MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM 1. SCOPE AND PURPOSE This Service Level Addendum (SLA) describes the levels of service that a customer using the software applications of the Teradata Integrated Marketing Cloud will receive from Teradata. This SLA will provide a degree of certainty to customers as to the qualitative aspects of the services they can expect to receive. This SLA should be read alongside the Agreement between the customer and Teradata. It forms an important part of the Agreement between the customer and Teradata and aims to enable the two parties to work together efficiently. The following services are covered by this SLA: • General Service Standard (Page 1) • Support and Maintenance (Page 2) • Availability Cloud Software (Page 5) • Information Security (Page 6) Teradata will provide the services in accordance with the provisions of this SLA in such a manner that the achieved service levels are equal or higher than the service levels defined in this SLA. 2. DEFINITIONS 2.1 “Business Day” means a working day other than Saturday, Sunday or public holiday at Teradata’s registered address. 2.2 “Cloud Software” means both SaaS and Hosted Software and excludes On-Premise Software. 2.3 “Demarcation Point” means the point at which the public Internet connects to the Software’s border router. 2.4 “Force Majeure” means acts of God or government, civil commotion, military authority, Marketing Applications Service Level Addendum (Version 1.0, English) Page 1 war, riots, terrorism, strikes, fire, or other causes beyond the parties’ reasonable control. 2.5 “Hosted Software” means a separate single-tenant instance of the Software, hosted and operated by Teradata and accessed by Customer remotely via a standard web browser. 2.6 “On-Premise Software” means Software installed and operated on Customer’s premises/in Customer’s data center and not hosted and operated by Teradata. 2.7 “SaaS” means “Software as a Service” and refers to a centralized instance of the Software serving multiple Customers, hosted and operated by Teradata and accessed by Customer remotely via a standard web browser. 2.8 “Software” in the context of this SLA means any Teradata standard software, excluding Deliverables, modifications and customizations, licensed to Customer under an Agreement that references this SLA. 2.9 “Teradata” shall be the Teradata entity that concluded the Agreement with the Customer. 3. GENERAL SERVICE STANDARD Teradata will provide the Services with reasonable skill and care and in accordance with the best practice prevailing in the industry from time to time. In the provision of the Services, Teradata uses personnel who possess a degree of skill and experience which is appropriate to the tasks to which they are allotted and the performance and Service Levels which they are required to achieve and who shall perform those tasks in a workmanlike and professional manner. MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM 4. SUPPORT AND MAINTENANCE 4.1 Support and Maintenance covers assistance and consultation to assist Customer in resolving problems with the use of the Software, including the verification, diagnosis and correction of material errors and defects in the Software and the provision of bug fixes, corrections, modifications, enhancements, upgrades and new releases to the Software to ensure the functionality of the Software. 4.2 Support and Maintenance and warranties do not cover any problem with or damage to the Software to the extent caused by (i) negligence, abuse, misuse, improper handling, improper use, improper storage or modifications by anyone other than Teradata or its contractors; (ii) failure to operate the Software in accordance with its documentation and/or with Teradata’s specifications or limitations; (iii) modifications to the Software that have not been approved or provided by Teradata; (iv) acts of third parties; (v) third party products not under a maintenance agreement with Teradata and (vi) Force Majeure. 4.3 Teradata shall have no Maintenance and Support obligations with respect to any hardware or software product other than the Software (“Nonqualified Products”). If Teradata provides Maintenance and Support for a problem caused by a Nonqualified Product, or if Teradata’s service efforts are increased as a result of a Nonqualified Product, Teradata may charge time and materials for such extra services at its then current rates. If, in Teradata’s reasonable opinion, performance of Maintenance and Support is or will be made more difficult or impaired because of Nonqualified Products, Teradata shall so notify Customer, and Customer shall immediately remove the Nonqualified Product at its own risk and expense. Customer shall remain solely responsible for the compatibility and functioning of Nonqualified Products with the Software. 4.4 When Customer requests Support and Maintenance, it must assign a priority for each incident/request based on the criteria set out below and give Teradata immediate unrestricted access to the affected Product. Teradata will assign a priority if Customer fails to do so. A single contact event for Support and Maintenance may be made up of multiple incidents/requests. A priority level will be assigned for each incident/request reported. 