Service Level Agreement
This exhibit (“Exhibit SLA”) is subject to the terms in Sections 2.2 (Provision of Services) and 2.3 (Protection of Customer Data).
Summary of severity levels and response time
| Classification | Failure Description | Response |
|---|---|---|
| Level 1 | Fatal, no useful work can be done. | Resolve within 2 hours, 90% of the time. |
| Level 2 | Severe impact, major functionality disabled. Errors cause intermittent system failure. Performance issues. | If problem not resolved in 24 hours, status update with projected timeframe for resolution or next update. |
| Level 3 | Degraded operations/minimal impact. Errors causing malfunction of non-critical functionality. | Status updates provided periodically until resolved. |
Availability
| Item | Definition |
|---|---|
| Scheduled Hours | 7 days a week, 24 hours a day. |
| Scheduled Uptime | 99.5% of scheduled hours. |
| Scheduled Downtime | Any downtime where Customer is notified in advance. |
Scheduled Maintenance will be scheduled to avoid impact to service delivery, typically on Saturdays during a window that starts at 2am Eastern Time and has a length of 4 hours.
The services shall be available 99.5% of the time in any given month during the Term, excluding scheduled maintenance coordinated with Customer.
Security and Disaster Recovery Addendum
A. General. ServiceChannel.com, Inc. (“Company,” “we,” or “our”) believes that information is an extremely valuable asset that must be protected. Therefore, we have created and implemented an Information Security Program (the “Program”), as further described in this Security and Data Recovery Addendum (the “Addendum”). The objective of the Program is the effective protection of personally identifiable and other sensitive information relating to Company’s company, customers, and business partners (collectively, “Sensitive Information”).
B. Definitions. For the purposes of this Addendum, the terms below have the following meanings whenever capitalized:
- “Data Incident” means any unauthorized access to or acquisition, disclosure, use, or loss of Sensitive Information resulting from breach or compromise of Company Systems.
- “Privacy and Security Requirements” means, to the extent applicable: (i) legal requirements (federal, state, local, and international laws, rules and regulations, and governmental requirements) related to the storage and collection of Sensitive Information; and (ii) generally accepted industry standards concerning privacy, data protection, confidentiality, or security of Sensitive Information.
- “Security Coordinator” means a manager-level employee who is responsible for implementing, coordinating, and maintaining the Program, including without limitation the training of personnel, regular testing of the Program’s safeguards, and evaluation of third party service providers.
- “Company Systems” means Company’s information technology systems and devices that store, process, and/or transmit Sensitive Information, including without limitation Company’s network, databases, computers, and mobile devices, to the extent applicable.
C. Sensitive Information. For clarity, Sensitive Information includes:
- Any information that personally identifies an individual (including, but not limited to, name, postal address, email address, telephone number, date of birth, Social Security number, driver’s license number, other government-issued identification number, financial account number, or credit or debit card number).
- All financial, business, legal, and technical information which is developed, collected, learned, or obtained by Company in the course of its business activities that would reasonably be understood to be confidential, including information belonging to or pertaining to Company’s customers.
D. Security Program. Company shall create, implement, and maintain the Program to include reasonably appropriate administrative, technical, and physical safeguards to protect the confidentiality and security of Sensitive Information. Company shall also periodically review and update the Program, paying attention to developments in technology, Privacy and Security Requirements, and industry standard practices. Currently, protection for Company Systems includes:
- User authentication controls, including secure methods of assigning, selecting, and storing access credentials, restricting access to authorized users, and blocking access after a reasonable number of failed authentication attempts.
- Access controls and physical facility security measures, including controls that limit access to Sensitive Information to individuals that have a demonstrable genuine business need-to-know, supported by appropriate policies, protocols, and controls to facilitate access authorization, establishment, modification, and termination.
- Regular monitoring of Company Systems to prevent loss or unauthorized access to, or acquisition, use, or disclosure of, Sensitive Information.
- Technical security measures such as firewall protection, antivirus protection, security patch management, and intrusion detection.
- Ongoing training and awareness programs designed to ensure workforce members and others acting on Company’s behalf are aware of and adhere to the Program’s policies, procedures, and protocols.
- Ongoing adjustments to the Program based on periodic risk assessments, comprehensive evaluations (such as third-party assessments) of the Program, and monitoring and regular testing of the effectiveness of safeguards. Such review shall occur at least annually with additional review occurring whenever there is a material change in Company’s technical environment or business practices that implicate the security of Company Systems. Company’s Systems have been certified as SSAE 18 (SOC 1 Type II and SOC 2 Type II) compliant.
E. Access Control.
- Company management provides guidance in creating a secure access environment by establishing access management policies, approving roles and responsibilities, and providing consistent coordination of security efforts across the company.
- Rights to use and access Company Systems are based on each user’s access privileges. Access privileges are granted on the basis of specific business need (i.e. a “need to know” basis) and are restricted to only those personnel who require such access to perform their job functions as determined by Company management.
