Talkoot Terms of Service.

These Terms of Service, along with the Order Form or Statement of Work (collectively, the “Agreement”), govern the use and provision of Talkoot’s Software. This Agreement is between Talkoot (“Talkoot,” “Provider”) and the legal entity or individual that enters into this Agreement (“Client”), each of them hereinafter referred to as “Party”, together referred to as “Parties.”

1                  Definitions

1.1     “Client Data” means the data inputted by Client, Client’s authorized users or the Provider on Client’s behalf for the purpose of using the Software or facilitating Client’s use of the Software.

1.2    “Business Day” means Monday to Friday except for public holidays at Provider’s primary place of business.

1.3    “Confidential Information” means any non-public or proprietary information disclosed to the receiving Party under this Agreement, whether orally, digitally, or in writing, by or on behalf of disclosing Party, that is marked or designated as confidential or might reasonably be considered as confidential, including without limitation, all know-how, trade secrets, scientific, technical, statistical, strategic, financial or commercial information.

1.4    “Deliverables” means any deliverable identified as a Deliverable in a Statement of Work (SOW) prepared for Client in the course of the performance of Services.

1.5    “Order Form” means the document signed by an authorized representative of each party identifying the Solutions and Services to be made available, the fees to be paid and other relevant terms and conditions.

1.6    “Personal Data” means any information controlled by Client or any of its affiliated companies which relates to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

1.7    “Services” means services provided by Talkoot to Client as described in any Order Form or SOW, including implementation services, integration services, support services and other professional services.

1.8    “Service Hours” means Monday to Friday between 8:00 a.m. and 6:00 p.m. Pacific Standard Time.

1.9    “Software” means Provider’s software as a service platform, known as Talkoot.

1.10    “Workaround” means a method used to avoid the effect of Errors of the Software without replacing and/or supplementing the Software or parts thereof.


2                Subject matter of the contract

2.1    Under this Agreement, the Provider will provide Client with access to the Software via the internet from the date agreed for the purpose of creating, developing, producing and managing all of Client’s product copy and any other types of copy the Client may choose.

2.2    The Provider shall make the latest version of the Software available to Client via the Internet for the duration of the Subscription Term. The Provider shall fix any errors of the Service immediately, in accordance with the technical possibilities and the agreed resolution times (Annex 1). An error exists if the platform is not available / accessible as agreed herein (Outage) or is slower than the performance contracted for.

2.3    The Provider shall continually provide updates and upgrades for the Software, creating additional features and functionalities and removing any defects or failures.

2.4    The Provider shall ensure that patches for critical vulnerabilities are provided within 30 days at the latest, and that other vulnerabilities are fixed within 90 days.

2.5    Point of delivery for the Software and the generated user data shall be the router exit of the Provider’s data center. The Provider shall not be responsible for the telecommunication connection between Client and the point of delivery.


3                 Grant of rights

3.1    Subject to and in accordance with the terms of this Agreement, Provider shall make the Software available to Client, its Affiliates, and their respective employees, contractors, agents, consultants, third party providers and any other users authorized by Client or its Affiliates (collectively, “Authorized Users”).

3.2    For the duration of the Subscription Term, Provider will also (a) make available all operator’s and user manuals, training materials, guides, commentary, technical, design or functional specifications, requirements documents, product descriptions, proposals, schedules, listings and other materials related to the Service (“Documentation”) and (b) grant such copying, distribution, performance, display and derivative work creation rights as are required for an Authorized User to access and use the Service. For the duration of the Subscription Term, Client and its Affiliates shall have the right to make a reasonable number of copies of the Documentation, and to display and distribute the Documentation, for their respective ordinary day-to-day business purposes, and to allow Authorized Users to do the same.


4                 Obligations of Client

4.1    Client agrees not to store any illegal content or content that violates applicable law or material rights of third parties within the provided storage space.

4.2    Client is obliged to prevent unauthorized access to the Software by third parties and to use the Software with reasonable precautions.

4.3    Client is obliged to scan the Client Data (as defined in Sec. 1.1) and the content for viruses and other harmful components before storing them on the server and to use appropriate virus protection programs.

4.4    The content stored on the Provider’s server by Client might be protected by copyright or other legal regulation. Client therefore grants the Provider a non-exclusive, non-transferable and non-sublicensable right for the term of this Agreement to make the content available to Client over the internet and to reproduce and transmit the content for this sole purpose and to reproduce the content for the sole purpose of creating data back-ups.

4.5    In order to safeguard legitimate interests, for example in the context of legal disputes, Client is authorized to scan, extract and evaluate data and to disclose such data to third parties, e.g. lawyers or courts of law. In this context, transmission of the data abroad is also not excluded.


5                Client Data

5.1    Client shall own all right, title and interest in and to all of the Client Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Client Data. Provider may not use Client Data for any purpose other than to provide the Software and Services to Client and for the purpose of statistical reporting to Client.

5.2    The Provider shall perform a full back-up on a weekly basis and an incremental back-up on a daily basis (every 24 hours). This back-up cycle might be updated and agreed between the Parties from time to time.

5.3    If the last back-up according to the agreed back-up plan failed, the Provider is liable for the loss of Client Data. Additionally, the Provider is obliged to take any measures necessary to restore the last available back-up and to restore the lost or damaged Client Data which is not covered by this last working back-up.


6                Provider’s obligations

6.1   The Provider undertakes that the Services will be performed substantially as described in Annex 1 and in accordance with up-to-date recognized industry standards and with reasonable skill and care.

6.2    Provider warrants that it has and will maintain all necessary licenses, consents and permissions necessary for the performance of its obligations under this Agreement.

6.3    The Provider shall:

a) comply with all applicable laws and regulations (especially data protection regulation) with respect to its activities under this Agreement;

b) make sure that its network and systems comply with recognized industry standard specifications; and

c) be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the WAN connection point of the data centers, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Provider network connections to the designated point of delivery.


7                 Third Party Rights

7.1    The Parties shall indemnify each other from all claims of third parties for a possible violation of third party intellectual property rights by the offending Party and reimburse the damage resulting from any violation.

7.2    If the rights of any third party are infringed, the Party acquiring knowledge of such infringement will immediately inform the other Party. The offending Party shall take suitable defense measures and conduct negotiations for settlement at the offending Party’s cost. The non-offending Party shall provide all necessary information and adequate and reasonable support.

7.3    In the event suitable defense measures and negotiations for settlement are not taken by the offending Party, the non-offending Party shall be entitled to take the necessary steps. In this case the offending Party shall reimburse the non-offending Party for the resulting expenses and damage.

7.4    In case that Client is hindered from using the Software due to a possible violation of third-party rights, the time of hindrance shall count as unavailability.


8                Term and Termination

8.1    The term of this Agreement begins on the Effective Date and will continue unless terminated by either Party as set forth herein. The subscription term for the Software will be set forth on a quote, order form or Statement of Work and will include the initial term (the “Initial Term”).  After the Initial Term, this Agreement may renew for one or more successive twelve (12)-month terms (each, a “Renewal Term”).

Either Party may terminate this Agreement for good cause upon 30 days written notice, if

a) the agreed availability of a Service is not met for three consecutive months;

b) the actual availability of a Service is 3 or more percent below the agreed Availability within three consecutive months;

c) in 25% of the cases within three consecutive months Provider does not meet the agreed resolution times; or

d) the agreed maximum uninterrupted downtime for a Service is actually exceeded by 50% for three consecutive months.

Provider may terminate this Agreement for good cause upon 30 days written notice if Client is in default of the agreed payment terms (30, 60 or 90 days).

8.2    Without prejudice to any other rights or remedies to which the Parties may be entitled, either Party may terminate this Agreement without liability to the other if:

a) the other Party commits a material breach of any of the terms of this Agreement and (if such a breach is remediable) fails to remedy that breach within 30 days of that Party being notified in writing of the breach; or

b) that Party would be entitled to terminate this Agreement for good cause as specified in 8.1 above; or

c) the other Party becomes insolvent.

8.3    Upon termination of this Agreement for any reason:

a) all licenses to data granted under this Agreement shall terminate as soon as Client has migrated all Client Data;

b) each Party shall return and make no further use of any equipment, property, documentation and other items (and all copies of them) belonging to the other Party;

c) the Provider may under no circumstances destroy or otherwise dispose of any of the Client Data in its possession unless the Provider receives a written allowance for the destruction of such data. The Provider shall deliver the back-up of the Client Data to Client within 3 days of its receipt of such written request, and confirm the deletion in writing.


9                Confidentiality

9.1    Each Party shall keep in strict confidence all Confidential Information of the other Party. The Party disclosing Confidential Information shall hereafter be referred to as “Disclosing Party”, and the Party receiving Confidential Information as “Receiving Party”. The obligation of confidentiality ends when Confidential Information becomes publicly known through no fault of the Receiving Party or when the Disclosing Party has agreed to the disclosure in writing. The Provider shall use Confidential Information for no other purpose than the performance of this Agreement. The Receiving Party will use the same measures to protect the Disclosing Party’s Confidential Information as it uses to protect its own information of a similar nature, and in any event at least a reasonable standard of care.

9.2    Confidential Information does not include information that: (a) is public, so long as it did not become public due to a breach of this Agreement; (b) is known by the Receiving Party prior to its disclosure by the Disclosing Party; (c) is independently developed by the Receiving Party; or (d) was disclosed by a source who does not have an obligation to treat the information as confidential. The Receiving Party must prove the existence of any of the foregoing exceptions. Personal Data remains Confidential Information even if it qualifies under one of these exceptions.

9.3    The disclosure restriction does not apply to the extent that such disclosure is compelled by law or by any order of a court of competent jurisdiction provided that the Party obligated to disclose provides the other Party with prompt written notice of such requirement prior to disclosure and takes steps sufficient to allow the other Party to object to such disclosure.

9.4    The Receiving Party is allowed to disclose Confidential Information to its employees and to employees of its affiliated companies only if the employee has a need to know it for the purpose of this Agreement. The Receiving Party shall ensure that those employees are made aware of the confidentiality restrictions contained in this Agreement and the Receiving Party shall be responsible for any breach of this Agreement by its own employees or by employees of its affiliated companies.

9.5    The Provider shall be entitled to disclose Confidential Information to its subcontractors provided such subcontractors are involved in the performance of Services and the subcontractor signs provisions concerning confidentiality, security, and data protection similar to those contained in this Agreement and that the subcontractor agrees to oblige its employees and subcontractors (such as freelancers) in writing to maintain data secrecy, the secrecy of telecommunications, confidentiality, and IT security as set out in this agreement. Client shall be entitled to disclose Confidential Information to third parties provided such third parties are performing services for Client or are providers or customers of Client and provided such third parties are obliged by contract not to disclose any Confidential Information for an unlimited period of time. Client shall ensure that those third Parties are made aware of the confidentiality restrictions contained in this Agreement.

9.6    Notice of Disclosure. The Receiving Party will notify the Disclosing Party immediately if it discovers any inadvertent disclosure or unauthorized use of the Disclosing Party’s Confidential Information, and will promptly take reasonable steps to prevent any further disclosure or unauthorized use.

9.7    Destruction of Information. Immediately upon expiration or termination of the Agreement for any reason, or otherwise upon the Disclosing Party’s request, the Receiving Party will promptly destroy all Confidential Information (in all forms) of the Disclosing Party and certify in writing that it has destroyed everything. Nothing in this Section 9.7 shall require the destruction of (a) computer files created by automatic archiving and back-up procedures which cannot reasonably be deleted or (b) Confidential Information which is required by Law to be preserved.


10              Data Protection and IT: Security and Software Policy

10.1    When performing the agreed services, the Provider may obtain knowledge of certain Personal Data. The Provider shall ensure that Personal Data is stored, used, or transmitted only to the extent required in order to perform the agreed services. The Provider is not allowed to store, use, or transmit Personal Data for any other purpose. In case Personal Data is stored on systems of the Provider or any of its subcontractors, the Personal Data must not be kept longer than necessary to perform the agreed services.

10.2    The Provider must have in place appropriate technical and organizational measures to protect the Confidential Information/Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. The same obligation applies for any Confidential Information/ Personal Data filed on the Provider’s data processing systems and data carriers of any kind. Unless required for the performance of contractual duties under this Agreement, storage of Confidential Information/Personal Data on external media and printouts are not allowed.

10.3    In all cases where the Provider gets access to Client systems, the Provider will use best commercial efforts to comply with the following measures:

a) Access can only be requested for and granted to a specific person. Before deciding whether access is to be granted, Client may request evidence from the Provider of that person’s obligation to comply with data secrecy and IT security requirements.

b) The Provider is obliged to keep its personal password and user name strictly confidential. In case of any disclosure to unauthorized third persons, or on suspicion thereof, the Provider has to change the password immediately.

c) The Provider must notify its contact person without delay if it recognizes access to data which it should not have.

10.4    In case of programming assignments for Client, the Provider shall allow only designated staff access to Production (live) source code and libraries, maintaining a strict segregation of duties process.

10.5    The Provider and its staff shall apply and observe the Client Group IT Security & Compliance Requirements if such a document exists and is appended to this document, and all guidelines and instructions issued to the Provider by Client’s IT security.

10.6    The Provider shall give Client immediate notice of any suspicion of possible weaknesses in Client’s IT security. Without delay the Provider shall take all suitable precautions within its field of responsibility. This applies especially if suspicion arises that access rights have become known to unauthorized persons, are being used by unauthorized persons, or that unauthorized persons are attempting to obtain access rights.

10.7    Usage by the Provider of software which is in use at Client shall always conform to the provisions of the applicable license terms. No software and no documentation may be duplicated by the Provider. The Provider is not permitted to pass on or lend software to unauthorized persons. The Provider shall not reverse engineer, decompile or reverse compile, disassemble, list, print or display any software or otherwise attempt to obtain the source code or other proprietary or confidential information from any software.


11                Indemnification and Limitation of Liability

11.1    Mutual Indemnity. Each party (“Indemnifying Party”) will defend and compensate the other party, its Affiliates, and their respective employees, directors, managers, officers, partners, shareholders, contractors, and agents (collectively, the “Indemnified Persons”) against and for any claims, demands, suits, actions, or other proceedings brought by third parties (each a “Claim”), and all losses, damage, judgments, payments made in settlement, and costs and expense, including reasonable attorneys’ fees and disbursements and court costs as a result of such Claims, relating to (a) bodily injury or death of any person or damage to real and/or tangible personal property to the extent directly or indirectly caused by the Indemnifying Party, its personnel, subcontractors, or agents; or (b) relating to or arising out of the Indemnifying Party’s, its personnel’s, subcontractors’, or agents’ performance of its obligations under this Agreement, including a breach of any provision of this Agreement by the Indemnifying Party, its personnel, subcontractors, or agents.

11.2    Provider Intellectual Property Indemnity. Provider will defend and compensate the Client Indemnified Persons from and against any Claims and all losses, damage, judgments, payments made in settlement, and costs and expense, including reasonable attorneys’ fees and disbursements and court costs as a result of such Claims, that the Service, Deliverables, Provider Materials, applications, or any other item, information, system, deliverable, Documentation, software or service provided under this Agreement (“Protected Materials”) by Provider (or any Provider Affiliate, agent, contractor, subcontractor or representative), or Client’s use thereof (or access or other rights thereto) in accordance with this Agreement, infringes or misappropriates any patent, trade secret, trademark, copyright or other intellectual property or proprietary right of a third party. In the event that the Protected Materials are held or are believed by Provider to infringe or misappropriate a third party’s intellectual property rights, Provider may, at its option and expense (a) replace the Protected Materials so that the affected portions are substantially equivalent in function to the allegedly infringing Protected Materials; (b) obtain a license for Client to continue using the affected portions of the Protected Materials; or (c) modify the Protected Materials so that the affected portions are non-infringing. Alternatively, if Provider and Client determine that none of these alternatives is reasonably available, then Provider or Client may terminate this Agreement with respect to the affected portions of the Protected Materials and, in that event, Provider shall provide to Client a refund of any Fees paid by Client to Provider for the Service, any implementation Services, and Deliverables not yet provided to Client.

11.3    Indemnification Procedures. An Indemnified Person must promptly give written notice to the Indemnifying Party of any Claim. The Indemnifying Party may elect to retain counsel of its choice to represent the Indemnified Person in connection with any Claim, and will pay all fees and costs of such counsel. An Indemnified Person may participate at its own expense and through legal counsel of its choice in any such Claim. The Indemnifying Party will not settle any Claim without the prior written consent of the Indemnified Person, which shall not be unreasonably withheld. However, the Indemnified Person may assume control of the defense of the Claim and retain counsel reasonably acceptable to the Indemnifying Party, if: (a) the Indemnifying Party does not assume control of the defense; (b) conflicts of interest exist between the parties with respect to the Claim; or (c) the other party to the Claim is seeking relief which in an Indemnified Person’s reasonable judgment may adversely affect the Indemnified Person’s business. In this case, the fees, charges, and disbursements of no more than one counsel per jurisdiction selected by the Indemnified Person will be reimbursed by the Indemnifying Party.


12              Compliance

12.1     Laws. Provider, its Affiliates, and their subcontractors, including any of their employees, will perform the Services and the Deliverables in accordance with all applicable Laws.

12.2    Anti-Discrimination. Provider affirms that it is committed to equal employment opportunity and does not and will not discriminate against individuals based on race, ethnicity, gender, gender identity, sexual orientation, disability or veteran status. Provider agrees the following clauses from the Code of Federal Regulations will apply to this Agreement to the extent applicable and are incorporated herein by reference: the Equal Employment Opportunity Clause of Section 202 of Executive Order 11246 (41 CFR 60-1.4(a)), the Equal Employment Opportunity Clause for Workers with Disabilities (41 CFR 741.5(a)), the Equal Opportunity Clause for Disabled Veterans, Recently Separated Veterans, Other Protected Veterans and Armed Forces Service Medal Veterans (41 CFR 60-300.5(a)), and the Notice Clause of Executive Order 13496 regarding Employee Rights under the National Labor Relations Act (NLRA) (29 CFR Part 471, Appendix A to Subpart A).  For additional obligations that may apply to purchases of $50,000 or more, including annual EEO-1 Report, VETS-4212 Report and affirmative action plan (AAP) requirements, please see 41 CFR 60-1.2, 60-1.7, 60-1.12, 60-2.1, 41 CFR Part 61-300 and 29 CFR §1602.7. Also, under 29 CFR §10.11(a) and §10.21, you may be covered by the minimum wage obligations of Executive Order 13658 and/or the paid sick leave provisions of Executive Order 13706.  If/as applicable, Provider makes the following additional affirmation: This contractor and subcontractor will abide by the requirements of 41 CFR 60-300.5(a) and 41 CFR 60-741.5(a). These regulations prohibit discrimination against qualified protected veterans and qualified individuals on the basis of disability, and requires affirmative action by covered prime contractors and subcontractors to employ and advance in employment qualified protected veterans and individuals with disabilities.

12.3    Policies. Personnel performing the Professional Services at Client’s premises or accessing Client’s networks will comply with Client’s standards and policies, including facility, network and usage policies.

12.4    Force Majeure. Neither party will be liable under, or deemed to be in breach of, this Agreement for any delay or failure in performance under this Agreement that is caused by any of the following events: acts of God, civil or military authority, the public enemy, or war; accidents; fires; explosions; power surges; earthquakes; floods; unusually severe weather; strikes or labor disputes (excluding Provider’s subcontractors); delays in transportation or delivery; epidemics; terrorism or threats of terrorism; and any similar event that is beyond the reasonable control of the non-performing party (“Force Majeure Event”). The party affected by the Force Majeure Event must diligently attempt to perform (including through alternate means).  During a Force Majeure Event, the parties will negotiate changes to this Agreement in good faith to address the Force Majeure Event in a fair and equitable manner. If a Force Majeure Event continues for ten (10) days or longer, and the non-performing party is delayed or unable to perform under this Agreement as a result of the Force Majeure Event, then the other party will have the right to terminate this Agreement, in whole or in part, upon written notice to the non-performing party.


13              Miscellaneous

13.1    Annexes 1 and 2 form an integral part of this Agreement. This agreement contains the entire agreement between the Parties related to the subject matters contained herein and there are no agreements, oral or written, which are not expressly included herein. The general terms and conditions of the Parties shall not apply to the subject matter of this Agreement.

13.2    Any alteration or modification of this Agreement is not valid unless it is made in writing. This mandatory written form also applies to the alteration of the mandatory written form. Any termination shall be in writing.

13.3    Nothing in this Agreement shall be construed to create a partnership, joint venture, corporation or similar relation between the Provider and Client.

13.4    If one or more of the provisions of this Agreement should be or should become invalid, this shall not affect the remaining provisions. Invalid provisions shall be replaced if possible, by those valid provisions which achieve essentially the desired economic objectives.

13.5    This Agreement will not be assignable or transferable without the prior written consent of the other Party.

13.6    This Agreement and all claims arising under and in connection with this Agreement shall be governed by the substantive laws of the State of Oregon.

Annex 1: Service, Availability and Maintenance

Availability of the Software and Services

Availability of the Services shall be calculated as follows:

Availability = (AST - DT) / AST x 100%

AST = Agreed Service Time

DT= Downtime

The Provider owes the agreed availability of the Service, the generated user data and other services during the agreed service time as defined in Annex 1 at the point of delivery for the duration of the contract. Availability shall be measured separately for each of the provided Services as defined in Annex 1.

The Service is available if all of its functionalities are technically usable by Client at the point of delivery.

The generated user data is available if all of its data is technically usable by Client at the point of delivery.

Further details on the availability of all Services, in particular the method of measurement, the relevant service times, the maximum uninterrupted downtime, agreed maintenance windows and remedies in case of non-compliance with the agreed availability shall be defined in Annex 1.

Irrespective of any compliance with the agreed availability, the maximum uninterrupted downtime shall not exceed 8 total hours for each of the Services during the Term as defined in the Talkoot License Agreement between the Parties.

The above agreed service time availability shall not include planned maintenance carried out during the maintenance window as agreed with Client in Annex 1.

In case the availability of a Service as defined above is partially or fully not met, a service credit of 10% of the Client’s annual contract value will be provided.

The Provider bears the burden of proving that noncompliance with the agreed availability targets was caused by reasons for which the Provider cannot be held legally responsible.
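Worked example (added here; it is not part of Talkoot’s terms or of any Talkoot tooling): a small Python script that applies the Annex 1 formula, Availability = (AST - DT) / AST x 100%, to a constructed outage log. It assumes that Agreed Service Time equals the Service Hours of Section 1.8 (Monday to Friday, 08:00 to 18:00 Pacific Time, handled as naive local times), that planned maintenance is excluded from downtime only when it falls entirely inside the agreed window of Friday 6:00 p.m. to Sunday 12:00 a.m. PT, that the 8-hour maximum uninterrupted downtime is measured wall-clock, and that the 10% credit is owed when availability falls below an agreed target. The 99.5% target, the measurement period and every outage record are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Assumption: Agreed Service Time (AST) = Service Hours of Section 1.8,
# Mon-Fri 08:00-18:00 Pacific Time, expressed as naive local datetimes.
SERVICE_START = time(8, 0)
SERVICE_END = time(18, 0)
MAX_UNINTERRUPTED_HOURS = 8        # Annex 1: maximum uninterrupted downtime
PLANNED_MAINTENANCE_CAP_MIN = 240  # Annex 1: planned interruptions <= 4 h/month
CREDIT_PERCENT = 10                # Annex 1: 10% credit when availability is missed


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    planned: bool  # True for planned maintenance, False for unplanned outage


def service_minutes(start: datetime, end: datetime) -> int:
    """Minutes of [start, end) that fall inside Service Hours (Mon-Fri 08:00-18:00)."""
    total = 0
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            lo = max(start, datetime.combine(day, SERVICE_START))
            hi = min(end, datetime.combine(day, SERVICE_END))
            if hi > lo:
                total += int((hi - lo).total_seconds() // 60)
        day += timedelta(days=1)
    return total


def in_maintenance_window(start: datetime, end: datetime) -> bool:
    """True if the whole interval lies inside Fri 18:00 PT .. Sun 24:00 PT (= Mon 00:00)."""
    wd = start.weekday()
    if wd not in (4, 5, 6):
        return False
    friday = start.date() - timedelta(days=wd - 4)
    opens = datetime.combine(friday, time(18, 0))
    closes = datetime.combine(friday + timedelta(days=3), time(0, 0))
    return start >= opens and end <= closes


def counts_as_downtime(o: Outage) -> bool:
    """Planned maintenance inside the agreed window is excluded; everything else counts."""
    return not (o.planned and in_maintenance_window(o.start, o.end))


def downtime_minutes(period_start: datetime, period_end: datetime, outages: list) -> int:
    """DT: counted outage minutes within Service Hours, clipped to the measurement period."""
    return sum(
        service_minutes(max(o.start, period_start), min(o.end, period_end))
        for o in outages if counts_as_downtime(o)
    )


def availability_percent(period_start: datetime, period_end: datetime, outages: list) -> float:
    """Annex 1 formula: Availability = (AST - DT) / AST x 100%."""
    ast = service_minutes(period_start, period_end)
    dt = downtime_minutes(period_start, period_end, outages)
    return (ast - dt) / ast * 100


def max_uninterrupted_hours(outages: list) -> float:
    """Longest single counted outage, wall-clock (assumed measurement basis)."""
    counted = [o for o in outages if counts_as_downtime(o)]
    return max(((o.end - o.start).total_seconds() / 3600 for o in counted), default=0.0)


def sla_report(period_start, period_end, outages, agreed_percent: float) -> dict:
    """Summarise the Annex 1 checks for one measurement period."""
    avail = availability_percent(period_start, period_end, outages)
    planned_min = sum(
        int((o.end - o.start).total_seconds() // 60) for o in outages if o.planned
    )
    return {
        "availability_percent": round(avail, 3),
        "downtime_minutes": downtime_minutes(period_start, period_end, outages),
        "max_uninterrupted_hours": max_uninterrupted_hours(outages),
        "exceeds_max_uninterrupted": max_uninterrupted_hours(outages) > MAX_UNINTERRUPTED_HOURS,
        "planned_maintenance_over_cap": planned_min > PLANNED_MAINTENANCE_CAP_MIN,
        "shortfall_points": round(max(0.0, agreed_percent - avail), 3),
        "credit_percent_due": CREDIT_PERCENT if avail < agreed_percent else 0,
    }


# Constructed sample: one week, Mon 2024-03-04 00:00 to Mon 2024-03-11 00:00 (AST = 5 x 10 h).
PERIOD_START = datetime(2024, 3, 4, 0, 0)
PERIOD_END = datetime(2024, 3, 11, 0, 0)
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 11, 0), planned=False),   # 120 min counted
    Outage(datetime(2024, 3, 6, 17, 30), datetime(2024, 3, 6, 19, 0), planned=False), # 30 min counted
    Outage(datetime(2024, 3, 7, 12, 0), datetime(2024, 3, 7, 12, 30), planned=True),  # outside window: counts
    Outage(datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 4, 0), planned=True),     # inside window: excluded
]
AGREED_PERCENT = 99.5  # assumed target; the terms leave the figure to the Order Form

if __name__ == "__main__":
    for k, v in sla_report(PERIOD_START, PERIOD_END, SAMPLE_OUTAGES, AGREED_PERCENT).items():
        print(f"{k}: {v}")
```

With the constructed log, AST is 3000 minutes and DT is 180, so availability is 94.0%; the Saturday maintenance is excluded because it sits inside the Friday-to-Sunday window, while the Thursday lunchtime maintenance counts because it does not. The 8.1 b) trigger ("3 or more percent below the agreed Availability") is what the shortfall figure is meant to feed, but 8.1 requires the condition across three consecutive months, so a single period's report is only one input to that decision.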

The Provider shall ensure that (starting) from the time the Provider is notified of an error by Client or by a system alert (whichever comes first), depending on the criticality of the error, the Provider

a) shall inform Client of the respective error and begin with its resolution within the agreed timeframe (Response Time) as well as

b) resolve such error within the agreed timeframe (Resolution Time)

Errors shall be determined and removed according to the following classifications, response times and resolution times:

a) An error that prevents the execution of business operations because relevant parts of the Services are not functional.
   Response Time: 1 hour
   Resolution Time: Workaround within 6 hours; Full Resolution Fix within 1 Business Day (or as mutually agreed with Client)

b) An error that has considerable impact on business operations to an extent preventing their normal execution or allowing execution thereof only with unreasonable efforts, because relevant parts of the Services are not functional, unavailable/not accessible or the Services or relevant parts thereof are significantly slower than the performance contracted for.
   Response Time: 4 hours
   Resolution Time: Workaround within 1 Business Day; Full Resolution Fix within 3 Business Days (or as mutually agreed with Client)

c) An error that has minimal impact on the normal execution of business operations, because minor functionalities of the Services are unavailable or actual performance is only insignificantly slower than the performance contracted for.
   Response Time: 1 Business Day
   Resolution Time: Next maintenance window (or as mutually agreed with Client)

The classification of a given error under the above scheme shall be mutually determined by the Parties. In case the Parties cannot agree, the following escalation shall apply:

a) Project managers will try to find a solution to the problem within another 5 business days. In case the project managers cannot resolve the dispute within this period, the project managers have to immediately escalate the problem to the next level.

b) The respective heads of department will try to find a solution to the problem within the following 5 business days. In case the heads of department cannot resolve the problem within this period, they have to immediately escalate the problem to their superiors.

c) The superior level will try to find a final solution to the problem within the following 5 business days.

The aforementioned escalation process shall not suspend any response and resolution times described in this Agreement. The lower error classification between the Parties shall determine the applicable response and resolution times.


Planned Maintenance will normally not lead to any service interruption. If, however, any planned maintenance should require a service interruption or if such an interruption should be expected, Provider shall notify Client in writing of such maintenance with at least 48 hours' prior notice. Provider shall undertake all reasonable endeavors to perform such maintenance between 6 p.m. PT on Fridays and 12:00 a.m. PT on Sundays.

Planned maintenance requiring or leading to an interruption of the Service shall in total not exceed four (4) hours per month. In exceptional cases and as mutually agreed between the parties, the aforementioned maximum maintenance time/Service interruption due to planned maintenance may be exceeded.


Annex 2: IT Security & Compliance Provisions

1. Basic Security Requirements

Appropriate technical and organizational measures. The Provider shall implement the necessary technical and organizational measures to ensure and maintain the level of IT security adequate for the type and scope of the services provided, as well as for the confidentiality of the data the Provider has access to.

All information about Client IT security and the applied IT security measures are confidential information.

The level of adequate Security is subject to the current technological standards taking into account industry best practices and further development.

Detailed security concept. Upon Client request, the Provider shall provide a detailed security concept with associated risks, applied countermeasures and a description of the architectural IT design. The security concept would be specified for all systems and transfer interfaces and demonstrate how risks are minimized for transfer, storage, data integrity and error handling. Subsequent significant changes with regard to involved people, processes and technology which could have an impact on the security of Client data or systems would be documented and presented to Client for reassessment.

2. Security Management

Security policy. The Provider shall have a security policy that covers the current state-of-the-art IT Security Management by following industry standards and best practices (e.g. ISO 270XX). The Provider shall review its security processes, procedures and controls at least annually.

Audit report. Upon Client request, the Provider shall provide an industry-recognized Information Security audit report.

Contact person. The Provider shall name a contact person (e.g. Security Manager) who is responsible for all IT Security related issues and accountable for complying with the applicable Client IT Security & Compliance requirements. The Provider shall have an efficient management structure in place to regulate and escalate security issues.

Security. The Provider shall inform the Client IT Security contact person of any security incident without undue delay where a risk to Client Systems or data is possible. In the event of a breach of data or other justified reason that indicates a risk to the confidentiality, integrity or availability of Client data caused by the Provider, Client shall be entitled to conduct an audit of the systems/infrastructure in scope.

Employees and subcontractors. The Provider shall ensure that its employees when working on Client premises or having access to the Client network or using Client Systems will comply at all times, with all instructions given and/or applicable policies provided by Client in relation to Client IT-Security and the usage of the provided systems. The Provider shall maintain inventories of subcontractors with access to Client information. The inventories shall comprise:

a) subcontractors’ names and services provided

b) access, transfer and/or storage details for Client data

c) subcontractors’ access to IT systems (of Provider) providing services to Client.

3. Physical Security

Buildings and premises. Buildings and premises used by the Provider to perform services for Client would be physically protected and secured against unauthorized access and forced

Authorization of The Provider shall ensure that only authorized persons can access premises and company buildings where Client’s data is stored or processed.

4. Logging and Monitoring

Log entries. Log entries would identify the individual whose action is being audited, the individual affected by the action and the time of the action. Log entries shall not contain any sensitive information. Log files shall be in a human-readable format (e.g. ASCII, XML) and analyzable with standard software tools.

5. Data Handling

Confidential Information. All information about Client IT security and the applied IT security measures are confidential information. Especially information concerning data flow, product processes or security features shall be kept locked and handled strictly confidential. The use of production data for developing and testing a new system or system changes is not allowed.

Correctness and integrity. The Provider shall ensure that procedures are established which guarantee correctness, integrity and availability of Client data throughout all stages of data processing. These procedures would be documented.

6. Operational Security

Operational procedures. Appropriate operational procedures for managing IT systems used to access, process and/or store Client data or to access Client IT systems would be implemented, maintained, documented and made available to all users who need them. At a minimum, operational procedures would be implemented for:

a) Change, configuration and release management

b) Capacity management

c) Technical vulnerability and patch management

d) Network

Operational segregation. Duties would be segregated and user access rights kept to the necessary minimum to reduce opportunities for unauthorized or unintentional modification or misuse of Client assets. Provider would also segregate development, test and production systems and network to reduce the risks of unauthorized access or changes to the operational IT systems.

Antivirus software. Every system of the Provider used to provide services to Client shall have approved, properly configured and managed antivirus software. Antivirus software would be updated at least daily and real-time scanning would be enabled at all times. Every device of the Provider used to provide services to Client would be protected by a properly configured firewall that protects the systems from unwanted access through the network. The Provider shall ensure that all systems receive and apply up-to-date security patches at all times.

Remote access to Client Systems. The use of remote connections (e.g. VPN, RDP, Citrix, VNC etc.) would be subject to prior approval by Client IT Security. Access to Client Systems can only be allowed via secured network connections from systems authorized by Client IT Security. The Provider shall ensure that remote access accounts provided by Client (user names and passwords) will not be shared with or used by other individuals. If wireless connections are used (WLAN, Bluetooth, IrDA, etc.), they must be securely configured. In case of WLAN usage, WPA2 must be used for wireless connections. In case there is reason to believe that any Client account information has been disclosed to or accessed by an unauthorized person, the Provider shall inform Client without undue delay.

Authentication process. The Provider shall ensure that systems are restricted by a proper authentication process, at minimum by a username/password combination. Any access to the computer must be prohibited for third parties or other non-authorized people.

7. Software/Application Development (applicability depending on the provided services)

Development standards. Software development for Client shall be based on industry best practices and also incorporate information security throughout the software development life cycle (SDLC).

Production environments. Only designated staff shall be allowed access to Production (live) source code and libraries, maintaining a strict segregation of duties. The entire application code promoted to the production environment would be validated through a secure process. All Client applications would be tested in a near-Production (Staging) environment.

8. Provision of Software (applicability depending on the provided services)

The Provider shall provide all technical and management documentation about the software product requested by Client IT Security.

Provision of software. Any software to be provided for use on Client Systems or within the Client IT infrastructure would undergo a security assessment by IT Security teams prior to its final usage. Software packaging and distribution of the software on any media (e.g. USB, CD, download link) would be done in a secure way to ensure integrity of the software until its delivery to Client (e.g. protection against unauthorized modifications, malicious code).

9. Business Continuity Management (BCM) (applicability depending on the provided services)

Appropriate BCM. To be capable of responding adequately to emergency situations, the Provider would have a functioning business continuity management system. This involves developing appropriate organizational structures and plans that enable a rapid response when emergencies occur and a quick resumption of at least the crucial business processes.

Practice of the BCM processes. To verify the efficacy of measures in the business continuity management area, the Provider shall carry out regular tests and emergency exercises. These would not only check that the crisis management strategies and plans work, can be implemented and are auditable, but would also ensure that Provider’s staff will acquire the necessary practice in dealing with exceptional situations. The Provider agrees with Client on a yearly test schedule including the necessary involvement from Client side.

RTO, RPO and RCL. The Provider and Client agree on the following values:

RTO (Recovery Time Objective) = 8 hours (value in hours or days, or refer to the SLA section if RTO is defined there): maximum unscheduled outage time that can be accepted by Client.

RPO (Recovery Point Objective) = 4 hours (value in hours or minutes, or refer to the SLA section if RPO is defined there): maximum loss of data that can be accepted by Client.

RCL (Recovery Capacity Level) = 90% (value in % of the initial capacity or reduced response times, or refer to the SLA section if RCL is defined there): capacity level (measured by available hardware capacity, system performance or response times) available for Client during emergency operations until the original / primary services are recovered.