4.5 Teradata shall provide Support and Maintenance during the Hours of Operation and with the Response Times as defined below. Response Times are measured by the interval between Customer’s initial contact with Teradata and the first contact (via electronic message or phone call) with a Teradata representative. Response Time intervals are measured during Hours of Operation only. Priority Rating Hours of Operation Response Time PRIORITY 1 (CRITICAL) A Priority 1 incident is a problem that prohibits use of the Software or renders the Software inoperable, it is a catastrophic issue in the Software which severely impacts the Customer’s production systems, as they are inaccessible or there is a system wide performance degradation making the Customer’s production systems unusable. PRIORITY 2 (SIGNIFICANT) A Priority 2 incident is a problem that causes a significant impact to the business; however, operations can continue in a degraded fashion. It is a production issue in the Software where the Customer’s systems are functioning but in a severely reduced capacity due to defect or performance. The issue is causing significant impact to portions of the customer’s normal business operations and productivity. Either a workaround is not available or the one that is available is not a reasonable resolution. PRIORITY 3 (MINOR) A Priority 3 incident is an issue that negligibly impacts the customer’s ability to do business, it is an issue in the Software where the customer is experiencing functional or usability restrictions that are either not critical to the business or possess a reasonable workaround, the customer has an issue with documentation or a question associated with product usage or any other inquiry. 24h, 7 days a week 2 hours Marketing Applications Service Level Addendum (Version 1.0, English) Page 2 DMC: Mo. – Fr. 9am - 6pm (on Business Days) Mo. – Fr. 9am - 6pm (on Business Days) Next Business Day Mo. – Fr. 9am - 6pm (on Business Days) Next Business Day MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM 4.6 The times indicated above correspond to EST for Americas Customers, to AEST for APJ customers, and to CET for EMEA customers. time (Monday to Friday 9am to 6pm). Scheduled Maintenance shall be limited to maximum 8 hours per calendar month. 4.7 In case the parties agree on geographical restrictions on data access and data processing, this impacts the Hours of Operation. Teradata cannot leverage its global pool of experts for geographically restricted customer systems and therefore will only be able to provide Support and Maintenance Monday to Friday 9am to 6pm instead of 24 hours, 7 days a week. 4.12 For On-Premise Software and Hosted Software, Teradata will provide Support and Maintenance for Major and Minor Releases of the Software for no less than thirty six (36) months from General Customer Availability; where “General Customer Availability” (“GCA”) shall mean the first date that a Software Release is available to all users, regardless of language or media; and a “Software Release” shall mean the combined Major and Minor Releases such that each of the following versions are separate Software Releases: “X.Y” (e.g. 3.0, 3.1; 8.5, 8.6…). Software Releases will be proactively provided for no less than twenty four (24) months from GCA of its associated Minor Release. 4.8 Teradata will always endeavor to resolve problems as swiftly as possible. However, it is not possible to provide guaranteed resolution times. This is because the nature and causes of problems can vary enormously. Teradata will make its best efforts to resolve problems as quickly as possible and frequent progress reports will be provided to the customer. 4.9 Customer must allow Teradata to access the Software remotely to enable Support and Maintenance and other remote services. In connection with providing the Support and Maintenance described herein, Customer agrees to perform any tests or procedures recommended by Teradata for the purpose of identifying and/or resolving any problems and at all times follow routine operator procedures as specified in the Documentation. 4.10 Customer shall establish internal support coordinator(s) to whom all users shall be instructed to direct all questions and problems regarding use, operation and maintenance of the Software. Customer agrees that its support coordinator(s) shall be fully familiar with and trained in the use of the Software and Customer agrees that only its support coordinator(s) shall be entitled to contact Teradata for Support and Maintenance. 4.11 For Cloud Software Teradata shall establish scheduled maintenance windows (“Scheduled Maintenance”) to conduct routine maintenance during which time the Software may not be available. Teradata shall notify Customer of any Scheduled Maintenance reasonably (minimum 24 hours) in advance by email and/or via the Teradata At Your Service portal. Teradata shall use commercially reasonable efforts to perform Scheduled Maintenance outside the core business Marketing Applications Service Level Addendum (Version 1.0) Page 3 - Teradata Confidential The term “Release” as used in the definitions below does not include (i) any new or supplemental software product, component, or content released by and licensed separately by Teradata (except when such new or supplemental software is a replacement to the Software) or (ii) any software, component, or content that is designed for use on operating systems other than the operating system for which the Software is intended. Teradata typically identifies Software Releases using the format “X.Y.Z.n” where (i) “X” equals a “Major Release” which shall be defined as the publication of new software product or a new release for general