Vetasi Cloud Services Summary

Contents:

Vetasi Cloud Services Summary
Service Level Agreement and Services Management
Service Level Agreement
Cloud Application Service Level Agreement
DEFINITIONS
Service Level Exemptions
Service Management
Emergency Notification
Miscellaneous
Disaster Recovery Plan
Scope
Background
Recovery Steps
Security
Overview
Cloud Security Services
Physical Data Center Security
Virtual Data Center Security
User Authentication and Authorization
Controlled Network Configuration
Cloud Backup Services
Cloud Disaster Recovery Services

Vetasi Limited ICE Service Level Agreements www.vetasi.com

Service Level Agreement and Services Management

Service Level Agreement

The Cloud Services will meet the service levels described in this Service Level Agreement. The Cloud Services are provided using our Intelligent Computing Environment (“ICE”) Platform and underlying cloud hosting infrastructure. Our secure data centers and networks are provided by third party suppliers including Amazon AWS, NTT Global-Dimension Data and other data centers located in North America, Europe, Africa, Australia and Asia. All data centers are SAS 70 certified (or similarly certified) or have related certifications for security and related performance levels.

Cloud Application Service Level Agreement

As part of the Master Subscription Agreement that governs Customer’s purchase of services, we will meet the service level agreements set forth below.

Application Service Uptime Standard

We intend to provide 99.9% availability of the Customer’s Application Services and use commercially reasonable efforts to make the Application Services available for access by Customer 24 hours per day, 7 days per week, excluding any Scheduled Downtime or Unscheduled Downtime, provided that the Customer agrees to meet the following Customer obligations:
- Allow us full access to the Customer's Cloud service and to deploy the application on our Platform infrastructure with our System Monitoring tools and with our application support;
- Customer's system is fully redundant at all tiers and is configured for failover operation;
- Allow us to audit all managed components and complete redundancy steps stipulated by us under a mutually agreed upon timeline;
- Possess no users or third party accounts that grant administrative or 'root' access to services within the Cloud systems;
- Off-premise systems are functioning properly and acceptable industry standards for network latency levels to off-premise systems on which the hosted application is dependent;
- Customer must provide licensed copies of any enabling software operating above the Operating System (OS) level on any system in the architecture excluding software licensed as part of the Platform or our Application service;
- Customer must maintain 24X7 support agreements with the software vendor or industry recognized third party software support product;
- Customer must not modify the hardware, system or application code configuration or content without our written authorization;
- Customer must not program, modify the OS, launch new content, or perform stage and/or test periods without following our standard change control processes.

Server Uptime (for all geographic regions other than Africa)

We intend to provide 99.9% availability of individual virtual servers within our Cloud environment. For purposes of this Infrastructure SLA, only failures due to hardware and hypervisor layers delivering individual virtual servers are covered. The individual virtual server will be deemed 'available' if the virtualization hardware and hypervisor layers delivering individual virtual servers are available and responding to our monitoring tools as designed and in a non-degraded manner (as evidenced in the monitoring tool).

Service Credit Calculation

In the event of a failure to meet the Server Uptime or Application Service Uptime Standard, the duration of such failure period will be considered downtime. We will credit customer at a rate of 5% of the monthly subscription fee for the service per 1% below the availability. If we fail to meet our committed service level, customer must claim any penalties within 60 days of such failure in writing or email with the specific details of the outage. For the purposes of any claim, the duration of the outage will only count from the time that the outage was reported to us.

The maximum penalty payable in any one month shall not exceed 100% of the applicable subscription fee.
We will issue the Customer a credit which will be applied to the invoice in the month following the applicable event. Service credits are accumulated monthly with all SLA metrics being reset at the beginning of each calendar month. Our monitoring/ticketing systems shall be the information source of record for the accumulation of Monthly Cumulative amounts.

DEFINITIONS

Scheduled Maintenance Window

Unless categorized as an emergency maintenance window, we follow a weekly maintenance schedule to be announced by Cloud operations.

