IT Services Agreement
IT SERVICES AGREEMENT
This IT Services Agreement ("Agreement") is entered into on [Agreement_date] between:
**IT SERVICE PROVIDER:** [Provider_name], Registration No. [Provider_reg_no], of [Provider_address] ("Provider")
and
**CLIENT:** [Client_name], Registration No. [Client_reg_no], of [Client_address] ("Client")
(collectively referred to as the "Parties").
1. SCOPE OF SERVICES
1.1 The Provider agrees to provide the following IT services to the Client: [Services_description]
Service Category: [Service_type]
1.2 The key deliverables under this Agreement are: [Deliverables]
1.3 Services shall commence on [Project_start_date] and are expected to be completed or initially renewed by [Project_end_date].
1.4 Any changes to the scope of services must be agreed in writing by both Parties through a change control process. This Agreement is governed by the Law of Contract Act Cap. 23 of Kenya.
2. SERVICE LEVELS
2.1 For managed or hosted systems, the Provider guarantees a minimum uptime of [Uptime_sla].
2.2 Incident response times:
(a) Critical incidents (system down): [Response_time_critical]
(b) Normal incidents: [Response_time_normal]
2.3 Where the Provider consistently fails to meet service levels, the Client may be entitled to service credits or, after three consecutive months of SLA breach, may terminate this Agreement for cause without penalty.
3. INTELLECTUAL PROPERTY
3.1 Ownership of intellectual property developed under this Agreement: [Ip_ownership]
3.2 Each Party retains ownership of its background intellectual property (pre-existing IP). Nothing in this Agreement grants either Party rights to the other's background IP except as necessary to perform this Agreement.
3.3 Source code escrow arrangement required: [Source_code_escrow]
3.4 Where IP is assigned to the Client, the Provider assigns all copyright, patents, and related rights in deliverables to the Client with effect from full payment, pursuant to the Copyright Act Cap. 130 and the Industrial Property Act No. 3 of 2001.
4. PAYMENT TERMS
4.1 The total contract value is [Total_contract_value] (exclusive of VAT).
4.2 Payment structure: [Payment_structure]
4.3 Invoices are payable within [Payment_terms] of the invoice date.
4.4 Late payments shall attract interest at the Central Bank of Kenya base rate plus 2% per annum on the overdue amount.
4.5 All fees are subject to Value Added Tax at the applicable rate under the Value Added Tax Act No. 35 of 2013, and withholding tax deductions shall be made as required under the Income Tax Act Cap. 470.
5. DATA PROTECTION
5.1 Provider access to personal data: [Personal_data_involved]
5.2 Where the Provider processes personal data on behalf of the Client, the categories of data involved are: [Data_categories]
5.3 The Provider shall, as a data processor under the Data Protection Act No. 24 of 2019:
(a) Process personal data only on documented instructions from the Client;
(b) Implement appropriate technical and organisational security measures;
(c) Ensure all personnel with data access are bound by confidentiality obligations;
(d) Notify the Client within 24 hours of discovering a personal data breach;
(e) Delete or return all personal data upon termination of this Agreement.
5.4 The Provider shall not sub-process personal data without prior written consent from the Client and the Office of the Data Protection Commissioner (ODPC) where required.
6. CONFIDENTIALITY
6.1 Each Party shall maintain in strict confidence all Confidential Information received from the other Party and shall not disclose such information to any third party without prior written consent.
6.2 Confidential Information includes business data, technical documentation, source code, pricing, client lists, and any information designated as confidential.
6.3 Confidentiality obligations shall survive termination of this Agreement for a period of five (5) years.
6.4 The Provider acknowledges that the Client's systems and data constitute confidential information and that all access shall be authorised pursuant to the Computer Misuse and Cybercrimes Act No. 5 of 2018.
7. LIABILITY AND TERMINATION
7.1 The Provider's maximum aggregate liability for all claims under this Agreement shall not exceed [Liability_cap].
7.2 Neither Party shall be liable for indirect, consequential, or punitive damages, loss of profits, or loss of data arising from a breach of this Agreement.
7.3 Either Party may terminate this Agreement for convenience by giving [Termination_notice] written notice to the other Party.
7.4 Either Party may terminate immediately for material breach if the breach is not remedied within 14 days of written notice.
7.5 Upon termination, the Provider shall deliver all client data, documentation, and work product to the Client and cooperate with the transition to a replacement provider for a period of up to 30 days.
