and terminate its obligations under the Quote without incurring liability upon: (a) for any material violation by the Client of any of the provisions of the terms and conditions of this Agreement; (b) if the Client becomes bankrupt, insolvent, takes any proceeding seeking relief from creditors, ceases or threatens to cease to carry on business, becomes subject to any execution, seizure or restraint in respect of equipment supplied by Pragma, fails to provide security to Pragma when reasonably requested, or otherwise does not meet Pragma’s credit requirements; (c) in the event of any intentional or de facto transfer or assignment of or use of services supplied by Pragma which Pragma, acting reasonably, determines to be an improper use; (d) where any applicable law prohibits Pragma from furnishing such services; or (e) where any leases, licences, easements, rights of way, permits or regulatory authorisations or approvals required by Pragma to provide the services in accordance with the Quote cannot be obtained or renewed without commercially unreasonable expense to Pragma, or are terminated or revoked for any reason. In connection with termination pursuant to (a), (b) and (c), the Client will be responsible for all costs incurred by Pragma in connection with removing the services and related equipment and for the termination charges that would have been payable had the Client terminated the services pursuant to the Quote.
A termination or suspension of the services detailed in the Quote for any reason will not affect or prejudice any rights or obligations that have accrued or arisen under the Quote prior to the time of termination which rights and obligations will survive the termination of the relevant quote and this Agreement. In particular, and without limitation of the above, the Client will remain liable to Pragma for the payment of all sums of money payable to Pragma under the relevant quote and this Agreement up to the date of termination or suspension and for the performance of all the obligations that require Pragma to do or perform certain matters after the termination or suspension of the relevant Quote and this Agreement.
If Pragma terminates its services as a result of a breach by the Client of any of the terms of the Quote or the terms and conditions of this Agreement, or if the Client requests termination of Pragma’s services pursuant to the terms of the Quote after it has breached the Quote or the terms and conditions under this Agreement, Pragma is entitled, in addition to its right to terminate services, any additional remedies available to it at law for the losses it has suffered as a result of the breach.
Pragma shall not incur any liability whatsoever for any damage, loss, or expenses of any kind suffered or incurred by the Client arising from or incident to any termination or expiration of any services or this Agreement in accordance with its terms, whether the Client is aware of any such damage, loss, or expenses.
The provisions of this Agreement survive its termination or expiry and will continue to bind the parties.
We and you agree to use the other’s confidential information only in relation to the services, and not to disclose it, except where required by law or regulation or where requested by a professional body of which we are a member, or relevant subcontractors as long as they are bound by confidentiality obligations and to the extent it is not prohibited by the applicable law.
If the relevant project, transaction, or engagement is no longer confidential, we may refer to you and the nature of the services we have performed for you when marketing our services, provided we do not disclose your confidential information.
Should there be any confidentiality agreement signed between both Parties, it will take precedence on issues of confidentiality if there is any conflict between the confidentiality agreement and this Clause 9. Where an issue of confidentiality is covered in only one of the confidentiality agreement or this Clause 9, those provisions that deal with such an issue shall continue to apply. For the avoidance of doubt, the aggregate liability of Pragma to the Client for an engagement is limited to the amount referred in the relevant Quote.
Intellectual Property Rights
Pragma retains all intellectual property rights in all intellectual property created before the commencement of the relevant engagement, including but not limited to the source materials from which the Deliverables are derived (“Background IP”).
Client is granted ownership of all materials created as Deliverables of this Agreement (“Foreground IP”), insofar as it does not restrict or conflict with Pragma’s rights over Background IP.
For the purpose of this Agreement, Deliverables shall mean all documents and materials developed, as listed in the relevant Quote, by Pragma for the purpose of fulfilling the agreed Scope of Work.
In connection with each engagement, each party provides personal data to the other in accordance with any applicable data protection laws and regulations. We shall use personal data (as defined by the Singapore Personal Data Protection Act (“Act”)) for the purposes of fulfilling our obligations under this Agreement.
You agree that we may process and transfer your personal data to other associated firms, and relevant subcontractors (who may be located in other territories) for the purpose of (i) providing services, (ii) maintaining our operations or client relationship management systems, (iii) quality and risk management reviews, or (iv) providing you with information about us and our range of services.
Subcontractors & Associated Firms
We may use associated firms (each of which is a separate and independent legal entity) or subcontractors to provide the services. We remain solely responsible for the services.
You agree not to bring any claim (including negligence) against another associated firm in connection with the services.
Clause 12.2 is for the benefit of other Pragma associated firms. You agree that each of the other associated firms may rely on Clause 12.2 as if they were a Party to this Agreement. Each other associated firm that assists in providing the services relies on the protection in Clause 12.2 and we accept its benefit on its behalf.
