Marketing Applications Service Level Addendum

MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
1. SCOPE AND PURPOSE
This Service Level Addendum (SLA) describes the
levels of service that a customer using the software
applications of the Teradata Integrated Marketing
Cloud will receive from Teradata. This SLA will
provide a degree of certainty to customers as to
the qualitative aspects of the services they can
expect to receive. This SLA should be read
alongside the Agreement between the customer
and Teradata. It forms an important part of the
Agreement between the customer and Teradata
and aims to enable the two parties to work
together efficiently.
The following services are covered by this SLA:
•
General Service Standard (Page 1)
•
Support and Maintenance (Page 2)
•
Availability Cloud Software (Page 5)
•
Information Security (Page 6)
Teradata will provide the services in accordance
with the provisions of this SLA in such a manner that
the achieved service levels are equal or higher
than the service levels defined in this SLA.
2. DEFINITIONS
2.1 “Business Day” means a working day other than
Saturday, Sunday or public holiday at Teradata’s
registered address.
2.2 “Cloud Software” means both SaaS and Hosted
Software and excludes On-Premise Software.
2.3 “Demarcation Point” means the point at which the
public Internet connects to the Software’s border
router.
2.4 “Force Majeure” means acts of God or
government, civil commotion, military authority,
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 1
war, riots, terrorism, strikes, fire, or other causes
beyond the parties’ reasonable control.
2.5 “Hosted Software” means a separate single-tenant
instance of the Software, hosted and operated by
Teradata and accessed by Customer remotely via
a standard web browser.
2.6 “On-Premise Software” means Software installed
and
operated
on
Customer’s
premises/in
Customer’s data center and not hosted and
operated by Teradata.
2.7 “SaaS” means “Software as a Service” and refers to
a centralized instance of the Software serving
multiple Customers, hosted and operated by
Teradata and accessed by Customer remotely via
a standard web browser.
2.8 “Software” in the context of this SLA means any
Teradata
standard
software,
excluding
Deliverables, modifications and customizations,
licensed to Customer under an Agreement that
references this SLA.
2.9 “Teradata” shall be the Teradata entity that
concluded the Agreement with the Customer.
3. GENERAL SERVICE STANDARD
Teradata will provide the Services with reasonable
skill and care and in accordance with the best
practice prevailing in the industry from time to time.
In the provision of the Services, Teradata uses
personnel who possess a degree of skill and
experience which is appropriate to the tasks to
which they are allotted and the performance and
Service Levels which they are required to achieve
and who shall perform those tasks in a workmanlike
and professional manner.
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
4. SUPPORT AND MAINTENANCE
4.1 Support and Maintenance covers assistance and
consultation to assist Customer in resolving
problems with the use of the Software, including
the verification, diagnosis and correction of
material errors and defects in the Software and the
provision of bug fixes, corrections, modifications,
enhancements, upgrades and new releases to the
Software to ensure the functionality of the
Software.
4.2 Support and Maintenance and warranties do not
cover any problem with or damage to the
Software to the extent caused by (i) negligence,
abuse, misuse, improper handling, improper use,
improper storage or modifications by anyone other
than Teradata or its contractors; (ii) failure to
operate the Software in accordance with its
documentation
and/or
with
Teradata’s
specifications or limitations; (iii) modifications to the
Software that have not been approved or
provided by Teradata; (iv) acts of third parties; (v)
third party products not under a maintenance
agreement with Teradata and (vi) Force Majeure.
4.3 Teradata shall have no Maintenance and Support
obligations with respect to any hardware or
software product other than the Software
(“Nonqualified Products”). If Teradata provides
Maintenance and Support for a problem caused
by a Nonqualified Product, or if Teradata’s service
efforts are increased as a result of a Nonqualified
Product, Teradata may charge time and materials
for such extra services at its then current rates. If, in
Teradata’s reasonable opinion, performance of
Maintenance and Support is or will be made more
difficult or impaired because of Nonqualified
Products, Teradata shall so notify Customer, and
Customer
shall
immediately
remove
the
Nonqualified Product at its own risk and expense.