Scheduled Downtime

“Scheduled Downtime” means time that the Application Service is unavailable due to the performance of system maintenance, backup and upgrade functions that has been scheduled in advance by us. A minimum of three days’ advance notice will be provided for all Scheduled Downtime. Scheduled Downtime will not exceed four (4) hours per month and will be scheduled in advance during off-peak hours when commercially practicable.

Unscheduled Downtime

“Unscheduled Downtime” means the time outside of the Scheduled Downtime when the Application Service is not available to perform the typical operations normally executed by the Customer. The Target Service availability is 99.9% for each service during each month excluding:
- Outages due to fire, flood, acts of God and War;
- Outages due to customer’s use of the system or any changes made by third parties or their employees; and
- Outages due to problems with internet access to the service either ours or customer’s.

Service Level Exemptions

The following items or situations are exempt from our availability calculations:
- Unavailability of Customer's Cloud System during scheduled maintenance window, emergency maintenance or any other agreed-to scheduled downtime activity.
- Downtime that resulted from modifications or changes of the operating system, database, application code or other customer code, not provided by us.
- Attacks (i.e. hacks, denial of service attacks, viruses) by third parties, and other acts not caused by us, provided that we make every reasonable effort to maintain current versions of software patches.
- Events of force majeure, including acts of war, god, earthquake, flood, embargo, riot, sabotage, labor dispute (outside of our own employees), government act, or failure of the Internet.
- If we are providing Application Services to Customer:
    o Modifications to hardware, system applications or application code configuration, or code not authorized by us. Changes or modifications to code that contributed to downtime.
    o Unavailability of Customer's System due to Customer programming, modifications to OS, content, development, staging and/or testing period(s) or acts or omissions of Customer which are not performed in accordance with our standard change control processes.
    o Unavailability of Customer System caused by failures of third party systems or services that are not under our control.

Customer must be current on all outstanding invoices to be eligible for the credits referenced in this SLA. No credits will be extended if Customer is delinquent in its payment of outstanding invoices.

Service Management

We provide support services via our Service Desk, which can be contacted through phone, email or direct entry into our Online Customer Support Site. The Online Customer Support Site is available 7x24, providing a means of reporting, tracking and communicating incidents to us. During subscription provisioning, we will create a unique user account for the Customer organization, allowing access to the Online Customer Support Site so that the Customer may report post-implementation incidents to the support team. Once an incident has been reported online, its ongoing status may be viewed through the Online Customer Support Site.

Support Services

Our support services include application and technology infrastructure support.
Application support includes managing a customer’s Application Service Subscription to meet agreed service levels and support related questions. Technology infrastructure support includes managing the underlying physical hardware and embedded infrastructure software to ensure secure and reliable access to the Application Services. Support services are provided to address technical problems and do not include assisting or training users on the use of the application. Standard Service Desk Support hours are 9am-5pm Monday to Friday local time for customer.

Service Request Process Flow

All service requests submitted to our Service Desk are assigned a ticket number. The Online Customer Service Center allows for the tracking of all tickets. Every ticket will be assessed and assigned a status by our support team based on the information reported by the Customer. We will manage the resolution of the problem until it is resolved and the ticket is closed.

The Customer will provide us with all accurate and complete information concerning the request which is reasonably required and requested to diagnose and evaluate the request, and will use commercially reasonable efforts to assist, cooperate and facilitate the remedying of such request, which will include the provision to us of reasonable detail of the nature of the request, all of the circumstances in which it occurred and any other available information, data and/or documents reasonably relating to the request which might aid in the diagnosis and resolution.

The Customer will designate at least one (1) individual who will be authorized to request support. The Customer will provide us with written notice of the identity and contact information of all designated users and may from time to time replace a designated user with another individual by providing written notice of the change at least five (5) Business Days prior to the proposed effective date of such change.
For certainty, we will not be responsible to provide any software support or services directly to Customer users other than the designated users.