You agree not to bring any claim (including negligence) against any of our employees or employees of associated firms or our directors or partners of other associated firms (together "Pragma individuals") personally in connection with the services. This clause is for the benefit of Pragma individuals. Each Pragma individual involved in providing the services relies on the protection in this Clause 13, and we accept its benefit on their behalf.
The Client will indemnify and save Pragma harmless from and against all loss, liability or damages of any type and expense, including reasonable legal fees, arising from all claims by any third party, including users and service providers, in connection with the improper use of the services (and related equipment) by the Client or the Client’s failure to comply with its obligations under the Quote. This indemnity will survive termination of the Quote.
Nothing in this Agreement applies to the extent that it is prohibited by the rules of the US Securities and Exchange Commission.
In connection with the services the parties to this contract may, from time to time, communicate with each other electronically. However, the electronic transmission of information cannot be guaranteed to be secure or error free and such information could arrive late or incomplete, be intercepted, corrupted, lost, destroyed, or otherwise be adversely affected or unsafe to use. Accordingly, each party accepts the limitations of electronic communication, and will use reasonable procedures to check for the then most commonly known viruses before sending information electronically.
Matters Beyond Reasonable Control
No Party will be liable to another if it fails to meet its obligations due to matters beyond their reasonable control.
Neither Party will be liable or responsible for any loss, damages, interruption, failure, delay or error in performing an obligation that is due to any of the following causes, to the extent beyond its reasonable control: acts of God, accident, riots, war, terrorist act, epidemic, pandemic, quarantine, civil commotion, breakdown of communication facilities, breakdown of web host, breakdown of internet service provider, natural catastrophes, governmental acts or omissions, changes in laws or regulations, national strikes, fire, explosion, or generalized lack of availability of raw materials or energy.
For the avoidance of doubt, Force Majeure shall not include (a) financial distress nor the inability of either Party to make a profit or avoid a financial loss, (b) changes in market prices or conditions, or (c) a Party’s financial inability to perform its obligations hereunder.
If a condition of Force Majeure prevents a Party from carrying out the material provisions of the Quote and the condition continues for a period longer than sixty (60) days, the other Party may terminate the services agreed in the Quote by written notice specifying the default and giving a termination date that is no less than thirty (30) days after the date of notice.
Third Party Rights
Except as provided in Clauses 12.3and 13 where the applicable Jurisdiction is Singapore, the Contracts (Rights of Third Parties) Act, Chapter 53B of Singapore (the "Contracts Act") and where the applicable Jurisdiction is England and Wales, the Contracts (Rights of Third Parties) Act 1999, (the “Contracts Act”), shall not under any circumstances apply to this Agreement and any person who is not a party to this Agreement shall have no right under the Act to enforce the Agreement or any of its terms. Any rights conferred on third parties by this Agreement are subject to the right of you and us, by agreement, to rescind or vary any terms of this Agreement without the consent of any third party.
You hereby grant Pragma and its relevant affiliated companies the right to document projects and use marketing materials which include but are not limited to client name, client experience and client logos for Pragma’s marketing collateral and website, in accordance with the terms of the agreement. You reserve the right to withdraw consent at your convenience.
This Agreement shall be governed and construed, where entered into with a Client incorporated in the European Union or United Kingdom, in accordance with the laws of England and Wales and, where the company is registered in any other region except the aforementioned regions, in accordance with the laws of Singapore (“Jurisdiction”).
If a dispute arises, the Parties will attempt to resolve it by discussion, negotiation, and mediation before commencing legal proceedings.
The courts of the applicable Jurisdiction will have exclusive jurisdiction over any dispute, whether contractual or non-contractual.
Changes to Terms and Conditions
We may make changes to the Terms and Conditions (“Terms”) listed in this Agreement at our discretion. Please check these Terms periodically for changes. Any changes to the Terms will apply on the date that they are made, and your continued access to engage our services after the Terms have been updated will constitute your binding acceptance of the updates. If you do not agree to any revised Terms, you may terminate your engagement with Pragma.
Both Parties agree that during the period of Agreement, and for the one (1) year period immediately following the termination of contract for any reason, neither Party shall solicit or contact any established employee, contractor, sub-contractor, or other personnel of the other Party with a view to inducing or encouraging such established person to discontinue or curtail any business relationship with the other Party. Both Parties further agree that neither Party will request or advise any established clients, customers, or suppliers of the other Party to withdraw, curtail, or cancel its business with the other Party.
PROVISIONS OF SERVICE LINES
EXHIBIT A: Incident Response
The additional provisions under this Exhibit A shall only be applicable if Pragma is contracted to carry out Incident Response services for the Client and shall apply only to the provided Incident Response services.