7.6 This Agreement is governed by the [Governing_law]. Disputes shall first be subject to negotiation, then mediation, and if unresolved, arbitration before the Nairobi Centre for International Arbitration (NCIA) under the Nairobi Centre for International Arbitration Act No. 26 of 2013.
SIGNATURES
IN WITNESS WHEREOF, the Parties have signed this Agreement on the date first above written.
**IT SERVICE PROVIDER**
For and on behalf of: [Provider_name]
Authorised Signatory: _______________________
Designation: _______________________
Date: _______________________
**CLIENT**
For and on behalf of: [Client_name]
Authorised Signatory: _______________________
Designation: _______________________
Date: _______________________
What Is an IT Services Agreement?
An IT Services Agreement in Kenya is a legally binding contract between an information technology service provider and a client organisation that governs the delivery of technology-related services including software development, system integration, managed IT services, technical support, network administration, cybersecurity services, and IT consultancy. The agreement is primarily governed by the Law of Contract Act Cap. 23 of Kenya, which establishes the foundational principles of contract formation, performance, breach, and remedies applicable to all commercial contracts in Kenya.
The IT services sector in Kenya has grown rapidly, driven by the country's emergence as a regional technology hub anchored by the Nairobi Silicon Savannah ecosystem, the Konza Technopolis development, and a vibrant startup community. Kenya's Information and Communications Technology sector contributes significantly to GDP and employs hundreds of thousands of professionals. Formalising IT service relationships through thorough written agreements is essential in this environment to protect both service providers and clients.
Beyond the Law of Contract Act Cap. 23, IT Services Agreements in Kenya must comply with several sector-specific statutes. The Data Protection Act No. 24 of 2019 — administered by the Office of the Data Protection Commissioner (ODPC) — imposes obligations on IT service providers who access, process, or store client data, designating them as data processors subject to binding data processing requirements. The Computer Misuse and Cybercrimes Act No. 5 of 2018 establishes criminal liability for unauthorised access to computer systems, making it critical for the agreement to precisely define the scope of authorised system access granted to the IT service provider.
The Kenya Information and Communications Act Cap. 411A and the Communications Authority of Kenya (CA) regulate certain categories of IT services, particularly those involving telecommunications infrastructure, internet services, or electronic commerce platforms. The Kenya ICT Authority, established under the ICT Authority Act No. 24 of 2013, sets standards for government ICT procurement and may impose additional requirements on IT service providers contracting with public sector entities.
Intellectual property rights in software and systems developed under IT service agreements are governed by the Copyright Act Cap. 130, which provides that software created in the course of employment vests in the employer, while software created by an independent contractor vests in the contractor unless contractually assigned. The agreement must therefore explicitly address IP ownership, licensing, and source code escrow arrangements to avoid costly disputes after project completion.
Kenya's public procurement framework under the Public Procurement and Asset Disposal Act No. 33 of 2015 prescribes specific requirements for IT services contracts awarded by government entities and state corporations. The Kenya ICT Authority, operating under the ICT Authority Act No. 24 of 2013, publishes standard IT procurement frameworks and preferred vendor lists for government agencies. The Authority also maintains the Kenya National ICT Master Plan, which guides government IT investments and influences the scope and architecture of IT services agreements involving public sector clients. Failure to comply with Kenya ICT Authority procurement standards can result in rejection of bids, contract voidance, and debarment from future government IT tenders.
The tax treatment of IT services in Kenya affects agreement structuring. Under the Income Tax Act Cap. 470 and the Value Added Tax Act No. 35 of 2013, IT services supplied to Kenyan clients are subject to VAT at 16%, and management or professional fees paid to non-resident IT providers attract withholding tax at rates prescribed by the Income Tax Withholding Tax Rules. IT services agreements should clearly address the tax treatment of fees, responsibility for VAT compliance, and the procedure for handling withholding tax deductions. Where the provider is established in a country with which Kenya has a double taxation agreement such as Canada, Germany, France, or the United Kingdom, reduced withholding tax rates may apply subject to certification.
The Kenya National Computer Incident Response Team Coordination Centre (KE-CIRT/CC), operated by the Communications Authority of Kenya, coordinates national cybersecurity incident response and publishes cybersecurity guidelines that IT service providers operating in Kenya are expected to follow. IT services agreements increasingly incorporate KE-CIRT/CC reporting obligations for cybersecurity incidents affecting critical national information infrastructure. The Kenya Information and Communications Act Cap. 411A designates certain ICT systems as critical national information infrastructure, and IT service providers managing or accessing such systems must comply with additional security requirements prescribed by the CA and the National Intelligence Service. The Digital Economy Blueprint launched by the Kenyan Government in 2019 under the four pillars of digital infrastructure, digital services, digital literacy, and digital innovation has created new categories of IT services contracts particularly in e-government service delivery, digital identity systems, and public data analytics.