customer distribution of an existing software product that contains substantial new features, major enhancements, possible operational changes and applicable corrections from previous maintenance release; (ii) “Y” equals a “Minor Release” which shall be defined as a change to then-currently-distributed Major Release that contains minor feature improvements or enhancements and may contain applicable corrections from previous release; (iii) “Z” equals a “Maintenance Release” which shall be defined as a change to the then-currently-distributed Major and Minor Releases that contains applicable corrections for reported software problems; and (iv) “n” equals a critical patch level release that contains expedited corrections for reported software problems. MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM CONTACT INFORMATION AND LANGUAGES FOR INCIDENT REPORTS Teradata At Your Service Customer Portal: http://tays.teradata.com Teradata Customer Services global email: ApplicationsTechnicalSupport@teradata.com AMERICAS Languages: English 24x7 (for priority 1 incidents) Primary Telephone Number: 877-MyT-Data (698-3282) Local Telephone Numbers: Mexico 001-888-239-0699, Argentina 0800-333-0275, Venezuela 0800-100-8816, Nicaragua 888-249-6264, Colombia 01800-912-0548, Chile 800-646-546, El Salvador 800-6200, Peru 0800-53795, Nicaragua 1800-220-2131, Ecuador Andinatel, Pacifictel, Pacifictel Spanish: 8772483150 + Country 593 City Guayaquil 4, Loja 7, Quito 2 ASIA, PACIFIC, JAPAN (APJ) Languages: English 24x7 (for priority 1 incidents) Mandarin 9x5 Primary Telephone Number: 1800-448-226 Local Telephone Numbers: Australia 1800-448226, New Zealand 0800-445300, Japan 01209-84480, China 400881-1275, Taiwan 0800-666727, Malaysia 377-237177, South Korea 080-457-0880, Philippines 1-800-441-3391, Indonesia 001-803-442424, Thailand 1-800-441-3391, India 000-800-440-205, Hong Kong 307-13718 EUROPE, MIDDLE EAST AND AFRICA (EMEA) Languages: English 24x7 (for priority 1 incidents) French, German 9x5 Primary Telephone Number: 0800-013-5689 Local Telephone Numbers: UK 0800-013-5689, Norway 800-10761, Denmark 384-87678, Sweden 0851-761-603, Finland 0972-519-224, Estonia 800-0044-358, Czech Republic 239-014184, Hungary 777-4708, 061-777-4739 outside Budapest, Poland 00-800-442-1123, Russia 81-08002299-1044, Bulgaria 800-118-4483, Spain 912-757-137, Egypt 0800-000-0043, Pakistan 800-9004-4167, Turkey 800-4488-26575, Austria 0800-297281, France 805540655, Germany 0800-5893105, Switzerland 0800-561703, Netherlands 08004000009, Italy 800-917955, Belgium 800-81193, Ireland 1800-806281, Ukraine 888249-6264 (2 stage dialing call AT&T Direct® Code 0^00-11 country code 380 city code Lvov 32, Kiev 44, Kharkiv 57) Marketing Applications Service Level Addendum (Version 1.0, English) Page 4 MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM 5. AVAILABILITY CLOUD SOFTWARE 5.1 Teradata will use commercially reasonable efforts to make Cloud Software available 24 hours a day, 7 days a week. Teradata shall provide at least the following Minimum Uptime Availability for its Cloud Software during any calendar month: 99 % Minimum Uptime Availability Uptime Availability means that the connection between the servers on which the Cloud Software is hosted and Teradata's side of the Demarcation Point is uninterrupted and Customer is able to log in and access the cloud Software. The Minimum Uptime Availability does not refer to test and development servers. 5.2 Teradata measures the Uptime Availability of an availability test page within the Cloud Software at frequent intervals. The Uptime Availability percentage of the respective calendar month is calculated by dividing the number of successful availability measurements (test page available) by the total number of availability measurements of the respective calendar month, excluding Exclusion Times (as defined below). Uptime Availability measurement shall be carried out by Teradata and Teradata’s measurement shall be relied upon by the parties and Teradata shall keep and shall send to the Customer, upon request, full records of its Uptime Availability measurement activities. Exclusion Times are times during which the Cloud Software is unavailable due to (i) Scheduled Maintenance; (ii) Customer-caused or third partycaused outages or disruptions (except to the extent that such outages or disruptions are caused by third parties sub-contracted by Teradata to perform Marketing Applications Service Level Addendum (Version 1.0, English) Page 5 Teradata’s contractual services) and/or (iii) outages or disruptions attributable in whole or in part to Force Majeure. 5.3 If the actual Uptime Availability percentage falls below the Minimum Uptime Availability in a given calendar month (Service Delivery Failure), Customer is entitled to a Service Credit. The Service Credit amounts to 1 % of the software license fees for the Cloud Software owed by the Customer for the affected calendar month for each 0,1 % by which the Uptime Availability percentage falls below the Minimum Uptime availability. The Service Credit shall be limited to 25 % of the applicable fees of the affected calendar month. Service Credits shall be set off against subsequent invoices only, shall not be refunded to the Customer and shall lapse upon termination of the Agreement. A Service Credit shall not be credited unless the Customer requests it within two months of the end of the affected calendar month. 