Pragma follows a standard process for Incident Response to maintain quality of service, obtain and preserve accurate evidence, and ensure the best possible outcome for its clients. The process splits into six stages, and the actions we are likely to take in each stage are detailed in Clause A.4 of this Exhibit.
Each incident is different, and some of these stages or actions apply only in certain cases. Pragma will apply the process stages and actions that are relevant to your case. Decisions about the relevance of stages and actions will be taken by Pragma solely based on the opinion of our staff based on the facts available to them at the time and will be discussed with Client only on Client’s request.
Pragma may utilise various tools in the examination and analysis of data. The utilised tools shall be procured from reputable suppliers and will be regularly updated to ensure that software is free from malicious code. Should the use of free software be required to progress an investigation, strict procedures will be followed to ensure that the software is free of malicious content.
Incident Response Service Fees
Pragma’s fees for Incident Response services will be charged on a time and materials basis according to the prevailing rate card, available upon request.
Pragma’s fees for Additional Services, detailed under Clause A.5 of this Exhibit A, will be charged according to rates provided to you in writing at the time of instruction.
For Incident Response services, the Fees listed in the Quote should be considered an estimate provided by Pragma based on the information available to us at this time. This estimate is provided as guidance only, and the actual fees charged may vary significantly from this estimate. Pragma will make reasonable efforts to update you if actual fees exceed this estimate, without detriment to Clause A.2.1 of this Exhibit A.
Limitation of Liability
Necessary actions in certain stages are likely to vary significantly depending on the nature of client systems and architecture, and on incident attack patterns. Actions cannot always be planned in advance, though Pragma will make reasonable efforts to discuss actions with Client where practical.
Such actions may be performed at speed or on short notice, and with limited ability to plan, test, and execute. They may be performed by Pragma directly, in collaboration with a Third-Party IT Service Provider nominated by the Client (“ITSP”), or by an ITSP under Pragma’s direction or advice.
Pragma accepts no liability for any unintended consequences stemming from actions taken in good faith. Pragma accepts no liability for actions taken by ITSP.
For the avoidance of doubt, Client acknowledges and accepts there is no contractual relationship between Pragma and any ITSP that Client requests Pragma work in collaboration with. All requests and or recommendations from Pragma directed to any ITSP should be construed as a request and or recommendation for and on behalf of the Client.
Client hereby retains Pragma to provide the following services: Preparation, Identification, Containment, Eradication, Recovery, and Reporting services in response to a recent cybersecurity incident (“Incident”).
Stage I: Preparation
- Conduct an interview for a preliminary incident assessment with all relevant parties.
Conduct high-level information gathering to establish:
- Environment overview (e.g., affected locations/systems, logging in place, anti-virus in place, available backups, networks overview)
- Current communications efforts
- Key contacts (team member, escalation, appointed project contact, public representation relations)
Stage II: Identification
- Provide remote or onsite collection assistance to collect the necessary logs and systems involved in the incident.
- Provide Client with access to secure online storage – including host information, credentials, and instructions for uploading requested data.
Network Data Analysis
- Review available event logs, firewall logs, and other identified perimeter logs preserved per device/appliance around the timeline of the incident.
Review the available logs to identify:
- the incident/attacking source
- the duration and extent of the attack
- evidence of exfiltration of confidential data
- if other malicious threats exist in the environment
Phishing Email Analysis
- Analyse the original phishing emails already identified for evidence of malicious capabilities and origination.
Analysis of Source Systems
Analyse the identified system or systems identified as a potential point of entry or source of the incident to establish the extent of the compromise and the malicious actions performed to date. This analysis may include:
- Imagine of affected systems
- Taking static or dynamic copies of log files
- Search for suspicious account activity
- Analysis of Internet history
- Identification of potentially confidential data such as Personally Identifiable Information “PII” and analysis for signs of access or exfiltration.
- Examination of application or operating system logs for the relevant activity.
Analyse a sample of identified malicious software (“Malware”) to determine relevant functionality such as:
- ability to cross-infect other systems
- ability to encrypt/destroy/modify data
- ability to exfiltrate data
- Analyse a sample of any identified ransomware to identify functionality, and to identify options for data recovery through recovery, decryption, or ransom. Pragma will provide its conclusions to the Client to assist Client to decide on an appropriate course of action.
Stage III: Containment
- The execution of containment actions identified in previous phases is to limit the damage caused by the attack or to prevent any further compromise.
- The execution of containment actions identified in previous phases is to limit the damage caused by the attack or to prevent any further compromise.
External Penetration Test/Vulnerability Assessment
Perform a penetration test and/or vulnerability scan on relevant servers to confirm that the attack has been contained. Before this is carried out, we will:
- Determine the exact scope of the penetration testing on identified public-facing servers
- Define scope, the timeline for pen-testing
- Identify devices for External Pen-Testing /Vulnerability Assessment
Stage IV: Eradication
- Execution of eradication actions identified in previous phases to remove from the system any threats identified.