Customer shall remain solely responsible for the
compatibility and functioning of Nonqualified
Products with the Software.
4.4 When
Customer
requests
Support
and
Maintenance, it must assign a priority for each
incident/request based on the criteria set out
below and give Teradata immediate unrestricted
access to the affected Product. Teradata will
assign a priority if Customer fails to do so. A single
contact event for Support and Maintenance may
be made up of multiple incidents/requests.
A priority level will be assigned for each
incident/request reported.
4.5 Teradata shall provide Support and Maintenance
during the Hours of Operation and with the
Response Times as defined below. Response Times
are measured by the interval between Customer’s
initial contact with Teradata and the first contact
(via electronic message or phone call) with a
Teradata representative. Response Time intervals
are measured during Hours of Operation only.
Priority Rating
Hours of Operation
Response Time
PRIORITY 1 (CRITICAL)
A Priority 1 incident is a problem that prohibits use of the Software
or renders the Software inoperable, it is a catastrophic issue in the
Software which severely impacts the Customer’s production
systems, as they are inaccessible or there is a system wide
performance degradation making the Customer’s production
systems unusable.
PRIORITY 2 (SIGNIFICANT)
A Priority 2 incident is a problem that causes a significant impact to
the business; however, operations can continue in a degraded
fashion. It is a production issue in the Software where the
Customer’s systems are functioning but in a severely reduced
capacity due to defect or performance. The issue is causing
significant impact to portions of the customer’s normal business
operations and productivity. Either a workaround is not available or
the one that is available is not a reasonable resolution.
PRIORITY 3 (MINOR)
A Priority 3 incident is an issue that negligibly impacts the
customer’s ability to do business, it is an issue in the Software where
the customer is experiencing functional or usability restrictions that
are either not critical to the business or possess a reasonable
workaround, the customer has an issue with documentation or a
question associated with product usage or any other inquiry.
24h, 7 days a week
2 hours
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 2
DMC:
Mo. – Fr. 9am - 6pm
(on Business Days)
Mo. – Fr. 9am - 6pm
(on Business Days)
Next Business Day
Mo. – Fr. 9am - 6pm
(on Business Days)
Next Business Day
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
4.6 The times indicated above correspond to EST for
Americas Customers, to AEST for APJ customers,
and to CET for EMEA customers.
time (Monday to Friday 9am to 6pm). Scheduled
Maintenance shall be limited to maximum 8 hours
per calendar month.
4.7 In case the parties agree on geographical
restrictions on data access and data processing,
this impacts the Hours of Operation. Teradata
cannot leverage its global pool of experts for
geographically restricted customer systems and
therefore will only be able to provide Support and
Maintenance Monday to Friday 9am to 6pm
instead of 24 hours, 7 days a week.
4.12 For On-Premise Software and Hosted Software,
Teradata will provide Support and Maintenance for
Major and Minor Releases of the Software for no
less than thirty six (36) months from General
Customer Availability; where “General Customer
Availability” (“GCA”) shall mean the first date that
a Software Release is available to all users,
regardless of language or media; and a “Software
Release” shall mean the combined Major and
Minor Releases such that each of the following
versions are separate Software Releases: “X.Y” (e.g.
3.0, 3.1; 8.5, 8.6…). Software Releases will be
proactively provided for no less than twenty four
(24) months from GCA of its associated Minor
Release.
4.8 Teradata will always endeavor to resolve problems
as swiftly as possible. However, it is not possible to
provide guaranteed resolution times. This is
because the nature and causes of problems can
vary enormously. Teradata will make its best efforts
to resolve problems as quickly as possible and
frequent progress reports will be provided to the
customer.