In the event that an incident is reported which is:
- an incident or situation that is caused by Customer or a user; or
- an incident that proves to be due to or the result of or caused by Customer or a user or a fault or problem with any Customer or user system,
then to the extent of the foregoing, the correction of such problem by us will not be included in support services provided as part of the Application Services subscription and we will charge Customer at our then current professional services rates to remedy such reported problem. The Customer will pay us for same within thirty (30) days of receipt of an invoice.

Emergency Notification

If an event occurs that causes one or many major services to stop being delivered to many Customers, we will create an emergency email alert to all members of the Customer organization currently registered for this communication. The Customer will be notified of the problem as soon as possible and continually updated by email and notified until resolution. Prior to the contract coming into effect, the Customer must provide us with the names, telephone numbers and email addresses for at least one contact person in the Customer organization.

Miscellaneous

Additional Support Services

The Customer may request from time to time that we perform certain services that do not expressly form a part of the support services. Any agreement to provide any requested services may be subject to additional charge (at our then current rates or on a mutually acceptable fixed charge basis). Any such additional services will be in writing and require the prior written approval of the parties and may require the execution of a separate professional services agreement.

Disaster Recovery Plan

Scope

This document describes the planned disaster recovery processes under different scenarios for the ICE Cloud application services. It does not provide prescriptive steps for task assignments and executing the processes but is intended to serve as an overview document to describe the safeguards and procedures which are in place to protect our customer’s data and business activities in the event of a problem and the options to increase that protection.

Background

Our partners provide application hosting services for a number of business customers. These services are delivered from a suite of servers located at contracted data centers. Each application service consists of a set of web based applications running on exclusive application servers coupled with an Oracle database on a shared database server. These servers are provided as virtual machines (“VM”s) in VMware on a high availability hardware cluster. From a hardware perspective, this environment reduces the risk of interrupting service due to a hardware failure to almost negligible. Virtual machines can be moved seamlessly from one server to another to cope with any hardware issues. Backups of the VMs are taken once a day and copied to the geographically separate data center facilities.

The hosting environments operate independently of any partner offices or other infrastructure. All daily tasks are automated. Our partner staff can only access the servers for administration tasks and can do so from any location with a laptop and internet connection with appropriate credentials. This reduces the likely disaster scenarios which will need to be actively managed to the following:
- Catastrophic failure or damage to the primary facility.
- Serious fire, bomb or earthquake or similar event.
- Earthquake or similar event interrupting internet access for all internet carriers.

Recovery Steps

Standard Service Level

Standard service level includes the off-site backups of all VMs and data but does not provide for any hot or cold equipment on standby in another facility to deliver service. To recover the environment, the backup VMs will be deployed on a new virtualization environment and the data will be recovered to an attached data storage system. All software components required to recover the environments are readily available at alternative data center environments.

Any issues which impair the availability or cause an outage of the application hosted services will be reviewed by senior staff for severity, likely time to recovery and risk of delays. Given the safeguards in place as noted above, the most logical path will be to await service restoration and if required, recover from backups at the primary facility. If the outage will be prolonged, more than 24 hours, and/or the risk of delays is high, our partner and its partners will initiate steps to bring VMs online at the hosted facility in the alternative data center using the most recent backups available. The time frame for the recovery cannot be assured and will be dependent on the workload at the backup facility.

Premium Service Levels

Our partner and its partners offer various options for providing improved disaster recovery services. These can range:
- From providing a set of VMs at the backup facility to load a customer’s VM images to and provide a base level of service on 1-2 hours’ notice
- To maintaining a full mirrored environment with data synchronization allowing full failover within a matter of minutes.
These services can be tailored to the customer’s specific requirements.

Customer Site Backups

As a further safeguard and security measure, our partner can provide customers with their own database backup copies on a regular basis.

Security

Overview

Vetasi’s Cloud Services leverage our patent pending Intelligent Computing Environment, the “ICE” Platform, to securely provide software as a service solutions to enterprise customers throughout the world. Our cloud services are deployed as private cloud solutions that meet the security and data segregation requirements of enterprise customers.