- Please see Clause A.3 of this Exhibit for limitations of liability.
Stage V: Recovery
- Execution of recovery and restore actions identified in previous phases to bring affected systems back into operation.
- Liaison with relevant software vendors and third parties to obtain software specific recovery support.
- Please see Clause A.3 of this Exhibit for limitations of liability.
Where Client has suffered a ransomware attack and decided to pay a ransom:
- Negotiation with Threat Actor (“TA”) to obtain a decryption key, making reasonable efforts to avoid revealing the identity of Client
- Immediate payment of the bitcoin ransom (up to USD 50,000), with greater amounts payable within 24-48 hours.
- Due diligence on the attackers, to confirm there is no clear evidence of links to proscribed or sanctioned organisations or countries.
- To the extent possible, a review of the decryption tool for any additional malware designed to create either a secondary (delayed) attack, or to escalate the current attack.
- Technical confirmation of the validity of the decryption keys or tool, based on decryption of sample data in our lab
- Provision of written decryption guidance based on specific malware variant
- Preservation of all evidence regarding the attackers (e.g., email addresses, correspondence, IP addresses, bitcoin wallet identifiers), which can be produced to law enforcement with Client approval.
- If requested by Client or law firm, Pragma can provide a report confirming its due diligence on the attacker (“Sanctions Report”).
If requested by Client or Law Firm, Pragma can provide a report confirming its due diligence on the attacker (“Sanctions Report”).
The decryption of Ransomed Data
Where Client has suffered a ransomware attack, and Pragma has advised that decryption is possible, either through third-party tools, cryptanalysis, or use of a decryption key provided pursuant to payment of a ransom:
- Provide remote assistance to ITSP to aid with the process of decryption.
- Assist with troubleshooting and resolving of decryption issues.
- Assist with the remediation of the ransomware infection.
- Onsite technical assistance where required.
- Pragma makes no guarantees as to the completeness, accuracy, or timeliness of data recovered through its decryption services.
Stage VI: Reporting
- Provide regular updates during the course of the incident response
- Provide a verbal summary of findings, including immediate security recommendations
Provide a written report of findings, including some or all of:
- Identification and explanation of the attack
- Identification of root cause vulnerability and/or point of entry
- A timeline of the attack
- Opinion regarding access or exfiltration of confidential data
- Recommendations for security improvements or remediation to prevent recurrence and/or future attacks
This section describes Additional Services that may be required by the Client during incident response. By default, Pragma will not provide these services unless specifically requested to do so by Client.
Additional Services may incur additional charges, and where reasonably practical these will be notified to you before proceeding.
Additional Services may include some or all the actions described below. Pragma will undertake these actions only with the prior approval of the Client.
- Execution of improvement actions identified in previous phases to remediate Client security vulnerabilities or improve Client’s security controls.
- Purchase of security software, tools, or other controls to improve Client security.
- Installation, configuration and/or maintenance of security tools and controls
Ongoing Security Monitoring
- Ongoing monitoring of security alerts, log files, or other forms of incident response systems to detect new or ongoing attacks on Client’s systems.
- Analysis of security alerts to identify likely true positive alerts.
- Alerting of Client or ITSP personnel of true positive alerts.
- Provision of a high-security online cloud environment to host Client systems known to be under continued attack or at risk of repeated attack.
- Implementation of all cloud security measures required to prevent or mitigate known or expected attacks.
Rapid Recovery to Cloud
- Recovery of client systems to a cloud environment to minimise business disruption and speed up recovery time.
- The operation, maintenance, and service management of recovered systems.
- Provision of access to the cloud environment to qualified ITSP personnel to operate, maintain, and manage recovered systems.
Extended/Forensic Preservation of Evidence
- Identify all evidence necessary for extended preservation
- Agree with Client with forensic retention procedures are required
- Acquisition, imaging, and verification of all relevant storage media
- Taking custody and storage of physical devices
- Completion and maintenance of Chain of Evidence
- Extended storage
- Provision of evidence for future proceedings or regulatory inquiry
EXHIBIT B: Risk and Compliance Management Services
The additional provisions under this Exhibit B shall only be applicable if Pragma is contracted to carry out Risk and Compliance Management services for the Client and shall apply only to the provided Risk and Compliance Management services.
Risk and Compliance Management services include but are not limited to Risk Identification, Risk Assessment, Risk Treatment and Risk Monitoring and Reporting.
Responsibility for the implementation of actions identified during the assignment rests with Client, its management, and employees.