4.9 Customer must allow Teradata to access the
Software remotely to enable Support and
Maintenance and other remote services. In
connection with providing the Support and
Maintenance described herein, Customer agrees to
perform any tests or procedures recommended by
Teradata for the purpose of identifying and/or
resolving any problems and at all times follow
routine operator procedures as specified in the
Documentation.
4.10 Customer
shall
establish
internal
support
coordinator(s) to whom all users shall be instructed
to direct all questions and problems regarding use,
operation and maintenance of the Software.
Customer agrees that its support coordinator(s)
shall be fully familiar with and trained in the use of
the Software and Customer agrees that only its
support coordinator(s) shall be entitled to contact
Teradata for Support and Maintenance.
4.11 For Cloud Software Teradata shall establish
scheduled maintenance windows (“Scheduled
Maintenance”) to conduct routine maintenance
during which time the Software may not be
available. Teradata shall notify Customer of any
Scheduled Maintenance reasonably (minimum 24
hours) in advance by email and/or via the
Teradata At Your Service portal. Teradata shall use
commercially reasonable efforts to perform
Scheduled Maintenance outside the core business
Marketing Applications Service Level Addendum (Version 1.0)
Page 3 - Teradata Confidential
The term “Release” as used in the definitions below
does not include (i) any new or supplemental
software product, component, or content released
by and licensed separately by Teradata (except
when such new or supplemental software is a
replacement to the Software) or (ii) any software,
component, or content that is designed for use on
operating systems other than the operating system
for which the Software is intended.
Teradata typically identifies Software Releases
using the format “X.Y.Z.n” where (i) “X” equals a
“Major Release” which shall be defined as the
publication of new software product or a new
release for general customer distribution of an
existing software product that contains substantial
new features, major enhancements, possible
operational changes and applicable corrections
from previous maintenance release; (ii) “Y” equals
a “Minor Release” which shall be defined as a
change to then-currently-distributed Major Release
that contains minor feature improvements or
enhancements and may contain applicable
corrections from previous release; (iii) “Z” equals a
“Maintenance Release” which shall be defined as
a change to the then-currently-distributed Major
and Minor Releases that contains applicable
corrections for reported software problems; and (iv)
“n” equals a critical patch level release that
contains expedited corrections for reported
software problems.
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
CONTACT INFORMATION AND LANGUAGES FOR INCIDENT REPORTS
Teradata At Your Service Customer Portal:
http://tays.teradata.com
Teradata Customer Services global email:
ApplicationsTechnicalSupport@teradata.com
AMERICAS
Languages:
English 24x7 (for priority 1 incidents)
Primary Telephone Number:
877-MyT-Data (698-3282)
Local Telephone Numbers:
Mexico 001-888-239-0699, Argentina 0800-333-0275, Venezuela 0800-100-8816,
Nicaragua 888-249-6264, Colombia 01800-912-0548, Chile 800-646-546, El Salvador
800-6200, Peru 0800-53795, Nicaragua 1800-220-2131, Ecuador Andinatel,
Pacifictel, Pacifictel Spanish: 8772483150 + Country 593 City Guayaquil 4, Loja 7,
Quito 2
ASIA, PACIFIC, JAPAN (APJ)
Languages:
English 24x7 (for priority 1 incidents)
Mandarin 9x5
Primary Telephone Number:
1800-448-226
Local Telephone Numbers:
Australia 1800-448226, New Zealand 0800-445300, Japan 01209-84480, China 400881-1275, Taiwan 0800-666727, Malaysia 377-237177, South Korea 080-457-0880,
Philippines 1-800-441-3391, Indonesia 001-803-442424, Thailand 1-800-441-3391,
India 000-800-440-205, Hong Kong 307-13718
EUROPE, MIDDLE EAST AND AFRICA (EMEA)
Languages:
English 24x7 (for priority 1 incidents)
French, German 9x5
Primary Telephone Number:
0800-013-5689
Local Telephone Numbers:
UK 0800-013-5689, Norway 800-10761, Denmark 384-87678, Sweden 0851-761-603,
Finland 0972-519-224, Estonia 800-0044-358, Czech Republic 239-014184, Hungary