Our cloud services are delivered from multiple data centres throughout the world. Our data centers are currently located in Europe, North America and Africa. Within each region, two physical data centers in different cities provide the facilities for full system failover for backup and disaster recovery purposes.

The following section describes our Cloud Security, Backup and Disaster Recovery services and the underlying infrastructure used to provide these services.

Cloud Security Services

With the constant threat of security breaches, having a clear and robust security implementation is a necessity, not an option. Vetasi’s Cloud Services are guided by a “defense-in-depth” security strategy, in which a series of security layers are implemented so that no single solution is relied upon to provide security.

Our Cloud Security Services address both physical and virtual security. For physical security, all data centers meet or exceed Tier III security and resiliency requirements. For virtual data centers, all virtual servers and VLANs are secured behind our authentication and identity management service, and multiple layers of firewalls and proxy servers. With our cloud service, our customer’s data is thus encrypted and stored behind multiple layers of security fabric.

Vetasi configures VLANs between servers, configures ACL-based firewalls, and controls and tracks administrative usage. Data is encrypted while being transferred as well as at rest.

Physical Data Center Security

Our data center partners provide unique security features.
The facilities meet or exceed Tier III standards, the highest commercially available data center rating. Network connectivity is provided by Global Tier-1 IP Networks.
- All areas within the facility are monitored 24x7x365 by closed-circuit cameras and onsite guards.
- Data Center space is physically isolated and accessible only by site administrators.
- Access is restricted to authorized personnel through biometric two-factor authentication.
- CCTV digital cameras cover the entire center, including cages, with detailed 24x7 surveillance and audit logs.

Virtual Data Center Security

Our virtual data center security is implemented with multiple layers of defence to protect our customer’s data and dedicated application servers. A multiple VLAN design is used, in which the web, application and database servers all exist on separate VLANs with separate firewalls. Access to the various servers is handled through our proxy servers, thus further limiting external access to the servers.

Unlike many cloud application services, our Cloud services do not intermingle customer data. While database server resources leverage shared infrastructure, each customer is provisioned with separate database schemas. Optional, separate database servers can also be provided.

User Authentication and Authorization

To authenticate and authorize individual user access, we have implemented a federated identity management system. Our system can be configured to use any Identity Service Provider such as a customer’s Active Directory environment as the primary identity services. Each user has a unique user id and password with the ability to implement multi-form authentication such as security tokens. Each user is authenticated upon accessing our Cloud services.

A complete entitlement management system is also implemented to manage access authorization to the ICE Cloud services and third party Cloud services.
The ICE User Management can establish trust relationships with enterprise identity providers and cloud service providers.

Controlled Network Configuration

- Configurable Layer-2 VLANs based on Cisco-based switching fabric allow us to virtually segregate web, application, data and management VLANs.
- Customizable ACL-based firewall rules allow us to control access into each network VLAN.
- NAT and VIP functions expose private IP addresses to the public Internet only where necessary.
- Load-balancing and port translation across multiple virtual servers, with the ability to take servers in and out of service manually, programmatically, or based on monitoring probes.
- Layer 2 Multicast supports high availability clustered server deployments for enterprise applications and the underlying ICE Platform services.

Encryption

Data is stored with 256-bit encryption at rest and 128-bit SSL encryption while in transit. SSL Certifications are implemented for all access.

Secure Access

Access to our Cloud Services is provided via any of the Public Internet, MPLS, VPN, Carrier Ethernet or Private Networks.

Firewall

Fully-managed, hardened, stateful inspection firewall technology is used with customized customer-specific firewall rules. Firewalls exist at each VLAN access point as well as at the application server level.

Intrusion Detection

A fully-managed Intrusion Detection System (IDS) utilizing signature, protocol and anomaly based inspection methods is deployed.

Edge-to-Edge Security Visibility

Edge-to-edge security, visibility and carrier-class threat management and remediation utilizing industry leading Arbor Networks Peakflow to compare real-time network traffic against baseline definitions of normal network behavior, immediately flagging all anomalies due to security hazards.

Denial of Service Protection

Protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms or botnets.