For the avoidance of doubt, Client acknowledges and accepts Pragma acts in our sole capacity as an advisor to the Client. Client will be solely responsible for managing its risks, making risk-related decisions and ultimately for any financial, operations and or reputation damages consequent from those decisions or actions.
During this phase, Pragma will assist Client to set up its risk management process (from risk identification to reporting and monitoring) by:
- Establishing a Risk Management Framework and setup a Risk Register Template.
- Conducting workshops and interviews with key senior management and stakeholders to identify an initial set of risks.
- Performing risk assessment and recommend risk treatment plans to manage risks.
- Assisting Client’s management in establishing a risk governance committee who will ultimately be responsible for managing risks and making risk-related decisions.
- Developing key risk indicators and dashboards for periodic management reporting.
The Operate Model will proceed after the Build Model, where Pragma will provide ongoing risk management services for Client by:
- Identifying and assessing new risks as they arise
- Conducting periodic review of risks based on the defined cycle
- Maintaining the risk register (update for new risks, the progress of mitigation plans, and changes to assessments based on risk review)
- Facilitating quarterly risk management meeting
- Reviewing and updating technology risk management framework (On an annual basis provided the period of services extend beyond six months as provided in this paragraph 2)
The Operate Model service will proceed for a minimum period of six (6) months. If after this period, the Client wishes to end Pragma's services, they will provide notice in writing at least two (2) weeks in advance to Pragma. If no notice is served to Pragma, Pragma will continue its services.
The following services are considered as optional additional services which Pragma can perform for Client as part of the Outsourced Risk and Compliance Management Service.
- Responding to inquiries from the client and prospects on security, controls, and data protection.
- Coordinating activities for audits and external assessments.
- Liaising with relevant regulators on compliance matters.
- Assessing the risks of new projects, products, or vendors.
- Reviewing compliance with new regulations and standards.
For the additional services defined under Clause B.4.1, Client will be charged on a time and materials basis according to the prevailing rate card, available upon request from Pragma.
Deliverables include Risk Management Framework, Risk Register, and Management Reporting Dashboards.
EXHIBIT C: Managed IT Services
The additional provisions under this Exhibit C shall only be applicable if Pragma is contracted to carry out Managed IT Services for the Client and shall apply only to the provided Managed IT Services.
Services, as defined under the relevant Quote, are provided solely based on, and are subject to, service, facility, and equipment availability. Pragma is not required to provide universal service and will not provide a service to any person or company who, in the opinion of Pragma, would compromise the technical, financial, or operational integrity of Pragma or its facilities or network.
Pragma is authorised to act as the Client’s agent in ordering access connection facilities or other services as required in connection with the provision of the services ordered by the Client.
Installation and Service
Installation - the Client make all necessary preparations required, as set out in the Quote, to permit installation, maintenance and operation of the services and will provide Pragma, and its suppliers of communication services and equipment, reasonable access to the Client’s equipment, to perform any work required to provide the services. The Client will have available, at least five (5) days prior to the scheduled installation date, all equipment which the Client is required, as set out in the Quote, to provide. Impairment of the services due to any equipment or software on the Client’s equipment not provided by Pragma will not relieve the Client of its obligation to pay for the services.
Installation Delay or Cancellation - if the Client cancels or delays a request for a service after installation work has started, but before the service is fully installed, the Client will be liable for any and all installation charges, removal costs, site restoration costs and any applicable termination fee. Payment of these charges, costs, and fees will be due on receipt of invoice.
The services will be available in line with the Service Level Agreement (SLA), available upon request by Client, with the respective Cloud service provider (AWS, Azure, etc).
For the purposes of determining “availability” stated in Clause C.3.1 of this Exhibit C, the following rules apply.
- Web site hosting is considered unavailable if the Pragma hosted web site cannot be accessed or viewed from the Internet due to problems on Pragma’s network or servers.
- E-mail is unavailable if the Client is not able to send or receive e-mail due to problems on Pragma’s network or servers.
- Internet access service is available as long as the Client site (i.e., workstation or server) can access the Internet.
- A service is not considered unavailable if that service is merely degraded or slow unless service performance falls below the minimum committed rate as set out in the SLA.
- Data services interruption means the inability to complete network connections point-to-point.
It may be necessary to temporarily suspend service for technical reasons or to maintain the network, equipment or facilities, the notice of which will be provided to the Client at least one day in advance. Such suspension of service will be considered an interruption of service if it falls outside of the regularly scheduled network maintenance window as defined in Clause C.3.4 of this Exhibit C. In such cases, prior notification to the Client is not required to be considered a service outage.
Pragma and the Client will agree on a regular scheduled network maintenance window. Pragma reserves the right to perform any such maintenance without notice during that period. Pragma will use such window to apply patches to the system and perform other necessary maintenance and upgrading work to keep the services as secure as possible.