777-4708, 061-777-4739 outside Budapest, Poland 00-800-442-1123, Russia 81-08002299-1044, Bulgaria 800-118-4483, Spain 912-757-137, Egypt 0800-000-0043,
Pakistan 800-9004-4167, Turkey 800-4488-26575, Austria 0800-297281, France 805540655, Germany 0800-5893105, Switzerland 0800-561703, Netherlands 08004000009, Italy 800-917955, Belgium 800-81193, Ireland 1800-806281, Ukraine 888249-6264 (2 stage dialing call AT&T Direct® Code 0^00-11 country code 380 city
code Lvov 32, Kiev 44, Kharkiv 57)
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 4
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
5. AVAILABILITY CLOUD SOFTWARE
5.1 Teradata will use commercially reasonable efforts
to make Cloud Software available 24 hours a day,
7 days a week. Teradata shall provide at least the
following Minimum Uptime Availability for its Cloud
Software during any calendar month:
99 % Minimum Uptime Availability
Uptime Availability means that the connection
between the servers on which the Cloud Software is
hosted and Teradata's side of the Demarcation
Point is uninterrupted and Customer is able to log in
and access the cloud Software. The Minimum
Uptime Availability does not refer to test and
development servers.
5.2 Teradata measures the Uptime Availability of an
availability test page within the Cloud Software at
frequent
intervals.
The
Uptime
Availability
percentage of the respective calendar month is
calculated by dividing the number of successful
availability measurements (test page available) by
the total number of availability measurements of
the respective calendar month, excluding Exclusion
Times (as defined below). Uptime Availability
measurement shall be carried out by Teradata and
Teradata’s measurement shall be relied upon by
the parties and Teradata shall keep and shall send
to the Customer, upon request, full records of its
Uptime Availability measurement activities.
Exclusion Times are times during which the Cloud
Software is unavailable due to (i) Scheduled
Maintenance; (ii) Customer-caused or third partycaused outages or disruptions (except to the extent
that such outages or disruptions are caused by third
parties sub-contracted by Teradata to perform
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 5
Teradata’s contractual services) and/or (iii) outages
or disruptions attributable in whole or in part to
Force Majeure.
5.3 If the actual Uptime Availability percentage falls
below the Minimum Uptime Availability in a given
calendar month (Service Delivery Failure),
Customer is entitled to a Service Credit. The
Service Credit amounts to 1 % of the software
license fees for the Cloud Software owed by the
Customer for the affected calendar month for
each 0,1 % by which the Uptime Availability
percentage falls below the Minimum Uptime
availability. The Service Credit shall be limited to
25 % of the applicable fees of the affected
calendar month. Service Credits shall be set off
against subsequent invoices only, shall not be
refunded to the Customer and shall lapse upon
termination of the Agreement. A Service Credit
shall not be credited unless the Customer requests
it within two months of the end of the affected
calendar month.
5.4 The Customer acknowledges and agrees that the
terms of this SLA relating to Service Credits in case
of a Service Delivery Failure constitute a genuine
pre-estimate of the loss or damage that the
Customer would suffer as a result of the Service
Delivery Failure, shall be Customer’s exclusive
remedy with respect to the Service Delivery
Failure and are not intended to operate as a
penalty for the Service Delivery Failure.
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
are defined.
6. INFORMATION SECURITY
The following technical and organization measures shall
be applied to Teradata’s Cloud Software.
f)
The building or property is monitored outside of
business hours.
The monitored are is defined
Motion detectors are implemented.
Ingress and egress points are subject to video or
camera surveillance.
Alarm
systems
connected
to
response
authorities are implemented.
6.1 Physical Access Control
a)
Security perimeter
Security perimeters are defined and used to
protect areas that contain sensitive or critical
information.
b)
Physical entry controls
g)
All possible entry points have been secured
against unauthorized entry.
