Legal
Trendzact Service Level Agreement
This document contains the Service Level Agreement for TrendzAct.
THIS SERVICE LEVEL AGREEMENT
(“Agreement” or “SLA”) shall apply to all TrendzAct Services provided by TrendzAct expressly as an addendum to the Terms Of Service (“TOS”) for each client/user (“USER”). TrendzAct is committed to providing a highly available and secure contact relationship management (“CRM”) to support its USERs. Providing the USER with consistent access to TrendzAct Services is a high priority for TrendzAct and is the basis for its commitment in the form of an SLA. The overall service availability metric is 99.999%, measured on a monthly basis. This Service Level Agreement shall only become applicable to the TrendzAct Services upon the later of (a) completion of the “stabilization period,” as such term is defined in the Statement of Work (if any), or (b) ninety (90) days from the provisioning of TrendzAct Services.
Service Interruption
This SLA provides certain rights and remedies in the event that the USER experiences service interruption as a result of failure of TrendzAct infrastructure. For the purpose of this Service Level Agreement, the terms in bold are defined as follows:
Credits
Availability Credit Amount of Monthly Fee (or one twelfth Annual Fee)
> 97.9% but < 99.999% 10%
> 96.9% but < 97.9% 25%
< 96.9% 50%
Definitions
Available or Availability-When the USER whose account is active and enabled has reasonable access to the TrendzAct Service provided by TrendzAct, subject to the exclusions defined in Downtime Minutes below.
Total Monthly Minutes-The number of days in the month multiplied by 1,440 minutes per day.
Maintenance Time-The time period during which the TrendzAct Service may not be Available each month so that TrendzAct can perform routine maintenance to maximize performance, is on an as needed basis.
Downtime-The total number of minutes that the USER cannot access the TrendzAct Service. The calculation of Downtime Minutes excludes time that the USER is unable to access the TrendzAct Services due to any of the following:
a) Maintenance Time
b) USER’s own Internet service provider
c) Force Majeure event
d) Any systemic Internet failures
e) Enhanced Services
f) Any failure in the USER’s own hardware, software or Network connection
g) USER’s bandwidth restrictions
h) USER’s acts or omissions
i) Anything outside of the direct control of TrendzAct
Problem Response Time-The time period after TrendzAct’s confirmation of the Service event, from receipt of the information required from the USER for TrendzAct’s Support Team to begin resolution and open a trouble ticket in TrendzAct’s systems. Due to the wide diversity of problems that can occur, and the methods required to resolve them, problem response time IS NOT defined as the time between the receipt of a call and problem resolution. After receiving a report of fault, TrendzAct shall use a reasonable method to provide USER with a progress update.
Affected Seats-TrendzAct’s TrendzAct Service are provided in a multi-tenant architecture where seats of a USER’s domain may be extended across numerous servers. USER may obtain remedy only for affected seats residing on the server experiencing Downtime exceeding the SLA.
Maintenance Notices-TrendzAct will communicate on the front page of the support web site at least forty-eight (48) hours in advance (or longer if practical) when TrendzAct intends to disable access to the TrendzAct Services. The USER understands and agrees that there may be instances where TrendzAct needs to interrupt the TrendzAct Services without notice in order to protect the integrity of the TrendzAct Services due to security issues, virus attacks, spam issues or other unforeseen circumstances. Below are the Maintenance Windows and their definitions:
Emergency Maintenance-These change controls happen immediately with little notification ahead of time; however, we will post the information to our website soon after or during the change.
Preventative Maintenance-These change controls are when we detect an item in the environment that we need to take action on, to avoid emergency change controls in the future. These change controls, if possible, will usually occur in low peak hours with peak being defined by our metrics.
Planned Maintenance-When possible, planned maintenance will be posted 5-days prior; however, certain circumstances may preclude us from doing so, such as an external vendor issuing a change control to TrendzAct, e.g. the power company alerting us to perform power testing 48 hours ahead of time.
These are change control’s being done to:
a) Support on-going product and operational projects to ensure optimal performance
b) Deploy non-critical service packs or patches.
c) Periodic redundancy testing.
