IT Services Agreement (Pakistan)

An IT Services Agreement in Pakistan sets out the basis on which the supplier provides services to the client, defining deliverables, payment, intellectual property and liability.

The Prevention of Electronic Crimes Act 2016 (PECA 2016) is Pakistan's primary cybercrime legislation, enacted to combat offences relating to electronic crimes including unauthorised access to computer systems, data theft, cyberstalking, and electronic fraud. IT Services Agreements in Pakistan must contain provisions consistent with PECA 2016 obligations — including appropriate data security measures, incident reporting obligations, and restrictions on unauthorised access to the client's computer systems and data. Section 9 of PECA 2016 criminalises unauthorised access to computer systems, Section 10 criminalises unauthorised copying or transmission of data, and Section 14 criminalises malicious code distribution — all of which are relevant to the obligations of IT service providers handling client systems.

The Electronic Transactions Ordinance 2002 (ETO 2002) is the foundational legislation for electronic commerce and e-contracting in Pakistan. The ETO 2002 gives legal validity to electronic records, electronic signatures, and contracts formed electronically, making it directly relevant to IT services contracts which are often negotiated and executed electronically. Section 3 of the ETO 2002 provides that no document, record, information, communication, or transaction shall be denied legal recognition solely on the ground that it is in electronic form. Section 6 provides for the legal validity of electronic signatures. The Pakistan Telecommunication Authority (PTA) is the regulatory body overseeing aspects of the digital and telecommunications sector relevant to IT service delivery.

The Pakistan Software Export Board (PSEB), operating under the Ministry of Information Technology and Telecommunication (MoITT), is the government body that promotes Pakistan's IT industry exports. IT companies registered with PSEB benefit from tax exemptions on export earnings under the Income Tax Ordinance 2001 — specifically SRO 586(I)/1991 and subsequent notifications exempting IT export income from tax. IT Services Agreements for export-oriented projects must comply with State Bank of Pakistan (SBP) foreign exchange regulations under the Foreign Exchange Regulation Act 1947 for receipt of foreign remittances.

Intellectual property rights generated under IT services are governed by the Copyright Ordinance 1962 (as amended), which vests copyright in computer programs (software) in the author — or in the employer where the work is created in the course of employment, or in the commissioning party where there is a valid written assignment. The Intellectual Property Organization of Pakistan (IPO Pakistan), established under the Intellectual Property Organization of Pakistan Act 2012, administers copyright, patents, and trademarks. IT Services Agreements must contain express IP assignment or licensing clauses to establish who owns the code, databases, and documentation created under the contract.

Data protection in Pakistan is increasingly regulated by the Personal Data Protection Bill (PDPB), which was under legislative consideration as of 2024, and by sector-specific regulations including the State Bank of Pakistan's Cybersecurity Framework for Banks (2021) and the Securities and Exchange Commission of Pakistan's data governance requirements. IT service providers handling personal data of Pakistani citizens or regulated entities must implement appropriate technical and organisational safeguards consistent with these emerging standards and international norms such as ISO 27001 (Information Security Management).

An IT Services Agreement in Pakistan is required whenever a business, government body, or individual engages an information technology company or freelance IT professional to provide technology services of any significant scope or duration.

An IT Services Agreement is needed when a Pakistani company, multinational operating in Pakistan, or government ministry engages a software development firm to build a bespoke software application — a web platform, mobile application, ERP system, or enterprise software — for its operations, and the parties need to document scope, milestones, payment terms, and IP ownership.

An IT Services Agreement is required when a financial institution regulated by the State Bank of Pakistan (SBP) — a scheduled bank, microfinance bank, or payment service provider — outsources core banking system maintenance, cybersecurity monitoring, or data center management to a third-party IT vendor, triggering SBP's IT Outsourcing Regulations and Cybersecurity Framework compliance obligations.

An IT Services Agreement is needed when an IT company registered with the Pakistan Software Export Board (PSEB) provides software development, BPO (Business Process Outsourcing), or IT-enabled services to a foreign client, and the agreement must comply with State Bank of Pakistan foreign exchange regulations for repatriation of export earnings, as well as the Foreign Exchange Regulation Act 1947.

An IT Services Agreement is required when a freelance developer, IT consultant, or technology firm registered in Pakistan on the Federal Board of Revenue's (FBR) National Tax Number (NTN) system provides managed IT services, cloud hosting, or cybersecurity services to a domestic client on a recurring basis, and the parties need to define service levels, response times, escalation procedures, and liability caps.

An IT Services Agreement is needed when a startup incorporated with the Securities and Exchange Commission of Pakistan (SECP) under the Companies Act 2017 engages a technology partner for co-development of a technology product, and the parties must agree on intellectual property co-ownership, revenue sharing, confidentiality, and the circumstances in which either party may terminate the development relationship.