Binding access authorization procedures have
been implemented.
A physical access control system was set up.
c)
Determination of persons with physical access
authorization
Roles or group concept exists.
Role or group assignments are documented.
Responsibilities for role and group concepts are
assigned.
d)
Management of physical access authorizations
Rules on authorizations for accessing
business zone are defined.
The issuing of credentials is documented.
e)
the
Procedures for the loss credentials are defined.
Management of visitors and external personnel
Policies are implemented.
Visitors are monitored.
Rules for cleaning and maintenance personnel
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 6
Monitoring rooms after business hours
Logging
For electronic access control equipment in use,
physical access logs are stored in a tamperproof manner for 12 months. Regular sampling is
carried out to detect improper use.
6.2 Access Control
a)
Authentication
Access to all data processing systems is
protected by user authentication.
Password conventions are defined including
requirements for password length (at least 8
characters) and complexity (upper-/lower-case
letters, number/character mix, etc). Trivial
passwords not allowed. The password must be
changed at the end of a certain period.
Where strong identity assurance is required for
maximum level of protection, two-factor
authentication is implemented.
The authentication credentials are always
encrypted when transmitted over the network.
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
b)
De-activation and re-setting of blocked access
b)
Access is blocked on failed attempts.
A secure method exists for resetting the blocked
access (e.g. by assigning a new user ID).User
access is blocked after long periods of
inactivity.
c)
Each authorized person can access only the
data that he specifically needs to process the
current transaction according to the order and
which is configured in his individual profile.
To the extent that data of multiple customers is
stored in the same database or is processed
with the same data processing system, logical
access restrictions must be provided which are
aimed exclusively at processing the data for the
customer concerned (multi-tenancy).
Unique features are incorporated into the data
processing systems which enable the accessing
person to determine that the data processing
system is authentic.
The scope of the authorizations must be limited
to the minimum need to perform the authorized
person’s duties and functions.
Banning storage of passwords
Access passwords and/or form input are not
stored on the client itself or in its vicinity. Users
have been instructed on these requirements.
d)
Authorization and access management
A role concept is in place.
Access rights are assigned on an individual
basis.
The number of authorized persons was kept to
the minimum needed for operation.
Privileges are checked regularly for necessity.
There are no reusable access accounts.
A process for requesting, approving, issuing, and
accepting the return of credentials and access
authorizations has been be set up and
described and is being used.
Responsibilities
for
assigning
access
authorizations have been assigned.
A deputy arrangement is in place.
e)
c)
Logging
User workstation
If the workstation or terminal is inactive, a
password-protected screensaver must be
activated automatically using mechanisms
specific to the operating system.
Workstations and terminals are protected
against
unauthorized
use
when
users
temporarily leave the workplace. Users are
trained to apply this measure.
Data access management
A process for requesting, approving, assigning
and revoking and checking data access
privileges is implemented.
Data access privileges are linked to a personal
user ID and an account.
If the basis for an authorization no longer exists
(e.g. job change), this access privileges will be
immediately revoked.
Data access management processes are
documented and the documentation will be
retained for 12 months.
Suitable steps have been taken to prevent
different roles or access rights from being
concentrated in one person and thereby, in
combination, giving that person an excessively
powerful overall role.
All successful and failed access attempts are
logged and securely retained for at least 6
months.
To detect improper use, regular access log
reviews are carried out.
f)
Implementing access restrictions
d)
Logging
All read, input, modification and deletion
transactions are logged and securely retained
for at least 6 months.
To detect improper use, regular access log
reviews are carried out.
6.4 Data Transmission Control
6.3 Data Access Control
a)
Authorization concept
Rules and procedures exist for creating,
changing and deleting authorization profiles
and user roles.
Responsibilities are regulated.
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 7
a)
Legal requirements
To ensure the legality of data transmission to
other countries, written approval of the
customer will be obtained (if applicable).