Security Compliance including SSAE 16 and PCI Compliance and adoption of ISO 27001/2

Our Data Center providers maintain SSAE-16 attestation. Our SSAE-16 attestation is based on an in-depth series of documented controls covering the operational management of the Cloud infrastructure. Vetasi can also offer a PCI-compliant environment that implements a number of security measures required for applications storing, transmitting, or processing credit or debit card information. Vetasi has adopted ISO 27001 and is committed to related quality management and security audits.

24x7 Incident Response

A Security Incident Response Team (SIRT) is in place to handle reports of security incidents. The SIRT escalates incidents to law enforcement and/or executive management as prescribed in security policies. Our virtual operations center provides 7x24 monitoring of all cloud operations and layers within the infrastructure services.

Reporting

Audit logs of all environmental changes are maintained. Event logs are also maintained. These logs track CPU, RAM and related computer usage, as well as access times and user ids.

Cloud Backup Services

Our Cloud Backup Services utilize disk-to-disk backup with options for both onsite and off-site backup solutions to ensure a robust product that meets a wide range of backup needs. The onsite option takes advantage of our private network to back up and restore data in a fast and efficient manner. The off-site option provides data replication over an encrypted IP VPN connection to a secure remote Data Center.

Server Retention Scheme

The retention schemes for storage on the servers utilize a 28 day, father/son retention scheme:
- Son: Daily backup – six (6) incremental copies kept for seven (7) days
- Father: Weekly backup – Four (4) Synthetic Full backup copies and one (1) Full backup kept for twenty-eight (28) days

SAN/NAS Retention Scheme

For data in SAN or NAS storage, our cloud services offer 2 day, 28 day and 90 day retention options.

Database and Application Back-up

Database and application specific data has hourly incremental backups, daily snapshots and weekly full backups. The backups are stored on separate server and data partitions and also sent to off-site storage within the region.

Cloud Disaster Recovery Services

Vetasi offers a fully-managed Disaster Recovery option that provides a path to recovery in the event of a natural or manmade disaster affecting the primary data center. Vetasi offers two different disaster recovery options:
- “Cold” Disaster Recovery: This option utilizes offline servers prepositioned at a geographically dispersed data center that can be activated in case of a disaster.
- “Warm” Disaster Recovery: This option uses servers located in geographically dispersed offsite data centers that are actively supporting either staging or production purposes, but are transitioned to a production role in case of a disaster.

With either option, Vetasi offers Service Level Agreements that commit to a 48 hour Recovery Time Objective (RTO) and 24 hour Recovery Point Objective (RPO).

The Vetasi Disaster Recovery Service includes the following features and benefits:

Offsite data backup option

To ensure that data is available even after a disaster, Vetasi offers a disk-to-disk off-site option. Vetasi encrypts the data, then transfers it to a secure remote storage facility. With the data stored off-site, customers can rest assured that even a local disaster will not have global ramifications.

On-going simulated testing

No matter how well a Disaster Recovery product is designed and implemented initially, things change, and that's why the Cloud Disaster Recovery Service includes ongoing simulated testing with published results which are documented and delivered directly to the customer.

24x7 DR Standby Servers

Vetasi maintains multiple offline servers at a geographically dispersed data center ready to be spun up as soon as the customer declares a disaster.

Flexible Recovery Options

Should a disaster occur, Vetasi ensures a smooth transition to the new DR environment by working closely with the customer over the next 30 days to determine the best solution going forward. Options include moving production back to the original environment or transitioning the new DR environment into the primary going forward (removing the need to transition a second time back to the original data center and keeping the customer removed from the aftermath of a widespread disaster).

Robust Service Level Agreements

DR planning requires guarantees and concrete objectives and Vetasi delivers that as part of the standard DR offering. The Disaster Recovery Solution includes Service Level Agreements around multiple objectives, such as a 48 hour RTO (Recovery Time Objective - the amount of time after a disaster to bring the application back up and running) as well as a 24 hour RPO (Recovery Point Objective - the data that can be recovered as measured back in time prior to the disaster).