When Do You Need an IT Services Agreement?
An IT Services Agreement in Kenya is needed whenever a business, government agency, NGO, or individual engages an IT company or freelance technology professional to deliver technology services of any material scope. The Law of Contract Act Cap. 23 does not require service contracts to be in writing to be enforceable, but the complexity and value of IT engagements make a written agreement essential for protecting both parties.
Software development projects — including custom enterprise applications, mobile apps for Android and iOS, e-commerce platforms, and ERP system implementations — require detailed IT services agreements that specify the project scope, deliverables, milestones, testing and acceptance criteria, and intellectual property ownership. Without a written agreement, disputes over scope creep, delayed delivery, and IP ownership are extremely common and difficult to resolve.
Managed IT services arrangements — where an IT provider takes ongoing responsibility for a client's network infrastructure, server administration, cybersecurity monitoring, help desk support, and IT asset management — require agreements that define service levels, response times, escalation procedures, and performance metrics. The Kenya ICT Authority's IT Service Management framework recommends ITIL-aligned SLAs for government agencies procuring managed IT services.
Data centre and cloud hosting services provided by companies such as Safaricom Cloud, Liquid Intelligent Technologies, and local colocation facilities require agreements that address data sovereignty, backup procedures, disaster recovery capabilities, and compliance with the Data Protection Act No. 24 of 2019.
Cybersecurity services including penetration testing, vulnerability assessments, security operations centre (SOC) monitoring, and incident response require especially careful agreement drafting to authorise the security provider's testing activities within the scope of the Computer Misuse and Cybercrimes Act No. 5 of 2018, which criminalises unauthorised system access.
Government and public sector IT procurements in Kenya must additionally comply with the Public Procurement and Asset Disposal Act No. 33 of 2015 and the Public Procurement and Asset Disposal Regulations, 2020, which set mandatory terms for IT service contracts awarded through competitive tender processes.
Kenyan financial institutions including commercial banks regulated by the Central Bank of Kenya (CBK) under the Banking Act Cap. 488, insurance companies under the Insurance Act Cap. 487, and capital markets intermediaries under the Capital Markets Act Cap. 485A must confirm their IT services agreements comply with sector-specific regulations requiring Board approval for material outsourcing arrangements, data localisation requirements, and mandatory IT audit rights. The CBK Guidance on Outsourcing for Institutions Licensed under the Banking Act requires banks to maintain formal written agreements with all technology service providers and to notify the CBK of material IT outsourcing arrangements. Healthcare providers engaging IT companies for electronic health record systems must comply with the Kenya Health Information System Policy and data governance requirements under the Health Act No. 21 of 2017.
Non-governmental organisations (NGOs) and international development organisations operating in Kenya under the Public Benefit Organisations Act No. 18 of 2013 increasingly rely on IT service agreements for donor reporting systems, beneficiary management platforms, and financial management software. These organisations must confirm their IT agreements comply with donor data governance requirements, international data protection standards including GDPR where EU data subjects are involved, and the Kenya Data Protection Act No. 24 of 2019. Educational technology companies providing e-learning platforms to Kenyan schools and universities under the digital learning initiative need IT services agreements that address content licensing, student data protection under the Children Act No. 29 of 2022, and compliance with Kenya Institute of Curriculum Development content standards.
What to Include in Your IT Services Agreement
A well-drafted IT Services Agreement in Kenya under the Law of Contract Act Cap. 23 must address the following critical provisions to be enforceable, commercially sound, and compliant with Kenya's technology regulations.
**Scope of Services.** The agreement must contain a precise, unambiguous description of the IT services to be delivered — either as a statement of work (SOW) attached as a schedule or incorporated directly into the body of the agreement. Vague scope descriptions are the leading cause of IT project disputes in Kenya and internationally. The scope should address deliverables, excluded services, and the change control process for scope modifications.
**Service Levels and Performance Standards.** For managed services and support arrangements, SLAs must specify availability targets (e.g., 99.9% system uptime), incident response times (categorised by severity), resolution time commitments, and performance measurement methodologies. The agreement should state the remedies available — such as service credits or termination rights — when SLAs are consistently missed.
