ETAIN AS

Service Level and IT Security Policy

Effective date: 1 June 2021

1 GENERAL

This Service Level and IT Security Policy (the “Service Level Policy”) applies to Etain’s delivery of services provided as Software-as-a-Service (the “SaaS”) as further detailed in Etain’s general terms of service (the “General Terms”), and consultancy services (the “Consultancy Services”) further described in Etain’s terms and conditions for consultancy services (the “Consultancy Terms”).

The SaaS and the Consultancy Services are collectively referred to as the “Services”. The terms and conditions applicable for the specific Services made available to each Customer are referred to as the “Applicable Terms”.

Unless otherwise specified, this Service Level Policy shall be deemed an integrated part of the General Terms and the Consultancy Terms as relevant, as well as Etain’s standard data processing agreement (the “Etain DPA”).

In the event of inconsistency between the Applicable Terms and this Service Level Policy, the Applicable Terms shall take precedence.

2 DEFINITIONS

Unless otherwise defined, capitalized terms in this Service Level Policy shall have the same meaning as defined in the Applicable Terms.

The terms defined in this Service Level Policy are:

Applicable Law
means any law, statute, rule, regulation, judgment, order or other binding requirement of a governmental body in the jurisdiction of the Customer and/or Etain,

Applicable Terms
shall have the meaning set forth in clause 1,

Authorized Users
shall have the meaning set forth in clause 3,

Confidential Information
means any and all information about any party, its customers, clients, employees, hired consultants or other stakeholders involved in using or receiving the Services, including, but not limited to: (a) any information concerning technology, such as systems, source code, databases, hardware, software, programs, applications, engaging protocols, routines, models, displays, and manuals, (b) any unpublished information concerning research activities and plans, customers, clients, shareholders, strategies and plans, costs, operational techniques, (c) any unpublished financial information, including information concerning revenues, profits and profit margins, and costs or expenses; and (d) any other information stored in, transferred through or otherwise made available to either party as a result of Etain’s delivery of the Services. Confidential Information is deemed confidential and proprietary to the party disclosing such information regardless of whether such information was disclosed intentionally or unintentionally, or marked appropriately;

Consultancy Services
shall have the meaning set forth in clause 1,

Consultancy Terms
shall have the meaning set forth in clause 1,

Customer Security Manager
means a representative designated by the Customer to be Etain’s main point of contact with the Customer for security related issues,

Customer Security Testing
shall have the meaning set forth in clause 4.5,

Error
shall have the meaning set forth in clause 4.1,

Error Notice
shall have the meaning set forth in clause 4.2,

Etain DPA
shall have the meaning set forth in clause 1,

Exceptions
shall have the meaning set forth in clause 3,

General Terms
shall have the meaning set forth in clause 1,

Personal Information
means personally identifiable information (a) that, when used separately and/or in combination with other information, identifies and/or can be used to identify or authenticate an individual or (b) as otherwise may be defined by Applicable Laws,

Plan
means a high-level description of the steps being taken by Etain to resolve the Error,

SaaS
shall have the meaning set forth in clause 1,

Security Breach
means any act or omission that compromises either the security, confidentiality or integrity of the Customer’s Confidential Information,

Security Program
shall have the meaning set forth in clause 5.2,

Services
shall have the meaning set forth in clause 1,

Service Level Policy
shall have the meaning set forth in clause 1,

Support Services
shall have the meaning set forth in clause 4.6, and

Workaround
means a feasible change in operating procedures whereby an Authorized User can avoid the deleterious effects of an Error without material inconvenience.

3 AVAILABILITY OF THE SAAS SERVICES

Etain shall use commercially reasonable efforts to make the SaaS available for the Customer and all users authorized by the Customer (“Authorized Users”) in material conformity with the General Terms.

Availability shall be defined without regard to downtime or degradation that is due to any of the following (“Exceptions”):

(i)   misuse of the Services by the Customer or any Authorized User,
(ii)  failure of internet connectivity,
(iii) the Customer’s failure to meet any minimum hardware or software requirements as defined by Etain to access or use the Services,
(iv)  force majeure events,
(v)   data corruption due to user errors,
(vi)  any actions, inactions, or omissions (including but not limited to technical failures) of a third-party provider outside of Etain’s reasonable control, or
(vii) planned downtime communicated clearly to the Customer a reasonable time in advance of the downtime.