An IT Services Agreement is required when a government entity procuring IT services under the Public Procurement Regulatory Authority (PPRA) Rules 2004 awards a technology contract and must comply with PPRA transparency, competitive bidding, and contract documentation requirements.

A valid IT Services Agreement in Pakistan under the Prevention of Electronic Crimes Act 2016, the Electronic Transactions Ordinance 2002, and the Contract Act 1872 must contain the following essential elements to be legally effective and to protect both parties' interests.

Party Identification and Registration Details: The agreement must identify the service provider and the client by full legal name, SECP company registration number (for companies incorporated under the Companies Act 2017), NADRA CNIC number (for individuals), National Tax Number (NTN) registered with the Federal Board of Revenue, PSEB registration number (if the service provider is a registered IT company), and registered address. These identifiers establish the legal capacity of each party under the Contract Act 1872.

Scope of Services: The scope of IT services must be defined with precision — whether software development, cloud services, managed IT support, cybersecurity, network management, data centre services, or IT consulting. A Statement of Work (SOW) or Schedule A must detail deliverables, technical specifications, technologies to be used (programming languages, platforms, frameworks), and the project methodology (Agile, Waterfall, or hybrid). The scope must be specific enough to prevent disputes over what is included.

Service Level Agreement (SLA): The SLA must define the minimum performance standards — system uptime (typically 99.5% or 99.9% for critical systems), response times for incidents (Priority 1: critical within 1 hour; Priority 2: high within 4 hours; Priority 3: medium within 24 hours), resolution times, and the remedy for SLA breaches (service credits, termination rights). The SLA must be consistent with SBP's Cybersecurity Framework for financial sector clients.

Intellectual Property Ownership: The agreement must expressly allocate ownership of all intellectual property created under the contract. Two primary positions are possible: client-owns (full assignment of all code, documentation, and deliverables to the client upon payment under the Copyright Ordinance 1962); or provider-owns-with-licence (the provider retains IP and grants the client a licence to use the deliverables). Pre-existing IP (background IP) belonging to each party must be identified and excluded from the assignment. All IP provisions must comply with the Copyright Ordinance 1962 and be noted with IPO Pakistan if registration is desired.

Data Protection and Cybersecurity Obligations: The service provider must covenant to implement appropriate technical safeguards — encryption, access controls, audit logs, penetration testing — consistent with PECA 2016 obligations, the SBP Cybersecurity Framework (for financial sector clients), and international standards such as ISO 27001. Data processing obligations under the Personal Data Protection Bill framework must be addressed, including lawful basis for processing, data minimisation, retention limits, and breach notification procedures. The service provider must not access client data beyond what is necessary for service delivery (PECA 2016, Section 9).

Payment Terms: The fees, invoicing schedule, payment currency (Pakistani Rupees or foreign currency with SBP approval), and late payment consequences must be stated. For export contracts, payment must be received through approved banking channels under SBP's foreign exchange regulations. The Federal Board of Revenue's withholding tax obligations under the Income Tax Ordinance 2001 must be addressed — clients typically deduct withholding tax on IT service payments and issue a tax deduction certificate.

Confidentiality and Non-Disclosure: The agreement must include bilateral confidentiality obligations — both parties may receive the other's confidential information. The definition of confidential information, permitted disclosures, duration of the obligation, and exceptions (information in the public domain, required by law) must be specified. Where PECA 2016 data obligations apply, confidentiality provisions must be consistent with PECA's criminal liability for unauthorised data disclosure.

Liability and Indemnification: The agreement must specify liability caps — typically limited to the fees paid in the preceding 12 months for direct losses; consequential, indirect, and special damages are typically excluded by mutual agreement. Indemnification obligations for third-party IP infringement claims and data breach liability must be addressed. PECA 2016 criminal liability cannot be excluded by contract.

Termination Provisions: The agreement must specify grounds for termination — breach (with cure period), insolvency, change of control, convenience (with notice period), and SECP or SBP regulatory direction. Post-termination obligations — return or destruction of data, transition assistance, survival of confidentiality and IP clauses — must be clearly stated.

Dispute Resolution and Governing Law: Disputes should be referred first to senior management negotiation, then to arbitration under the Arbitration Act 1940 (as supplemented by the Arbitration (Protocol and Convention) Act 1937 for international disputes) or to the civil courts of the relevant district. The governing law must be the law of Pakistan. For cybercrime-related disputes, the Federal Investigation Agency (FIA) Cybercrime Wing has concurrent jurisdiction under PECA 2016.

Forms-legal.com provides this IT Services Agreement (Pakistan) template as a starting point for technology service relationships. Parties entering into significant or long-term IT contracts should obtain legal advice from an Advocate enrolled at a provincial Bar Council who specialises in technology and commercial law, and should confirm compliance with PSEB, SBP, SECP, and FBR requirements applicable to their specific transaction.