Service levels and IT security controls policy

If there is any conflict or inconsistency between the Service Levels and IT Security Controls Policy and other terms of the Agreement, the terms of the Service Levels and IT Security Controls Policy below shall take precedence. Unless otherwise defined, capitalised words and expressions have the same meaning as set out in the Agreement.

Service levels and availability

I.      Availability

A.     Availability Requirement. HighQ shall use commercially reasonable efforts to make the Hosted Services available and operable for access and use by Licensee, its Permitted Affiliates and the Authorized Users in material conformity with the Agreement (“Available”), as measured over the course of each calendar month during the Term (each such calendar month, a “Service Period”), at least 99.9% of the time, excluding only the time the Hosted Services are not Available solely as a result of one or more Exceptions defined below (the “Availability Requirement”).

B.     Exceptions. Availability will be calculated without regard to downtime or degradation that is due to any of the following (“Exceptions”): (1) misuse of the Licensed Software or Services by Licensee, its Permitted Affiliates or the Authorized Users; (2) failure of internet connectivity; (3) Licensee’s failure to meet any minimum hardware or software requirements set forth in the Documentation; (4) Scheduled Downtime (as defined below); (5) Force Majeure events; (6) data corruption due to Authorized User error; (7) any actions, inactions or omissions (including but not limited to technical failures) of a third party provider outside of HighQ’s reasonable control; or (8) an unauthorized change by Licensee that affects the configuration of the Licensed Software.

C.      Scheduled Downtime. All scheduled outages of the Hosted Services in whole or in part (“Scheduled Downtime”) shall be as set forth in the table below, provided that HighQ may request, for Licensee’s approval, extensions of Scheduled Downtime above, and such approval by Licensee may not be unreasonably withheld or delayed.

Scheduled Downtime

| All dates and times are London time | Deployment window (up to 1 hour outage) | Maintenance window (up to 2 hours’ outage) |
| --- | --- | --- |
| UK | Saturday 18:00 – 22:00 | Saturday 22:00 – 23:59 |
| US/Canada | Sunday 06:00 – 10:00 | Sunday 10:00 – 12:00 |
| UAE | Friday 10:00 – 14:00 | Friday 14:00 – 16:00 |
| Germany | Saturday 18:00 – 22:00 | Saturday 22:00 – 23:59 |
| Australia | Saturday 12:00 – 16:00 | Saturday 16:00 – 18:00 |
| Jersey | Saturday 18:00 – 22:00 | Saturday 22:00 – 23:59 |

II.      Support and Maintenance

A.     General. HighQ shall provide support to Licensee’s Authorized Users during the applicable time periods, which services shall include the maintenance and support services set forth below (collectively, “Support Services”) in connection with its access to and use of the Services. For avoidance of doubt, HighQ shall not be responsible to respond or address inquiries from anyone other than the Authorized Users.

B.     Hosted Services.

1.       HighQ shall: (a) use commercially reasonable efforts to respond to and correct any and all failures of the Hosted Services to be Available or otherwise perform in accordance with the Agreement (each, a “Service Error”) in accordance with the Support Service Level Requirements set forth below, including by providing defect repair, programming corrections and remedial programming; (b) provide telephone support; (c) provide online access to technical support bulletins and other user support information and forums, to the full extent HighQ makes such resources available to its other Licensees; and (d) respond to Support Requests (as such terms are defined below) as specified herein. For the avoidance of doubt, a Service Error shall not be due to an Exception.

2.       HighQ shall use commercially reasonable efforts to monitor and manage the Hosted Services to optimize Availability that meets or exceeds the Availability Requirement. Such monitoring and management may include, in HighQ’s judgment: (a) proactively monitoring on a 24 hour by seven day basis all Hosted Service functions and (b) if such monitoring identifies, or HighQ otherwise becomes aware of, any circumstance that is reasonably likely to threaten the Availability, taking necessary and reasonable remedial measures to eliminate such threat and ensure full Availability; and (c) if HighQ receives knowledge that the Hosted Services are not Available.