- All Company resources, systems, and applications have access controls unless specifically designated as a public access resource.
- Physical access to locations where Sensitive Information is stored is restricted to personnel and service providers who require access in order to perform their designated job functions or services. Where possible, storage areas containing Sensitive Information are protected against potential destruction or damage from physical hazards such as fire or floods.
- Company’s employees, temps, contractors, consultants, and other workers including all personnel affiliated with third parties, are responsible for participating in maintaining secure access to Company Systems and for ensuring that Company adheres to its posted Privacy Policy.
F. Encryption.
- Company uses industry-leading technologies and techniques to secure Sensitive Information. All Sensitive Information is encrypted in transit and at rest. Sensitive Information at rest is encrypted using the strong cipher AES_256. All Sensitive Information in transit is encrypted using SSL certificates offering a 2048-bit RSA key (“strong SSL security”). Company’s deployment of end-to-end encryption for all service transactions through SSL/TLS represents a best industry practice. Where applicable, encryption is negotiated using modern protocols such as TLSv1.2. Company encrypts customer facility maintenance information transmitted through the Company website, including company and contact information, service requests and work history, reports, proposals, and invoices. Information is encrypted and then transmitted to a user’s browser, where it is decrypted automatically. Other methods of data transmission, such as FTP/sFTP/AS2, can be encrypted as well using standard secure protocols (SSL or SSH).
G. System Monitoring, Protection and Backup.
- Company reasonably monitors Company Systems for unauthorized use of or access to Sensitive Information.
- Company retains, either in-house or on a consultant basis, at least one technician to provide support and routine maintenance of Company Systems and to report any actual or attempted attacks or intrusions to Company.
- Malware protection software is installed on all computers storing Sensitive Information. At least once per year, all operating systems and applications are upgraded with any currently available security patches or other security-related enhancements available from their providers. To the extent that any personnel use home computers or remote access devices to conduct business, malware protection software is installed on such home computers or remote access devices.
- To the extent that personnel are supplied with remote access devices such as laptops and handheld wireless access devices, Company labels them and takes inventory at least once per year.
- Sensitive Information stored on Company Systems is backed up on a regular basis. All Sensitive Information is redundantly stored and distributed in data centers across multiple physical locations. Core Company Systems are deployed so that in the event of a data center or individual equipment failure, there is sufficient capacity to enable traffic to be load-balanced and rerouted to the remaining sites. By utilizing cloud-based deployment, Company isolates its application from its customers’ internal servers to reduce the risk of unauthorized access to Company’s customer’s internal systems.
- Company maintains redundant, cloud IP-based telecom systems. This includes Company’s telephone, call center, and IVR systems. In the event of a problem delivering calls to Company’s primary telecom system the calls are automatically rerouted to alternate systems.
H. Evaluation and Adjustment of the Program.
- Company management shall periodically re-assess the reasonably foreseeable internal and external risks to the security and confidentiality of Sensitive Information.
- Company reserves the right to revise the conditions of this Program at any time. Adequate notification of updates will be provided to all personnel. Personnel are responsible for understanding or seeking clarification of any rules outlined in this document and for familiarizing themselves with the most current version of this Program.
- Company management will periodically evaluate and adjust the Program as appropriate to address: (a) the current risk assessment, management and control activities; (b) new risks or vulnerabilities identified by Company top management using the standards set forth above; (c) technology changes that may affect the protection of Sensitive Information; (d) material changes to Company’s business, including to the size, scope and type of Company’s business; (e) the amount of resources available to Company; (f) the amount of Sensitive Information stored or held by Company; (g) any increased need for security and confidentiality of Sensitive Information; and (h) any other circumstances that Company management believes may have a material impact on the Program.
I. Personnel and Service Providers.
- Company shall exercise necessary and reasonably appropriate supervision over its employees and others acting on its behalf to maintain confidentiality and security of Sensitive Information.
- Prior to engaging any third-party service provider who may receive Sensitive Information, Company will take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect the Sensitive Information.
- Company shall terminate an individual’s access to Company Systems as soon as reasonably practicable after such individual is no longer employed or engaged by Company. Terminated personnel are required to surrender all keys, IDs, access codes, badges, business cards and the like that permit access to Company’s premises and/or systems.
J. Data Incidents.
- In the event of a Data Incident, the Security Coordinator will conduct a post-incident review of events and decide the appropriate actions to take to minimize the Data Incident and mitigate the consequences.
- The Security Coordinator shall be in charge of assembling a qualified incident response team, which will be responsible for handling matters related to the Data Incident.
- If necessary, the Security Coordinator shall make changes in business practices relating to protection of Sensitive Information following a Data Incident.
- The Security Coordinator shall document the foregoing and provide a report to management.
K. Secure Return or Disposition. Company shall return or dispose of Sensitive Information, whether in paper or electronic form, in a secure manner.