An IT Support Agreement — also called a Managed IT Services Agreement or a Managed Service Provider (MSP) Agreement — is a written contract between an IT support company or technology consultant and a business client that sets out the ongoing terms under which IT support and managed services will be provided. In Australia, IT support agreements are increasingly important as businesses of all sizes rely on complex cloud infrastructure, endpoint devices, and third-party software platforms that require ongoing management, monitoring, and rapid response to technical issues.

The legal framework governing IT support agreements in Australia is multifaceted. The Australian Consumer Law (ACL), which forms Schedule 2 of the Competition and Consumer Act 2010 (Cth), implies mandatory consumer guarantees into all contracts for services — including IT services — provided to consumers and small businesses. These guarantees require that services be rendered with due care and skill, be fit for any particular purpose made known to the provider, and be supplied within a reasonable time. The unfair contract terms provisions of the ACL, which have applied to small business contracts since November 2023, also require that IT support agreements not contain terms that create a significant imbalance in rights and obligations without reasonable justification.

Data protection is a central issue for IT support agreements. The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) govern how personal information must be handled by organisations covered by the Act. IT providers typically have extensive access to client systems and data, and the IT support agreement must clearly document the provider's data security obligations, the restrictions on use and disclosure of personal information, and the process for managing and reporting data breaches under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act.

The Australian Signals Directorate (ASD) publishes the Essential Eight cybersecurity controls — a set of baseline mitigation strategies recommended for all Australian organisations. IT support providers and their clients should consider referencing or incorporating the Essential Eight (application control, patch applications, patch operating systems, restrict Microsoft Office macros, user application hardening, restrict administrative privileges, multi-factor authentication, and regular backups) as a security framework within the IT support agreement.

An IT Support Agreement is needed by any Australian business that outsources its IT function — in whole or in part — to an external IT service provider. This covers the most common models of IT outsourcing: fully managed IT services (where the IT provider is responsible for all hardware, software, security, and helpdesk); co-managed IT services (where the IT provider supplements an in-house IT team); and break-fix support (where the IT provider responds to incidents on an ad hoc basis without a monthly retainer).

A written agreement is particularly important for: small and medium-sized businesses that have no in-house IT expertise and rely entirely on their MSP for IT continuity; businesses that hold personal information (including health records, financial data, and customer databases) and need to document their IT provider's Privacy Act compliance obligations; professional services firms — including law firms, accounting practices, medical practices, and financial planning businesses — where data confidentiality and system uptime are critical; businesses operating in regulated industries that are subject to specific cybersecurity or data governance standards; and businesses entering multi-year managed services contracts where early termination fees and transition obligations need to be clearly defined.

A written IT support agreement protects both parties: the client gets clear SLA commitments, defined scope, and documented data security obligations; the IT provider gets clear payment terms, defined scope boundaries that prevent scope creep, early termination protections, and a limitation of liability clause that reduces exposure to disproportionate claims.

The agreement is also important for cyber insurance purposes: many Australian cyber insurers require evidence of documented IT security practices, backup procedures, and incident response obligations as a condition of coverage or when calculating premiums.

A comprehensive Australian IT Support Agreement should address the following key provisions.

Scope of services — Define with precision every service included in the monthly managed services fee. Common inclusions are: remote helpdesk support, on-site support visits, network monitoring, patch management, endpoint security management, cloud platform administration (Microsoft 365, Google Workspace, Azure, AWS), email management, backup administration, and IT procurement assistance. Equally important is an explicit exclusions list and a change order process for Out-of-Scope Work.

Service level agreement (SLA) — Specify tiered priority levels (Critical, High, Standard) with clear definitions for each tier and binding target response times. Many SMB managed services contracts target 1 hour for critical issues, 4 business hours for high priority, and 1 business day for standard issues. Include an escalation process and a service reporting obligation so the client can monitor SLA performance.

Support hours and after-hours access — State the standard support hours and the process for obtaining emergency support outside those hours. Specify whether after-hours support is included in the monthly fee or charged at a premium rate.

Fees and payment — Set out the monthly managed services retainer, the GST treatment, and the payment terms. Specify the hourly rate for ad hoc and Out-of-Scope Work, travel charges, and the procurement margin for third-party hardware and software. Include an annual fee review mechanism.

Data security — Document the specific security measures the IT provider will implement and maintain, including endpoint protection, multi-factor authentication, encryption, access controls, and security incident detection. Reference the ASD Essential Eight or equivalent framework if appropriate.

Privacy and data handling — Address the IT provider's obligations under the Privacy Act 1988 (Cth) and APPs, including restrictions on use and disclosure of personal information, the obligation to report data breaches, and the process for complying with the Notifiable Data Breaches scheme.

Backup and disaster recovery — Specify the backup frequency, retention period, storage location (geographically separate from primary data), and testing schedule. Include a realistic acknowledgement that no backup system guarantees 100% recovery.

Term and early termination — Define the initial term, the notice period after the initial term, and the early termination fee if the client exits before the end of the initial term. Include the IT provider's obligations on termination, including data return or destruction, revocation of access, and transition assistance.

Limitation of liability — Include a cap on the IT provider's aggregate liability (typically the fees paid in the preceding 3 months) and an exclusion of indirect and consequential loss, compliant with the Australian Consumer Law.