**Intellectual Property Rights.** Under the Copyright Act Cap. 130, software created by an independent contractor vests in the contractor by default. The agreement must explicitly state whether intellectual property in custom-developed software, code, databases, and documentation transfers to the client upon payment (work-for-hire assignment) or remains with the provider under a licence. Source code escrow arrangements — where source code is held by a neutral escrow agent for release if the provider becomes insolvent — should be considered for mission-critical systems.
**Data Protection and Security.** Where the IT provider accesses or processes personal data, the agreement must include a compliant data processing addendum under the Data Protection Act No. 24 of 2019. This addendum must specify the categories of data processed, the processing purposes, security measures implemented, sub-processor approval requirements, data breach notification timelines (72 hours to the ODPC), and data deletion obligations upon contract termination.
**Authorised System Access.** Under the Computer Misuse and Cybercrimes Act No. 5 of 2018, all system access by the IT provider must be explicitly authorised in writing. The agreement should specify which systems, databases, and network segments the provider may access, under what conditions, and with what logging and audit trail requirements.
**Payment Terms and Milestones.** The agreement must specify fees, billing frequency, milestone payment schedules for project work, expense reimbursement policies, and late payment consequences. The Law of Contract Act Cap. 23 allows for liquidated damages clauses where project delays cause quantifiable client losses.
**Confidentiality.** IT service providers gain access to sensitive business information, trade secrets, and personal data. Strong confidentiality obligations — surviving termination for a defined period — are essential and should be supported by a separate Non-Disclosure Agreement or incorporated as a standalone clause with the Law of Contract Act Cap. 23 as the governing statute.
**Termination and Transition.** The agreement must define termination rights for cause and for convenience, notice periods, exit assistance obligations (data migration, knowledge transfer, documentation handover), and post-termination restrictions on use of client's proprietary information. Forms-legal.com provides this template as a starting framework; parties should supplement it with a detailed project-specific statement of work.
**Change Management and Version Control.** For software development engagements, the agreement should specify the change control process including how new requirements are documented, estimated, approved, and priced. A formal change request process prevents scope creep and protects both parties from disputes. Version control requirements, code repository access, and branching strategies should be documented for long-running development projects where multiple developers contribute to a shared codebase.
**Testing and Acceptance Criteria.** The agreement must define the testing methodology, acceptance test criteria, and the process for raising and resolving defects discovered during user acceptance testing (UAT). Clear acceptance criteria prevent disputes about whether deliverables meet requirements. The agreement should specify the number of UAT cycles permitted, the timeline for the client to raise defects, the severity classification of defects as critical, major, or minor, and the provider obligation to remedy defects within defined timeframes before the client may withhold payment or claim damages under the Law of Contract Act Cap. 23.
**Business Continuity and Disaster Recovery.** For managed services providers responsible for client IT infrastructure, the agreement must address business continuity and disaster recovery obligations including recovery time objectives (RTO), recovery point objectives (RPO), backup frequency, offsite backup storage locations, and annual disaster recovery testing requirements. The Kenya National Disaster Management Authority (NDMA) and the CBK both recommend formal BCDR planning for critical IT systems serving financial services, health, and government operations.
The agreement should address **subcontracting** clearly. IT service providers frequently engage subcontractors for specialised work such as cybersecurity testing, data migration, or hardware installation. The agreement must specify whether subcontracting is permitted, any client approval requirements before engaging subcontractors, the provider's liability for subcontractor acts and omissions, and the obligation to impose equivalent confidentiality and data protection obligations on subcontractors. Under the Data Protection Act No. 24 of 2019, the client must approve any sub-processing of personal data. The agreement must also address **knowledge transfer and documentation** obligations upon project completion, requiring the provider to deliver complete technical documentation, system architecture diagrams, user manuals, administrator guides, and source code comments sufficient to enable the client or a successor provider to maintain and extend the system without dependency on the original provider.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). IT Services Agreement (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/services/ke-it-services-agreement
"IT Services Agreement (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/services/ke-it-services-agreement.
@misc{formslegal-ke-it-services-agreement,
author = {{Forms Legal}},
title = {IT Services Agreement (Kenya)},
year = {2026},
howpublished = {\url{https://forms-legal.com/kenya/business/services/ke-it-services-agreement}},
note = {Free legal document template}
}
Frequently Asked Questions
Under the Copyright Act Cap. 130 of Kenya, software created by an independent contractor (as opposed to an employee) vests in the contractor by default, unless the contract expressly provides otherwise. This means that if a Kenya business hires an IT company to develop custom software and the agreement is silent on IP ownership, the IT company retains copyright in the software and the client merely has a licence to use it. To transfer ownership of custom-developed software to the client, the IT Services Agreement must contain an explicit IP assignment clause stating that all intellectual property created under the agreement is assigned to the client upon full payment. Businesses commissioning software development in Kenya should ensure this clause is present and clearly worded before signing any IT services contract.
