IT Services Agreement (Philippines)

An IT Services Agreement in the Philippines sets out the basis on which the supplier provides services to the client, defining deliverables, payment, intellectual property and liability.

The IT Services Agreement service agreements in the Philippines are governed by Civil Code Articles 1713 to 1729 on contracts for services, the Electronic Commerce Act (RA 8792, 2000) for services delivered digitally or via electronic means, and the Data Privacy Act (RA 10173, 2012) where the service provider processes personal data on behalf of the client. The National Privacy Commission (NPC) enforces the Data Privacy Act and requires a Data Processing Agreement (DPA) or equivalent provisions when a personal information processor handles personal data on behalf of a personal information controller.

The Department of Information and Communications Technology (DICT) and the Cybercrime Investigation and Coordinating Center (CICC) under the Cybercrime Prevention Act (RA 10175, 2012) have jurisdiction over information security incidents. IT service providers handling sensitive personal information under RA 10173 must register as Personal Information Controllers or Processors with the NPC and implement mandatory security measures under NPC Circular No. 16-01.

The IT-BPM (Business Process Management) sector, regulated by the Board of Investments (BOI) under the Omnibus Investments Code and the Philippine Economic Zone Authority (PEZA) for special economic zone locators, represents a significant portion of Philippine IT service providers. PEZA-registered IT service companies enjoy fiscal incentives under Republic Act No. 11534 (CREATE Act) for services rendered to foreign clients.

The legal framework governing the IT Services Agreement (Philippines) in Philippines draws on several key statutes and regulatory bodies. Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Parties executing a IT Services Agreement (Philippines) in Philippines should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Revised Corporation Code (RA 11232, 2019) sets the foundational requirements.

An IT Services Agreement in the Philippines is required whenever a business engages an external IT service provider to deliver ongoing technology support or managed services.

An IT Services Agreement is needed when a Philippine corporation, SME, or government agency engages an IT company to manage its network infrastructure, servers, and endpoints, because without a written agreement the scope of services, response times, and liability for system downtime are governed only by implied terms under Civil Code Article 1371, which rarely reflects the parties' actual intentions.

An IT Services Agreement is required when the service involves access to or processing of personal data — employee records, customer databases, financial data — because the Data Privacy Act (RA 10173, 2012) and NPC Circular No. 16-01 require a written contract between a personal information controller (the client) and a personal information processor (the IT provider) that mandates security measures, data retention limits, and breach notification procedures.

An IT Services Agreement is needed when engaging a cloud computing provider, because the agreement must address data residency (whether data is stored in Philippine-based servers), access controls, disaster recovery, and the provider's liability for data breaches under RA 10173 and the Cybercrime Prevention Act (RA 10175).

An IT Services Agreement is required for government agency IT engagements, because Republic Act No. 9184 (Government Procurement Reform Act) and its Implementing Rules and Regulations (IRR) require formal service contracts for IT procurement by national government agencies, local government units (LGUs), and government-owned or controlled corporations (GOCCs).

An IT Services Agreement is needed when service level agreements (SLAs) — defining uptime guarantees, response times, and penalty regimes — must be contractually enforceable, because verbal SLA commitments have no legal standing under Philippine contract law.

A complete IT Services Agreement in the Philippines must contain the following essential provisions.

Parties and Service Description: Full legal names, SEC or DTI registration numbers, and addresses. The service description must detail the specific IT services covered — helpdesk support, network monitoring, cybersecurity, cloud management, software maintenance — and expressly exclude services not within scope.

Service Level Agreement (SLA): Defined response times (e.g., critical issues: 1-hour response; major: 4 hours; minor: next business day), uptime guarantees for managed infrastructure (e.g., 99.9% monthly uptime), escalation procedures, and service credits or penalties for SLA failures. SLA provisions must be precise enough to be contractually enforceable under Civil Code Article 1159.

Fees and Payment Terms: Monthly service fees, rates for out-of-scope work, payment schedule, and late payment interest. BIR withholding tax obligations under Revenue Regulation No. 11-2018 at 2% for IT services must be acknowledged.

Data Privacy and Security: Compliance with the Data Privacy Act (RA 10173, 2012), including data processing limitations, security measures required by NPC Circular No. 16-01 (organizational, physical, and technical security measures), breach notification timeline (NPC requires notification within 72 hours of discovery of a personal data breach under NPC Circular No. 16-03), and data retention and deletion policies.

Confidentiality and NDA: The IT provider's obligation to maintain client data and system information in confidence, with specific reference to trade secrets protected under the Intellectual Property Code (RA 8293) and Civil Code provisions on breach of confidence.

Intellectual Property: Ownership of custom software, configurations, scripts, or tools developed during the engagement. Under Intellectual Property Code (RA 8293) Section 178.3, works created by an employee in the course of employment belong to the employer; custom work created by the IT provider for the client should be expressly assigned.

Liability Cap: A limitation of liability clause capping the IT provider's liability to the total fees paid in a defined preceding period. Philippine courts may scrutinize limitation clauses under Civil Code Article 1306 but generally uphold reasonable caps in commercial contracts.

Term, Renewal, and Termination: Initial term, automatic renewal provisions, notice period for termination without cause, and provisions addressing transition assistance to a successor provider upon termination.

Additional compliance elements for a IT Services Agreement (Philippines) used in Philippines include: Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Forms-legal.com provides this template as a starting point for Philippines-compliant documentation.