Cloud & Smarter Infrastructure © 2014 IBM Corporation

Cloud & Smarter Infrastructure
Legal, Security & Data Privacy for SaaS offerings for Partners
• Legal
  • Contracts
  • Key terms
  • Compliance Overview
  • Service Level Agreement
• Data Privacy
  • Overview
  • EU Safe Harbor
  • Hosting locations
• Security
  • C&SI SaaS Security Practices
  • IBM Standard ITCS104 & Industry Standards Certifications
Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.
Legal - C&SI SaaS Contract Options
IBM International Passport Advantage Agreement (IPAA) – includes SaaS terms regarding ownership, customer's right to use, subscription to SaaS, SaaS technical support, content and termination of SaaS.
Option 1 (Passport Advantage customers using direct or e-Commerce to purchase)
• Terms of Use (TOU) B – standard terms of use for IBM SaaS offerings. This is in addition to the IBM IPAA or IBM IPAA Express Agreement.
• TOU A – terms of use specific to a SaaS offering (e.g. charge metrics, renewal)
• Service Level Agreement (SLA) – specific to a SaaS offering
Option 2 (Non-Passport Advantage customers using direct to purchase)
• Cloud Service Agreement (CSA) – simplified agreement for SaaS that benefits legacy customers from acquisitions, new customers and eCommerce (future).
• Services Description – similar to TOU A; specific Ts & Cs for each SaaS offering
• SLA – specific to a SaaS offering
Applies to IBM Software Value Plus
Legal - Key Terms
Automatic renewal – the contract is automatically renewed unless the customer cancels.
• Example: A customer purchases a 12 month term with monthly billing and on month 15 decides they no longer need the service. They DO NOT have the option to terminate and will be responsible for the remaining 9 months of coverage (the full 12 month term).
Indemnity – the Customer agrees to hold IBM harmless against any third party claim arising out of or relating to: 1) violation of the IBM Acceptable Use Policy by the Customer or any of the Customer's IBM SaaS Users; or 2) Content made available to the IBM SaaS.
Non-disclosure of Customer Content – TOU B states that IBM will not use client data for any reason other than to operate the SaaS, and that the data will be kept confidential.
Applies to IBM Software Value Plus
Legal - Compliance Overview
Compliance = SoftLayer Compliance + C&SI SaaS Compliance. Unless both are compliant we can't claim compliance.
Payment Card Industry Data Security Standard (PCI DSS) – Compliant
• Set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
• C&SI processes credit card information through IBM Payment Systems, which is PCI
Federal Risk and Authorization Management Program (FedRAMP) – Not Compliant (in
• Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• One of the key requirements is the Federal Information Security Management Act of 2002
EU Safe Harbor (See EU Safe Harbor section) – Certification in process
Legal - Service Level Agreements
One per C&SI SaaS Offering (no charge). Terms are found in TOU A or the Cloud Services Agreement Services Description.

Availability during a Contracted Month | Availability Credit (% of Monthly Subscription Fee for the Contracted Month which is the subject of a Claim)
Less than 99.8% | 2%
Less than 98.8% |
Less than 95.0% |

"Availability" percentage is calculated as: (a) the total number of minutes in a Contracted Month, minus (b) the total number of minutes of Downtime in a Contracted Month, divided by (c) the total number of minutes in a Contracted Month, with the resulting fraction expressed as a percentage.
Example: 432 minutes total Downtime during a 30-day Contracted Month
43,200 total minutes in a 30-day Contracted Month - 432 minutes Downtime = 42,768
42,768 / 43,200 total minutes in a 30-day Contracted Month = 99.0% availability
= 2% Availability Credit for 99.0% availability during the Contracted Month
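The availability formula and the worked example above, carried through in Python (an added example, not IBM's code): the outage log is constructed, and the credit percentages for the tiers below 98.8% are placeholders (None) because this page does not state them.

```python
import calendar
from datetime import datetime, timedelta

# Credit tiers from the SLA table, lowest tier first. Thresholds are
# exclusive upper bounds on availability %. The page gives only the 2%
# credit for the "less than 99.8%" tier; the lower-tier credits are
# None as placeholders because the page does not state them.
CREDIT_TIERS = [
    (95.0, None),   # below 95.0%: placeholder, credit not on the page
    (98.8, None),   # below 98.8%: placeholder, credit not on the page
    (99.8, 2.0),    # below 99.8%: 2% of the monthly subscription fee
]


def contracted_month_minutes(year, month):
    """Total minutes in the Contracted Month (a 30-day month is 43,200)."""
    return calendar.monthrange(year, month)[1] * 24 * 60


def downtime_minutes(outages, year, month):
    """Sum (start, end) outage intervals, clipped to the Contracted Month."""
    m_start = datetime(year, month, 1)
    m_end = m_start + timedelta(days=calendar.monthrange(year, month)[1])
    total = 0.0
    for start, end in outages:
        start, end = max(start, m_start), min(end, m_end)
        if end > start:  # ignore intervals that fall outside the month
            total += (end - start).total_seconds() / 60
    return round(total)


def availability_pct(total_minutes, downtime):
    """(a) total minutes minus (b) Downtime, divided by (c) total minutes."""
    return (total_minutes - downtime) / total_minutes * 100


def availability_credit(pct):
    """Credit (% of monthly fee) for the lowest tier the availability misses."""
    for threshold, credit in CREDIT_TIERS:
        if pct < threshold:
            return credit
    return 0.0  # 99.8% or better: no credit due


# Constructed outage log (not real data) for April 2014, a 30-day month;
# the two outages total 432 minutes, matching the page's worked example.
SAMPLE_OUTAGES = [
    (datetime(2014, 4, 3, 22, 0), datetime(2014, 4, 4, 2, 0)),     # 240 min
    (datetime(2014, 4, 17, 9, 30), datetime(2014, 4, 17, 12, 42)),  # 192 min
]

if __name__ == "__main__":
    total = contracted_month_minutes(2014, 4)
    down = downtime_minutes(SAMPLE_OUTAGES, 2014, 4)
    pct = availability_pct(total, down)
    print(f"{down} of {total} minutes down -> {pct:.1f}% availability, "
          f"credit {availability_credit(pct)}%")
```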
Data Privacy - What you need to know
Personal data generally includes information relating to an individual (think business card: e.g. names, email addresses, home address). In some countries, it also includes information about identified partnerships, associations, or corporations.
IBM is a data processor, the entity that processes personal data on behalf of the data controller, which is the client responsible for entering the data.
In most cases, the Passport Advantage agreement covers data privacy for personal
EU and Switzerland have additional data privacy regulations but have established the ability to create a framework with the U.S. for accessing personal data.
C&SI SaaS is in the process of obtaining EU Safe Harbor certification. This requires a risk assessment after we Go Live. In the meantime, we have security measures in place to restrict access to EU client data and to restrict IBM non-U.S. employee access to the Amsterdam hosting center in order to comply.
IBM has an Online Privacy Statement which is another EU Safe Harbor
Data Privacy - EU Safe Harbor Certification
EU and Switzerland have specific data privacy regulations and have established the ability to create a framework with the U.S. for accessing personal data, called EU Safe Harbor, to prevent accidental information disclosure or loss.
C&SI SaaS is in the process of obtaining EU Safe Harbor certification.
• Ability to assert Safe Harbor to clients and prospects.
• Facilitates selling in the EU and Switzerland.
• Makes us competitive in selling situations.
Data Privacy - Where are the C&SI SaaS solutions hosted?
Active Data Centers - SoftLayer
• Working with local partners to expand into additional regions
Security - C&SI SaaS Security Practices
Data Security – each offering has a Security Practices document
• Security Policy – states that IBM has published privacy and security policies and that employees are trained in security
• Access Control
  • Only authorized employees can access client data
  • Support staff for the Cloud Offering use multi-factor authentication and encrypted channels when accessing client data
  • Data transfers are logged
• Service Integrity & Availability
  • Change Management process governs changes to O/S, application s/w and firewall
  • Data center resources are monitored 24x7
  • Internal and external vulnerability scanning and malware detection
  • Information delivery protocols for transmission of data over public networks (e.g. HTTPS, VPN)
• Physical Security
  • Designed to restrict unauthorized physical access to data center resources
  • Entry and removal of equipment is logged
• Compliance
  • Assessments and audits are conducted regularly by IBM's team to confirm compliance with its information security policies
  • Conduct workforce security education and awareness training
Note: The Security Practices are also included in the Cloud Service Agreement Service Description for each offering.
Security – ITCS104 & Industry Standards Certifications
C&SI SaaS offerings adhere to the rigorous standards of ITCS104 security
There are many industry standards that require certification. C&SI is evaluating the priority order based on client demand.
• Health Insurance Portability and Accountability Act (HIPAA) – Not Certified
  • Requires certification through the HIPAA Program Office (HPO)
  • Data Centers do not get certified in HIPAA – SoftLayer Internal HIPAA whitepaper
• SSAE 16 – Not Certified
• SOC2 Type II Compliance – Not Certified
• Cloud Security Alliance STAR Self Assessment – Not Certified
• EU Safe Harbor (See EU Safe Harbor section) – Certification in process