C.     Licensed Software. HighQ shall use commercially reasonable efforts to maintain the Licensed Software to comply with the Terms and Conditions of the Agreement. Such services may include, as determined by HighQ, providing to Licensee and its Authorized Users updates, bug fixes, enhancements, new releases, new versions and other improvements to the Licensed Software so that the Licensed Software operates in accordance with the Terms and Conditions of the Agreement. Licensee shall have 4 months from the release of a new version to upgrade the Licensed Software (“Transition Period”). Should the Licensee not upgrade during the Transition Period, HighQ shall automatically upgrade the Licensed Software. HighQ shall only support the current version of the Licensed Software, save for the Transition Period where HighQ shall be responsible for supporting the previous version of the Licensed Software. HighQ shall, at its sole discretion, make necessary unscheduled deployments of maintenance releases (which shall include but will not be limited to changes, bug fixes, patch releases, updates or any enhancements to the Licensed Software).

D.     Service Levels. HighQ shall use commercially reasonable efforts to address all Service Errors and respond to all Support Requests in accordance with the required times and other Terms and Conditions set forth below (“Support Service Level Requirements”).

1.       HighQ shall classify requests for Service Error corrections in accordance with the descriptions set forth in the chart below (each a “Support Request”).

| Support Request Classification | Description |
| --- | --- |
| 1 – Critical | A critical part of the Licensed Software infrastructure is unavailable or inaccessible other than during Scheduled Downtime, resulting in total disruption of work or critical business impact. Software error that results in the loss of critical documented feature/function for which there is no suitable Workaround. Data is corrupted or lost and must be restored from backup. |
| 2 – Major | The Licensed Software is operational but highly degraded performance to the point of major impact on usage. Important features of the Licensed Software are unavailable with no acceptable Workaround; however, operations can continue in a restricted fashion. |
| 3 – Minor | Service is operational but partially degraded for some or all users, and an acceptable Workaround or solution exists. Problem with non-critical feature or functionality. |

2.       Authorized Users shall notify HighQ of Support Requests by e-mail, telephone or such other means as the parties may hereafter agree to in writing. Support questions may be communicated (a) via email to support@highq.com; (b) via telephone by region (North America +1 212 203 5246, Australia +61 (0) 2 9188 5045 or UK/Europe +44 (0) 20 72 20 5341); or (c) via internet at http://support.highq.com.

3.       Response times will be measured from the time HighQ receives a Support Request until the respective times HighQ has responded to such Support Request. HighQ shall respond to all Support Requests within the following times based on the severity of the Service Error:

| Support Request Classification | Response Time | Resolution Process |
| --- | --- | --- |
| 1 – Critical | 30 minutes | Respond to Licensee with a Workaround or Plan for resolving the Service Error within 8 hours of initial contact. HighQ shall assign all necessary resources on a priority basis to resolve the issue and ensure that those resources work continuously on the issue until an actual resolution is provided. |
| 2 – Major | 60 minutes | Respond to Licensee with a Workaround or Plan for resolving the Service Error within 2 business days of initial contact. HighQ shall address the Service Error in the next release of the Software. |
| 3 – Minor | 8 hours | Respond to Licensee with a Workaround or Plan for resolving the Service Error within 10 business days of initial contact; however, the actual fix for Service Request may be addressed in the next release of the Software as timing and planning permits. |

For purposes hereof:

“Workaround” means a feasible change in operating procedures whereby an Authorized User can avoid the deleterious effects of a Service Error without material inconvenience.

“Plan” means a description of the steps being taken by HighQ to resolve the Service Error which includes: (a) a description of the HighQ staff skill sets that have been assigned to work on the Service Error; (b) a high level description of the actions those staff are taking as part of the effort to resolve the Service Error; and (c) a preliminary technical plan for how the Service Error will be resolved.