5.4 The Customer acknowledges and agrees that the terms of this SLA relating to Service Credits in case of a Service Delivery Failure constitute a genuine pre-estimate of the loss or damage that the Customer would suffer as a result of the Service Delivery Failure, shall be Customer’s exclusive remedy with respect to the Service Delivery Failure and are not intended to operate as a penalty for the Service Delivery Failure. MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM are defined. 6. INFORMATION SECURITY The following technical and organization measures shall be applied to Teradata’s Cloud Software. f) The building or property is monitored outside of business hours. The monitored are is defined Motion detectors are implemented. Ingress and egress points are subject to video or camera surveillance. Alarm systems connected to response authorities are implemented. 6.1 Physical Access Control a) Security perimeter Security perimeters are defined and used to protect areas that contain sensitive or critical information. b) Physical entry controls g) All possible entry points have been secured against unauthorized entry. Binding access authorization procedures have been implemented. A physical access control system was set up. c) Determination of persons with physical access authorization Roles or group concept exists. Role or group assignments are documented. Responsibilities for role and group concepts are assigned. d) Management of physical access authorizations Rules on authorizations for accessing business zone are defined. The issuing of credentials is documented. e) the Procedures for the loss credentials are defined. Management of visitors and external personnel Policies are implemented. Visitors are monitored. Rules for cleaning and maintenance personnel Marketing Applications Service Level Addendum (Version 1.0, English) Page 6 Monitoring rooms after business hours Logging For electronic access control equipment in use, physical access logs are stored in a tamperproof manner for 12 months. Regular sampling is carried out to detect improper use. 6.2 Access Control a) Authentication Access to all data processing systems is protected by user authentication. Password conventions are defined including requirements for password length (at least 8 characters) and complexity (upper-/lower-case letters, number/character mix, etc). Trivial passwords not allowed. The password must be changed at the end of a certain period. Where strong identity assurance is required for maximum level of protection, two-factor authentication is implemented. The authentication credentials are always encrypted when transmitted over the network. MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM b) De-activation and re-setting of blocked access b) Access is blocked on failed attempts. A secure method exists for resetting the blocked access (e.g. by assigning a new user ID).User access is blocked after long periods of inactivity. c) Each authorized person can access only the data that he specifically needs to process the current transaction according to the order and which is configured in his individual profile. To the extent that data of multiple customers is stored in the same database or is processed with the same data processing system, logical access restrictions must be provided which are aimed exclusively at processing the data for the customer concerned (multi-tenancy). Unique features are incorporated into the data processing systems which enable the accessing person to determine that the data processing system is authentic. The scope of the authorizations must be limited to the minimum need to perform the authorized person’s duties and functions. Banning storage of passwords Access passwords and/or form input are not stored on the client itself or in its vicinity. Users have been instructed on these requirements. d) Authorization and access management A role concept is in place. Access rights are assigned on an individual basis. The number of authorized persons was kept to the minimum needed for operation. Privileges are checked regularly for necessity. There are no reusable access accounts. A process for requesting, approving, issuing, and accepting the return of credentials and access authorizations has been be set up and described and is being used. Responsibilities for assigning access authorizations have been assigned. A deputy arrangement is in place. e) c) Logging User workstation If the workstation or terminal is inactive, a password-protected screensaver must be activated automatically using mechanisms specific to the operating system. Workstations and terminals are protected against unauthorized use when users temporarily leave the workplace. Users are trained to apply this measure. Data access management A process for requesting, approving, assigning and revoking and checking data access privileges is implemented. Data access privileges are linked to a personal user ID and an account. If the basis for an authorization no longer exists (e.g. job change), this access privileges will be immediately revoked. Data access management processes are documented and the documentation will be retained for 12 months. Suitable steps have been taken to prevent different roles or access rights from being concentrated in one person and thereby, in combination, giving that person an excessively powerful overall role. All successful and failed access attempts are logged and securely retained for at least 6 months. To detect improper use, regular access log reviews are carried