4 MAINTENANCE, BUG FIXES AND SUPPORT

4.1 BUG FIXES, FAILURES AND MAINTENANCE OF THE SAAS SERVICES

Etain shall use commercially reasonable efforts to respond to and correct any failures of the SaaS compared to the quality agreed in the General Terms (each, an “Error”) in accordance with the provisions set out herein, including by providing bug fixes and critical updates to the SaaS.

Etain will use commercially reasonable efforts to monitor and manage the SaaS to optimize availability, function and user experience. Such monitoring and management may include, at Etain’s sole discretion:

(i)   proactively monitoring all SaaS functions,
(ii)  if such monitoring identifies, or Etain otherwise becomes aware of, any circumstance that is reasonably likely to threaten the availability of, or quality of performance of, the SaaS, taking necessary and reasonable remedial measures to eliminate such threat,
(iii) prompt fix of bugs, failures and defaults on the SaaS if Etain otherwise receives information about such, and/or
(iv)  providing to the Customer and its authorized users updates, bug fixes, enhancements, new releases, new versions and other improvements to the SaaS in accordance with the General Terms.

4.2 SERVICE LEVELS

Fixing Errors is highly prioritized at Etain and known Errors will continuously and proactively be fixed. Etain will use commercially reasonable efforts to address all Errors reported to Etain as soon as practically possible. Etain’s maximum response time guidelines are included below.

Etain will, in its sole discretion, classify requests for Error corrections in accordance with the descriptions set forth in the chart below (each an “Error Notice”):

Error Notice classification – Description – Etain’s response

Critical: A critical part of the SaaS is unavailable or inaccessible other than due to Exceptions, resulting in total disruption of work or critical business impact. Software error that results in the loss of critical documented feature/function for which there is no suitable Workaround. Data is corrupted or lost and must be restored from backup.
Response: Etain will respond within 12 hours. Response shall include a Workaround or Plan for resolving the Error. Etain shall assign all necessary resources on a priority basis to resolve the issue and ensure that those resources work continuously on the issue until an actual resolution is provided.

Major: The SaaS is operational but highly degraded performance to the point of major impact on usage. Important features of the SaaS are unavailable with no acceptable Workaround; however, operations can continue in a restricted fashion.
Response: Etain will respond within 12 hours. Response shall include a Workaround or Plan for resolving the Error. Etain shall address the Error as soon as reasonably possible taking into account the effect of the Error for the user.

Minor: The SaaS is operational but partially degraded for some or all users, and an acceptable Workaround or solution exists. Problem with non-critical feature or functionality.
Response: Etain will respond within 48 hours. Response shall include a Workaround or Plan for resolving the Error within reasonable time.

4.3 DISASTER RECOVERY

If a SaaS hosted by Etain becomes inoperable, inaccessible, or subject to a material disruption, Etain will use its commercially reasonable efforts consistent with good industry practices to switch to an alternate site within the same geographical area.

4.4 DATA OWNERSHIP AND BACK-UP

The Customer shall retain full and exclusive ownership of all right, title, and interest in and to any Customer Data, as defined in the Applicable Terms.

Etain may use Customer Data as necessary to provide the Services to the Customer in accordance with the relevant Order Forms and Applicable Terms. The Customer may at any time request a copy of all Customer Data stored by Etain.

Etain will hold a backup of Customer Data for 24 hours, taken on an 8-hour rolling period.

4.5 CUSTOMER’S SECURITY TESTING

The Customer shall provide Etain at least 20 business days’ notice for performing any type of security testing, penetration testing or vulnerability scans of the SaaS (collectively, “Customer Security Testing”) whether such Customer Security Testing is performed directly by the Customer or by a third party.

Etain may choose to provide the Customer with a test environment (of a configuration similar to that of the Customer’s live environment) to perform the penetration test. The Customer agrees to provide the results of such Customer Security Testing to Etain within a reasonable period of time after completion of the Customer Security Testing, at least in summary format, provided, however, that the Customer shall be under no obligation to share any Confidential Information contained in the test results with Etain.

4.6 ADDITIONAL SUPPORT

In addition to the service levels described in this Service Level Policy, Etain may offer additional support services to the Customer, such as user support to the SaaS, HighQ or other relevant services provided by Etain or third parties (hereinafter referred to as “Support Services”).

Support Services shall be considered add-on Consultancy Services to be governed by the Consultancy Terms and separate Order Forms and shall not be subject to the specific requirements set in this Service Level Policy.