Support - Pragma will provide the Client support with respect to monitoring for new vulnerabilities on weekdays from 8am Singapore time (UTC +8) to 5pm United Kingdom time (UTC +0), unless otherwise agreed in the Quote.
Right to Vary Services
Service Migration - Pragma reserves the right to update, upgrade or otherwise migrate the Client’s existing services, products or technologies to services, products or technologies which are of equivalent or better quality at no cost or additional charge to the Client, including the migration of services from third-party service providers to Pragma or alternative third-party service suppliers. The Client will be responsible for any costs necessary to upgrade the Client provided hardware, software, and other technologies to access the updated, upgraded or migrated service. The sole recourse for the Client if it is not willing to accept any such update, upgrade or migration is the right to terminate the Quote on thirty (30) days’ prior written notice received by Pragma within fifteen (15) calendar days of the Client’s receipt of written notice of Pragma’s intent to update, upgrade or migrate service. Pragma will waive the right to all term cancellation penalties for any termination invoked under the terms of Clause C.7 of this Exhibit C.
Investigations - Pragma has no obligation to monitor content on the services. Pragma has the right to monitor content and service levels electronically from time to time and to disclose any information necessary to:
- satisfy any law, regulation, or other governmental request or to assist Pragma in the pursuit of any claim against the Client; or
- operate the services properly; or protect Pragma and its Clients and service providers.
Pragma reserves the right to either refuse to post or transmit, or to remove any information or materials, in whole or in part, that Pragma determines are unacceptable, undesirable or in violation of the terms and conditions under this Agreement.
Limitation of System Security
Due to the evolving nature of security threats and the complexity of securing distributed systems, Pragma does not warrant any service it provides is entirely secure at any given point in time. As a result, Pragma is not liable for any security breaches that occur because of any factors other than our own negligence.
Secure Hosting Client Responsibilities
Software Licence Agreement - The Client will comply with all limitations, responsibilities, and terms of the Software Licence Agreement attached to the Quote (if any) and any software licence accompanying software provided by Pragma. In the event another software licence accompanies specific software provided by Pragma, that licence shall apply to the specific software it accompanies.
No Proprietary Right - The Client obtains no proprietary right or interest in, or any right to use of, any specific type of facility, service, equipment, address, number, process, or code associated with any service except as expressly noted in the Quote. Title to all equipment and software provided by Pragma is reserved to Pragma and does not pass to the Client. The Client’s only right is to use the equipment and software on the terms provided in the Quote and/or the Software Licences.
Content on Web Sites - The Client is solely responsible for all content available on or through the Client's web site(s) and will protect Pragma against any losses it suffers (including legal fees) as a result of the content of the Client’s site(s) or those belonging to its clients.
Internet Protocol Address - The Client acknowledges that the respective Cloud Service Provider is the owner of the Internet Protocol (IP) static address(s) assigned to a domain name(s) and website(s) hosted in Pragma’s CloudControl service. Pragma reserves the right to change the addresses at any time upon thirty (30) days’ notice to the Client. Upon termination, all IP addresses assigned by Pragma to the Client will revert to the respective Cloud Service Provider and the Client will have no further right to use such addresses.
Compliance with Law - The Client will use the services only as permitted by applicable laws, regulations, rules, decisions, and orders of applicable governmental and regulatory authorities. The Client will comply with the rules and regulations applicable to any network that is accessed through the services. The Client will not use the services to carry out any activity or solicit performance of any activity that is prohibited by law or regulation or facilitates or immediately threatens the violation of any law (including intellectual property law or regulation) or violates the terms and conditions of this Agreement or Pragma's Acceptable Use Policy (“Policy”), which Policy is incorporated herein and is subject to change from time to time, as posted on the Pragma website. Without limiting the foregoing, the Client will not:
- knowingly interfere with the lawful use by others of any service;
- modify, reverse engineer or, decompile, disassemble, or create derivative works based on software provided by Pragma or any Pragma service provider or supplier unless expressly permitted under the terms of the Software Licence Agreement or other applicable software licence;
- use the services to deliberately release computer viruses or other unauthorized or unwanted computer programs or data onto the Internet;
- use the Pragma name, logo or trademark in any promotional materials, Quotes, bills, or similar names or documents, or in association with the Client’s products or services without the express written authorisation of Pragma;
- n the case of internet service, violate generally accepted internet use guidelines, commonly known as “Netiquette”, to the extent the principles do not conflict with the provisions of the Quote or this Agreement;
- use the services to invade the privacy of third parties, impersonate Pragma personnel or other Pragma Clients or tend to damage the name or reputation of Pragma, its affiliates or agents;
- engage in any activity in connection with the services that is abusive, profane, libellous, slanderous, threatening or otherwise harassing, including posting material in any newsgroup that is off-topic according to any public statement of the newsgroup;
- solicit Pragma Clients to patronise competing services;
- use the services to violate or tamper with the security of any computer, equipment or program belonging to Pragma or any other service provider participating with or connected to Pragma’s services;
- engage in internet service bulk mailing of advertising or information, "spamming", or any other e-mail abuse;
- use the services to engage in the practice of hacking or any other unauthorized attempt to access or otherwise gain entry to the filter systems or network of Secure Hosting, its Clients, service providers or any other third party;
- use any process, program, or tool via the services for the purposes of guessing, deriving or in any other way attempting to obtain the passwords of Pragma, its service providers or Clients of Pragma or any other service provider; or
- cause or intentionally damage Pragma systems or other networks through Pragma systems.