out. f) Implementing access restrictions d) Logging All read, input, modification and deletion transactions are logged and securely retained for at least 6 months. To detect improper use, regular access log reviews are carried out. 6.4 Data Transmission Control 6.3 Data Access Control a) Authorization concept Rules and procedures exist for creating, changing and deleting authorization profiles and user roles. Responsibilities are regulated. Marketing Applications Service Level Addendum (Version 1.0, English) Page 7 a) Legal requirements To ensure the legality of data transmission to other countries, written approval of the customer will be obtained (if applicable). MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM b) Transport over networks Data is transmitted between clients and servers in encrypted form. Connections to back end systems are protected. The connections between the back end systems are protected. Data requiring a high level of protection is encrypted. Data that leaves the protected zone (such as the one in a computer center) is encrypted. Data having a high level of protection is generally encrypted when being transmitted to external systems. c) Logical system access Networks are segmented. DMZ design is applied. A network plan is in place. Network / hardware firewalls are implemented. Endpoint firewalls are implemented. Firewalls are always active and cannot be deactivated by users. All systems and applications apply latest patch versions. Unnecessary hardware interfaces and services are deactivated. Default service accounts are deactivated. Up-to-date anti-malware systems are applied. Information security incident response procedures are implemented. d) a) Information disposal Data media and documents are destroyed in compliance with data protection rules. Marketing Applications Service Level Addendum (Version 1.0, English) Page 8 Input logging Input in the data processing system is logged. The logs are retained for a period of 12 months. 6.6 Order Control a) Rules and limitations Service specifications specify the allowed work. Controls on the part of the customer have been agreed on. The customer will establish a process for checking the electronic and paper-based orders. The incidents that must be reported have been specified. b) Documentation A documentation method is in place which ensures that the individual steps required in executing the order can be fully tracked. 6.7 Availability Control a) Storage and retention Data is backed up in encrypted form. Temporary storage areas are configured so that their contents are automatically deleted immediately after exiting or when the application or operating system starts up at the latest. Procedures for the use of data media are implemented. The creation of copies is documented. This documentation is retained for 12 months. f) 6.5 Input Control System interfaces All system interfaces are documented. Machine-to-machine interfaces implement mutual authentication and ensure that each machine has individual credentials. e) Data media are erased in compliance with data protection rules before being used by other users. Hardware components or documents are destroyed in such a way that they cannot be recovered or only with extreme difficulty. The complete and permanent erasure of data and data media containing personal data in compliance with data protection rules is logged. The logs must be retained securely for at least 24 months. Backup concept A backup concept is defined. Regular backups are carried out. Backup responsibilities have been assigned. Regular backup recovery checks are performed. b) Disaster recovery A disaster recovery plan is in place with procedures for notifying relevant stakeholders including the customer in case of an incident. Backups are retained at offsite secure facilities. Uninterruptible power supply units and surge protection devices are inspected regularly and monitored continuously. MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM Employees are obliged to maintain the confidentiality of business and trade secrets. Other special confidentiality obligations are applied if necessary. Employees are required to handle data and data media properly and carefully. Trainings are repeated regularly. Trainings and participations are documented. Rules for providing access to data processing systems to external personnel are defined including applicable obligations to data secrecy and the requirement to receive training prior to be allowed to use the data processing systems. 6.8 Intended Use Control a) Data minimization Only the minimum amount of data that is needed to directly serve the actual purpose and perform the contract work or carry out the process is collected, stored or processed. b) Data separation Technical and organizational measures exist to ensure that data and/or data media used for different contractual purposes are processed and/or stored separately. 6.9 Organizational Control a) Policies and standards Appropriate policies, standards and operating procedures are defined and documented. Implementation and compliance with policies and standards are monitored. b) Training and obligations Employees are trained on the principles of data protection. Marketing Applications Service Level Addendum (Version 1.0, English) Page 9 c) Separation of duties Operating and administrative functions are separated. d) Deputy arrangements Deputy arrangements are in place for all functions that are necessary for operation.
© Copyright 2024