5 PRIVACY AND INFORMATION TECHNOLOGY SECURITY CONTROLS POLICY

5.1 ETAIN’S HANDLING OF CUSTOMER DATA

Etain shall comply with all Applicable Laws, the Applicable Terms, and this Service Level Policy including, without limitation, with respect to privacy and personal information.

Without limiting the generality of the foregoing, Etain shall not use Customer Data for any purpose other than performing its obligations towards the Customer, and Etain shall limit access to and disclosure of Customer Data solely to personnel on a “need to know” basis, i.e., personnel that are essential for Etain to be able to perform its obligations towards the Customer.

Further, Etain shall not sell, license, distribute, make available or otherwise disclose Customer Data or any portion thereof to any third party for any reason, unless specifically permitted by Customer in its sole discretion, or otherwise expressly required by Applicable Laws or the Applicable Terms.

In the event that Etain is obliged to disclose Customer Data to third parties, including public authorities, Etain shall, if permitted, provide the Customer with advance written notice in order to give the Customer the opportunity to object to the disclosure.

The Parties acknowledge and agree that all Customer Data shall be deemed and always remain the Confidential Information of the Customer.

5.2 SECURITY PROGRAM

Etain shall implement and maintain a security controls program (the “Security Program”) that complies with all Applicable Laws, accepted industry standards, and the Applicable Terms to address security and confidentiality concerns, protect against any anticipated or actual threats or hazards to its security or integrity, and prevent unauthorized access, acquisition, destruction, use, modification and/or disclosure thereof.

Additionally, the Security Program shall include security and privacy policies that provide guidance to Etain’s personnel ensuring the confidentiality and integrity of the Customer’s Confidential Information, which at least addresses the following:

(i)   instructions regarding the steps to take in the event of a compromise or other anomalous event;
(ii)  delegation and assignment of responsibilities for security and privacy;
(iii) management oversight for the policy and its deployment;
(iv)  means for managing security and privacy within the enterprise;
(v)   policies and procedures for data confidentiality and privacy and data protection and access thereto;
(vi)  handling of Confidential Information; and
(vii) planning for incident response in the event of a Security Breach or unauthorized disclosure of any Confidential Information.

The Security Program shall include the implementation of administrative, physical and technical safeguards to protect any Customer Data and all of the Customer’s Confidential Information in a way which is consistent with accepted industry practices, and Etain shall use commercially reasonable efforts to ensure that all such safeguards, including, without limitation, the manner in which Personal Information is collected, accessed, used, stored, processed, disposed of and disclosed, whether by Etain or its providers, comply with all Applicable Laws, as well as the Applicable Terms.

5.3 SECURITY DOCUMENTATION

Etain will provide documentation on the Security Program upon request.

If the Customer Security Manager reasonably identifies gaps in the Security Program, Etain agrees to make commercially reasonable efforts to work with the Customer in good faith to update the Security Program in line with industry-recommended solutions to ensure an adequate level of security.

6 SECURITY BREACHES

Etain shall provide the Customer with the name and contact information for an employee of Etain who shall serve as the Customer’s primary security contact in resolving obligations associated with a Security Breach.

In the event Etain becomes aware of a Security Breach, Etain shall promptly and without undue delay notify the Customer Security Manager.

Immediately following Etain’s notification to the Customer of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. Etain shall make commercially reasonable efforts to assist with the Customer’s handling of the matter, taking the nature and potential impact of the Security Breach into account.

Except as required by Applicable Laws, Etain will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent.

7 IT SECURITY COMPLIANCE AND OVERSIGHT

Etain shall conduct penetration testing of the SaaS at least annually.

Upon the Customer’s reasonable request, and subject to confidentiality obligations that may be owed to other customers of Etain, Etain shall make the executive summary from the penetration test report available to the Customer for review. The Customer shall treat such reports as Etain’s Confidential Information.

8 DATA TRANSFERS

Etain shall not transfer any Customer Data stored by Etain outside the Hosting Location without the prior written consent of the Customer.

The Customer acknowledges that, under the anticipated use of the SaaS, the authorized users of the Customer may be located outside of the Hosting Location and may transfer and download content, including Customer Data, to locations outside of the Hosting Location. Notwithstanding anything to the contrary herein, Etain shall not be responsible or liable for any such use of Customer Data.