IT service providers in Kenya who access, process, or store personal data on behalf of clients are classified as data processors under the Data Protection Act No. 24 of 2019. As data processors, they must process personal data only on documented instructions from the client (data controller), implement appropriate technical and organisational security measures to protect data, ensure confidentiality obligations are imposed on all staff with access to personal data, notify the client immediately upon discovering a data breach, and delete or return all personal data upon termination of the services agreement. The agreement must include a data processing addendum that satisfies Section 34 of the Data Protection Act. Failure to comply exposes the IT provider to penalties administered by the Office of the Data Protection Commissioner (ODPC) including fines and suspension of data processing activities.
Project delays are addressed under the Law of Contract Act Cap. 23 through the remedies of damages, specific performance, and termination for material breach. An IT Services Agreement should include a project timeline with clearly defined milestones and delivery dates. If the provider fails to meet milestones, the client may be entitled to liquidated damages — a pre-agreed financial penalty per day of delay — provided the liquidated damages clause represents a genuine pre-estimate of loss and is not a penalty, as established in Kenyan case law following the House of Lords decision in Dunlop Pneumatic Tyre Co v New Garage and Motor Co. The agreement should also specify force majeure events that excuse delay, including infrastructure outages, government actions, and acts of God, with notice requirements and a maximum force majeure period before either party may terminate.
Yes, IT services agreements in Kenya may include non-solicitation clauses that prevent the client from directly employing or engaging the IT provider's staff during and for a defined period after the agreement. Such clauses are enforceable under the Law of Contract Act Cap. 23 if they are reasonable in scope, duration (typically 12-24 months), and geographic area. The Employment Act No. 11 of 2007 protects employees' rights to seek new employment, so non-solicitation clauses must target the client's conduct in actively recruiting the provider's staff rather than restricting the employees themselves. IT companies in Kenya's competitive talent market frequently include these provisions to protect investments in staff training and to maintain team stability on long-running client engagements.
Liability limitation clauses are standard in Kenya IT services agreements and are generally enforceable under the Law of Contract Act Cap. 23, provided they are not unconscionable or contrary to public policy. IT service providers typically cap their total aggregate liability at the fees paid under the agreement in the 12 months preceding the claim, or at a fixed amount. Certain liabilities are commonly excluded from caps, including liability for death or personal injury caused by negligence, fraud or wilful misconduct, breach of confidentiality obligations, and infringement of third-party intellectual property rights. Data protection liabilities under the Data Protection Act No. 24 of 2019 are difficult to cap contractually as ODPC penalties are imposed by the regulator independently of contract terms. Clients contracting for critical systems should negotiate higher liability caps or specific indemnities for data breach scenarios.
The Computer Misuse and Cybercrimes Act No. 5 of 2018 criminalises unauthorised access to computer systems, making explicit written authorisation for cybersecurity testing activities legally essential. An IT services agreement covering penetration testing, vulnerability assessments, or ethical hacking must specifically enumerate the systems in scope for testing, the testing methodologies permitted, the time windows during which testing may be conducted, the requirement to halt testing immediately upon client instruction, and the confidentiality obligations covering discovered vulnerabilities. The agreement should also address the procedure for reporting critical vulnerabilities discovered during testing, storage and destruction of test data, and liability if testing inadvertently causes system disruption. Without this written authorisation, even well-intentioned security testing may constitute a criminal offence under Section 22 of the Computer Misuse and Cybercrimes Act.
Disputes under IT services agreements in Kenya are typically resolved through a tiered mechanism beginning with direct negotiation between senior representatives of both parties. If negotiation fails within a defined period (usually 30 days), the parties may proceed to mediation, which is cost-effective and preserves business relationships. The Nairobi Centre for International Arbitration (NCIA), established under the Nairobi Centre for International Arbitration Act No. 26 of 2013, provides institutional arbitration services for commercial disputes and is commonly specified in technology contracts involving significant sums. For smaller disputes, the Business Recovery and Insolvency Practitioners Association of Kenya (BRIP) and the Chartered Institute of Arbitrators Kenya Branch offer mediation and arbitration services. Litigation before the Commercial Division of the High Court of Kenya remains an option but is typically slower and more costly than alternative dispute resolution for technology contracts.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.