Liability for improper use and violation of the terms of Clause C.6.5 of this Exhibit C by the Client may result in any of the following: (i) immediate termination or suspension of services by Pragma without prior notice to the Client; (ii) Client may face civil or criminal liability; (iii) monetary penalties as payable by Client; (iv) Client will be responsible for additional costs incurred by Pragma to enforce the Client’s compliance with this Agreement; (v) clean-up costs to be charged to the Client by Pragma on a time and materials basis according to the prevailing rate card, available upon request from Pragma.
System Requirements - The Client will be responsible for maintaining all its hardware, software, and other Client-supplied property in proper working order and at a level sufficient to meet the Pragma system requirements as notified to the Client by Pragma from time to time. The Client acknowledges that the Pragma system requirements will change over time and such changes may require the Client to purchase additional equipment, software or other property or services.
Equipment - Pragma is acting only as a reseller or licensor of any hardware, software, and equipment (collectively, the "Equipment") offered in the Quote that was provided by a third party. Pragma shall not be responsible for any changes in services(s) that cause Equipment to become obsolete, require modification or alteration, or otherwise affect the performance of the services. Any malfunction or manufacturer's defects of Equipment either sold, licensed, or provided by Pragma to the Client or purchased directly by the Client used in connection with the service(s) will not be deemed a breach of Pragma's obligations under this Agreement. Any rights or remedies the Client may have regarding the ownership, licensing, performance, or compliance of Equipment are limited to those rights extended to the Client by the manufacturer of such Equipment. The Client is entitled to use any Equipment supplied by Pragma only in connection with the permitted use of the services. The Client shall use best efforts to protect and keep confidential all intellectual property provided by Pragma to the Client through any Equipment and shall make no attempt to copy, alter, reverse engineer, or tamper with such intellectual property or to use it other than in connection with the services. The Client shall not resell, transfer, export, or re-export any Equipment, or any technical data derived there from, in violation of any applicable laws of the Republic of Singapore or any foreign law.
Secure Hosting Service Fees
Rates and Charges - The rates and charges for the services will be as set out in the Quote provided to the Client. Pragma is not required to refund or credit charges for unused services except as noted on the Quote.
Increase in Rates and Charges - Pragma may choose to increase the rates and charges because of an increase in costs incurred by Pragma in providing services. The increase will take effect sixty (60) days from the date of written notice of the increase is given to the Client. If the increase is accepted by the Client, then the rates and charges is deemed to be varied. If the Client is not agreeable to the increase in the rates and charges, Pragma may terminate this Agreement by providing ninety (90) days' notice.
Changing Plans - The Client may request, subject to any restrictions set out in the Quote or this Agreement, with respect to a Quote for a specified term (“Term Quote”), a change to a different Pragma pricing plan by submitting a written change request to Pragma. Any such pricing plan changes take effect at the start of the next billing cycle following Pragma’s confirmed receipt and acceptance of the change request.
Responsibility for Charges Incurred - The Client will pay all fees and other charges incurred in respect of the Client’s account, including charges for any purchases made through the services and any surcharges incurred while using any supplemental services or features of the services for which a surcharge is applicable. Unless otherwise expressly noted, all taxes are extra. The Client will pay all applicable taxes, and any access charges relating to the use of the services, whether such charges are billed by the service provider to Pragma or directly to the Client.
Suspension or Cancellation for Non-Payment - Pragma may suspend or cancel Client’s services if the Client has any invoice outstanding for thirty (30) days or more. Any Client having any account that is unpaid for three consecutive billing cycles (as described below) may, at Pragma’s option, have its files archived or purged and its services are cancelled or suspended. While suspended, the Client’s account will continue to accrue monthly or periodic charges for services under this Agreement. Upon payment of all accrued charges a service reconnection charge equal to the then current set-up fee will be assessed to remove an account from suspension.