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
b)
Transport over networks
Data is transmitted between clients and servers
in encrypted form.
Connections to back end systems are
protected.
The connections between the back end systems
are protected.
Data requiring a high level of protection is
encrypted.
Data that leaves the protected zone (such as
the one in a computer center) is encrypted.
Data having a high level of protection is
generally encrypted when being transmitted to
external systems.
c)
Logical system access
Networks are segmented. DMZ design is
applied.
A network plan is in place.
Network / hardware firewalls are implemented.
Endpoint firewalls are implemented.
Firewalls are always active and cannot be
deactivated by users.
All systems and applications apply latest patch
versions.
Unnecessary hardware interfaces and services
are deactivated.
Default service accounts are deactivated.
Up-to-date anti-malware systems are applied.
Information
security
incident
response
procedures are implemented.
d)
a)
Information disposal
Data media and documents are destroyed in
compliance with data protection rules.
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 8
Input logging
Input in the data processing system is logged.
The logs are retained for a period of 12 months.
6.6 Order Control
a)
Rules and limitations
Service specifications specify the allowed work.
Controls on the part of the customer have been
agreed on.
The customer will establish a process for
checking the electronic and paper-based
orders.
The incidents that must be reported have been
specified.
b)
Documentation
A documentation method is in place which
ensures that the individual steps required in
executing the order can be fully tracked.
6.7 Availability Control
a)
Storage and retention
Data is backed up in encrypted form.
Temporary storage areas are configured so that
their contents are automatically deleted
immediately after exiting or when the
application or operating system starts up at the
latest.
Procedures for the use of data media are
implemented.
The creation of copies is documented. This
documentation is retained for 12 months.
f)
6.5 Input Control
System interfaces
All system interfaces are documented.
Machine-to-machine
interfaces
implement
mutual authentication and ensure that each
machine has individual credentials.
e)
Data media are erased in compliance with
data protection rules before being used by
other users.
Hardware components or documents are
destroyed in such a way that they cannot be
recovered or only with extreme difficulty.
The complete and permanent erasure of data
and data media containing personal data in
compliance with data protection rules is
logged.
The logs must be retained securely for at least 24
months.
Backup concept
A backup concept is defined.
Regular backups are carried out.
Backup responsibilities have been assigned.
Regular
backup
recovery
checks
are
performed.
b)
Disaster recovery
A disaster recovery plan is in place with
procedures for notifying relevant stakeholders
including the customer in case of an incident.
Backups are retained at offsite secure facilities.
Uninterruptible power supply units and surge
protection devices are inspected regularly and
monitored continuously.
MARKETING APPLICATIONS SERVICE LEVEL ADDENDUM
Employees are obliged to maintain the
confidentiality of business and trade secrets.
Other special confidentiality obligations are
applied if necessary.
Employees are required to handle data and
data media properly and carefully.
Trainings are repeated regularly.
Trainings and participations are documented.
Rules for providing access to data processing
systems to external personnel are defined
including applicable obligations to data
secrecy and the requirement to receive training
prior to be allowed to use the data processing
systems.
6.8 Intended Use Control
a)
Data minimization
Only the minimum amount of data that is
needed to directly serve the actual purpose
and perform the contract work or carry out the
process is collected, stored or processed.
b)
Data separation
Technical and organizational measures exist to
ensure that data and/or data media used for
different contractual purposes are processed
and/or stored separately.
6.9 Organizational Control
a)
Policies and standards
Appropriate policies, standards and operating
procedures are defined and documented.
Implementation and compliance with policies
and standards are monitored.
b)
Training and obligations
Employees are trained on the principles of data
protection.
Marketing Applications Service Level Addendum (Version 1.0, English)
Page 9
c)
Separation of duties
Operating and administrative functions are
separated.
d)
Deputy arrangements
Deputy arrangements are in place for all
functions that are necessary for operation.