E.     Availability Failures. If the Licensed Software is not Available for seven consecutive days during any rolling 30 day period, Licensee shall have the right to terminate the Hosted Services, upon five days written notice to HighQ.

F.     Disaster Recovery – Alternate Site. If HighQ’s hosting site becomes inoperable, inaccessible or subject to a material disruption, HighQ will use its commercially reasonable efforts consistent with good industry practices to switch to the alternate site within the same geographical area, within 4 hours of HighQ notifying the Licensee of the same. For avoidance of doubt, in the event of a Support Request Classification of Critical or, the cause of which is an infrastructure issue associated with the data center hosting the Licensed Software, the Licensed Software will be made available at a failover data center within 4 hours.

G.     Data Ownership. Licensee shall solely and exclusively own all right, title and interest in and to any Licensee Data, as defined in the Agreement. HighQ may use Licensee Data during the Term solely as necessary in order to provide services to Licensee as set forth in this Agreement. At any time during the Term or within 15 days of termination of the Term, the Licensee may request in writing access to the Licensed Software so as to obtain a copy of the Licensee Data. HighQ will only hold a backup of Licensee Data for a 30 day rolling period.

H.     Security Testing. Licensee shall provide HighQ at least 30 days’ notice for performing any type of security testing, penetration testing or vulnerability scans of the Licensed Software (collectively, “Security Testing”) whether such Security Testing is performed directly by Licensee or by a third party engaged by Licensee. HighQ shall provide Licensee with a test instance (of a similar configuration to that of Licensee’s live instance) to perform the penetration test. Licensee agrees to provide the results of such Security Testing to HighQ within a reasonable period of time after completion of the Security Testing (but in no event more than two weeks later), at least in summary format, provided, however, Licensee shall be under no obligation to share any Confidential Information contained in the test results with HighQ.

 

Privacy and Information Technology Security Controls Policy

1. Definitions.

a. “Approved Information Technology Security Program” has the meaning given to it in Section 3(c).

b. “Licensee Security Manager” means the representative designated by Licensee, which may be updated by Licensee from time to time during the Term.

c. “PII” means personally identifiable information (i) that, when used separately and/or in combination with other information, identifies and/or can be used to identify or authenticate an individual or (ii) as otherwise may be defined by Applicable Laws. PII includes names, addresses, telephone numbers, e-mail addresses and other unique identifiers, employee identification numbers, government-issued identification numbers, passwords or PINs, answers to security questions and other personal identifiers, as well as financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account.

d. “Security Breach” means (i) any act or omission that compromises either the security, confidentiality or integrity of Licensee’s Confidential Information, or the Approved Information Technology Security Program; (ii) HighQ’s receipt of any request for disclosure or inquiry regarding Licensee’s Confidential Information from a third party; and/or (iii) any law enforcement or administrative investigation or inquiry into suspected misuse or abuse of Licensee’s Confidential Information.

2. Licensee Data.

HighQ agrees to comply with all Applicable Laws and Terms and Conditions of the Agreement. Without limiting the generality of the foregoing, HighQ shall not use the Licensee Data for any purpose other than performing its obligations under the Agreement, and shall limit access to and disclosure of the Licensee Data solely to HighQ Personnel on a “need to know” basis who are essential to performing its obligations under the Agreement and for purposes directly related to the performance of HighQ’s obligations under the Agreement. Further, HighQ shall not sell, license, distribute, make available or otherwise disclose the Licensee Data or any portion thereof to any third party for any reason, unless specifically permitted by Licensee in its sole discretion or otherwise expressly required by Applicable Laws, in which case HighQ, if permitted, shall provide prompt written advance notice to Licensee in order to provide Licensee with the opportunity to object to such required disclosure. The parties acknowledge and agree that all Licensee Data shall be deemed the Confidential Information of Licensee.