Billing Cycle - The Pragma billing cycle begins on the first day of each month unless noted otherwise in the Quote. Charges for a new account are pro-rated based on the number of days remaining after the commencement of services in the initial month of service at a daily rate equal to the monthly charge divided by thirty (30) days. Charges in a month in which an account is terminated are not pro-rated and will not be refunded except as noted in the Quote. All bandwidth services will be billed in arrears at the end of the monthly billing cycle.
Other Charges - All installation and equipment charges will be billed at the time that service is committed for. Installation, equipment charges, registration, and set-up fees are non-refundable.
Account Information - The Client is entitled upon request to receive copies of its historical account or billing information for the previous twelve (12) billing cycles subject to payment of an administration fee.
Period of Service - With respect to services to be billed on a periodic basis, the initial term of the Quote and this Agreement will commence on the date the first of those services commences and will automatically renew for successive periods equal in length to the initial term set out in the Quote until terminated as set forth under Clause 8 ‘Term & Termination’ of the Agreement. The Client may terminate the Quote and the use of all or any of the services at the end of the then current term by providing at least thirty (30) days’ notice prior to the end of that term. The following cancellation charges, where applicable, will be due and payable immediately: (a) for month-to-month service, the monthly charge for the month in which that service will terminate; (b) for service under a Term Quote, charges for the remainder of the term or in the case of a renewal period until Quote termination.
EXHIBIT D: Vulnerability Assessment and Penetration Testing
The additional provisions under this Exhibit C shall only be applicable if Pragma is contracted to carry out Vulnerability Assessment and Penetration Testing services for the Client and shall apply only to the provided Vulnerability Assessment and Penetration Testing services.
Our approach will be performed in five phases, Phase 1 - Plan, Phase 2 - Assess, Phase 3 - Analyse, Phase 4 - Report, and Phase 5 - Re-test.
Phase 1: Plan
- Organise introductory sessions
- Agree on scope, timing, and report expectations and structure
- Identify stakeholders and agree on communication protocol
- Communicate resource requests and meetings schedule
Phase 2: Assess
Goal Setting and Scoping
- Which systems or networks to test
- How long the test will last
- Technical information provided by organisation
- Site mapping and discovery
- Manual detection
- Use of commercial, non-commercial, and internal scripts to enumerate flaws
- Exploitation would be performed to verify that an actual vulnerability exists by using it
- Process to be repeated to identify additional gaps provided by the exploit
The additional access may enable us to :
- attack other systems using the exploit
- change function level access and be able to use privileged control
- extract sensitive data from systems
- The process is iterative and hence will require both manual as well as automated tools.
Phase 3: Analyse
- Analyse impact and severity of risk
- Identify significant applications and critical infrastructure
- Assess risk
- Make pragmatic recommendations against risks
Phase 4: Report
- Prepare draft report
- Provide a list of exploits, security issues and vulnerabilities identified, which includes our recommended action plan to fix the issues
- Agree on findings and control improvement recommendations
- Finalise observations, risk rating and recommendations
- Provide final report
Phase 5: Re-test
- At the discretion of the Client, Pragma can conduct complimentary, optional, and suitable security tests to verify whether the security vulnerabilities identified during the agreed scope have been correctly addressed.
- The re-test shall only be conducted (i) on the agreed scope as stated in the relevant Quote, and (ii) if requested and scheduled within six (6) weeks of the final report being delivered to the Client, and (iii) if the invoice for the scope has been paid by the Client.
- Pragma will provide a secondary report following the completion of the re-test.
Limitation of Vulnerability Assessments and Penetration Tests
Vulnerability assessments and penetration tests are conducted over a limited period and are performed on the system at a single point of time. As such, the scope will be limited to current known vulnerabilities and current system configuration during the work period. The vulnerability assessments and penetration tests may not yield any vulnerability, which does not indicate that the system has no vulnerability exposure. New vulnerabilities may be discovered over time and therefore continuous and timely measures should be taken to address new vulnerabilities.
Caution of Vulnerability Assessments and Penetration Tests
Pragma has performed many assignments for various clients of this nature. Our experience has been that such tests do not normally cause any problems to any networks or systems. However, we wish to caution you that in work of this nature, there is a risk that the systems targeted for scanning or testing may be affected by the scanning software, causing system disruption or failures. We accept this assignment on the understanding that should this happen, Pragma, its partners and staff shall not be held responsible or liable for any claims, damages, and costs (including those asserted by third parties) resulting directly or indirectly from the performance of the vulnerability assessments, penetration tests and related work. For all the above tests, we advise Client to take appropriate risk management measures, such as backup and back-out procedures, and make appropriate contingency plans.
The final report will be issued after the security testing has been completed. The report will detail our work performed, findings and/or observations and associated risks.
An additional report will be delivered after the complimentary retest.