3. Information Technology Security Program.

a. HighQ agrees that its collection, use, storage and disposal of Licensee’s Confidential Information and Licensee Data shall at all times comply with all Applicable Laws, and HighQ shall implement and maintain a security controls program that complies with all Applicable Laws, accepted industry standards, and the Terms and Conditions of the Agreement in order to address security and confidentiality concerns, protect against any anticipated or actual threats or hazards to its security or integrity, and prevent unauthorized access, acquisition, destruction, use, modification and/or disclosure thereof. Additionally, HighQ shall have a security and privacy policy that provides guidance to HighQ Personnel on ensuring the confidentiality and integrity of Licensee’s Confidential Information which addresses the following: (i) instructions regarding the steps to take in the event of a compromise or other anomalous event; (ii) delegation and assignment of responsibilities for security and privacy; (iii) management oversight for the policy and its deployment; (iv) means for managing security and privacy within the enterprise; (v) policies and procedures for data confidentiality and privacy and data protection and access thereto; (vi) handling of Confidential Information; and (vii) planning for incident response in the event of a Security Breach or unauthorized disclosure of any Confidential Information.

b. HighQ’s security program shall include the implementation of administrative, physical and technical safeguards to protect Licensee’s Confidential Information that are consistent with accepted industry practices, and shall take commercially reasonable efforts to ensure that all such safeguards, including, without limitation, the manner in which PII is collected, accessed, used, stored, processed, disposed of and disclosed, whether by HighQ or its providers comply with all Applicable Laws, as well as the Terms and Conditions of the Agreement.

c. The parties shall work together to agree upon security requirements as applicable based on the nature of the Services to be provided by HighQ under the Agreement. HighQ shall provide the agreed upon documentation to the Licensee Security Manager in connection therewith. In the event that the Licensee Security Manager reasonably identifies controls gaps in HighQ’s supplied documentation or test evidence as it relates to its proposed security program, HighQ agrees to work with Licensee in good faith to update associated controls in line with industry-recommended solutions consistent with the requirements set forth herein. For purposes of this Agreement, the HighQ security controls program that has been prior approved by the Licensee Security Manager in writing shall be deemed the “Approved Information Technology Security Program”. Any such approvals shall not be unreasonably withheld or delayed.

4. Security Breach Procedures and Obligations.

a. HighQ shall provide Licensee with the name and contact information for an employee of HighQ who shall serve as Licensee’s primary security contact in resolving obligations associated with a Security Breach. HighQ shall promptly notify the Licensee Security Manager of a Security Breach.

b. Immediately following HighQ’s notification to Licensee of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. HighQ agrees to cooperate with Licensee in Licensee’s handling of the matter, including: (i) assisting with any investigation; (ii) facilitating interviews with HighQ Personnel involved in the matter; and (iii) making available all relevant records, logs, files, data reporting and other materials required to comply with Applicable Laws or as otherwise reasonably required by Licensee for investigation purposes.

c. Except as required by Applicable Laws, HighQ agrees that it shall not inform any third party of any Security Breach without first obtaining Licensee’s prior written consent.

5. IT Security Compliance and Oversight.

HighQ shall conduct penetration testing of the Licensed Software at least annually. Upon Licensee’s reasonable request, and subject to confidentiality obligations that may be owed to HighQ clients, HighQ shall make available to Licensee for review copies of the executive summary report of such tests. Licensee shall treat such reports as HighQ’s Confidential Information under the Agreement. HighQ agrees that it shall ensure that any and all Subcontractors used by Licensee to deliver the Services under the Agreement shall do so in accordance with good industry practice.

6. Data Transfers.

HighQ shall not transfer any Licensee Data governed by the Agreement outside of the Hosting Location without the prior written consent of Licensee. Licensee acknowledges that, under the anticipated use of the Licensed Software, Authorized Users and Designated External Users may be located outside of the Hosting Location and may transfer and download content, including Licensee Data, to locations outside of the Hosting Location (collectively, “User Outside Transfers”). Notwithstanding anything herein to the contrary, HighQ shall not be responsible or liable for User Outside Transfers.

Last Updated 22 November 2017