Minimum Requirements-The required configurations USER must have to access the TrendzAct Services include: Internet connection with adequate bandwidth, supported Internet Browser.
Measurement-TrendzAct uses a proprietary system to measure whether the TrendzAct Services are available, and the USER agree that this system will be the sole basis for resolution of any dispute that may arise between the USER and TrendzAct regarding this Service Level Agreement.
Availability is calculated based on the following formula:
· A = (T – M – D) / (T – M) x 100%
· A = Availability
· T = Total Monthly Minutes
· M = Maintenance Time
· D = Downtime
Bug-Problem Response
Problem Response Time-TrendzAct’s failure to meet the Service Level Metric for Problem Response Time for a month shall result in a Service Level Credit of $250 per incident up to a maximum Service Level Credit of $1500 per month. The response time per incident will vary upon the degrees defined below:
Category Level Criteria Problem Response Time
Sev 1 High Unplanned interruption rendering the Services un-Available; no work-around (4) Hours
Sev 2-High Unplanned interruption rendering the Services un-Available; work-around available (8) Hours
Sev 1 Low Low Services are un-Available for a single User or small percentage of USER affected (48) Hours
Sev 2 Low Intermittent problem (72) Hours
Sev 3 Next iteration
Remedy and Procedure
The USER’s remedy and the procedure for obtaining the USER’s remedy in the event that TrendzAct fails to meet the Service level metrics set forth above are as follows:
To qualify for remedy:
(a) There must be a support ticket documenting the event within 24 hours of the service interruption
(b) USER account must be in good standing with all invoices paid and up to date
The USER must notify TrendzAct in writing within five (5) business days by opening a support ticket and providing the following details:
Subject of email must be: “Claim Notice – ‘Client Name”
List the type of TrendzAct Service that was affected
List the date the Downtime Minutes occurred
List user(s) Display Name and E-mail address affected by Downtime Minutes
List an estimate of the amount of actual Downtime Minutes
Ticket number of the documented event
TrendzAct will confirm the information provided in the Claim Notice within five (5) business days of receipt of the Claim Notice. If TrendzAct cannot confirm the Downtime Minutes, then the USER and TrendzAct agree to refer the matter to executives at each company for resolution. If TrendzAct confirms that TrendzAct is out of compliance with this Service Level Agreement, the USER will receive the amount of Service Level Credits set forth above for the affected Service level metric and the affected Seats for the affected month. The SLA credit will be reflected in the TrendzAct invoice to the USER in the month following TrendzAct confirmation of the Downtime Minutes. Please note that SLA credits can only be applied to accounts that are in good standing with all invoices paid and up to date.
TRENDZACT PRIVACY AND SECURITY POLICY
This Exhibit shall be updated prior to Jan 1 2020 to comply with the California Consumer Privacy Act of 2018 (CCPA) including the Online Privacy Protection Act and Shine the Light.
The terms of this Exhibit are incorporated by reference as terms of the Agreement and may, from time to time, be modified by mutual consent of both Parties.
Introduction
This Privacy and Security Exhibit (“Exhibit”) governs the manner in which specified information shall be handled or processed by Company (referred to in the Agreement as TrendzAct).
Definitions
“Affiliate Companies” shall mean any companies controlling, being controlled by, or under common control with another company.
“Company” shall mean the party entering into an agreement with Customer, under this Addendum which has been incorporated by reference, as well as all Affiliate Companies of said Company.
“Confidential Information” shall mean Information which (i) is proprietary to, about, or created by a specific person or company; (ii) gives the specified person or company some competitive business advantage or the opportunity of obtaining such advantage, or the disclosure of which could be detrimental to the interests of the specified person or company; (iii) is designated as Confidential Information by the specified person or company, or from all the relevant circumstances should reasonably be assumed by the receiving party to be confidential and proprietary to the specified person or company.
“Individual” shall mean, unless otherwise indicated, any natural person.
“Customer” shall mean ____________________. and its Affiliate Companies.
“Customer Confidential Information” shall mean Customer Personal Information and Confidential Information pertaining to Customer.
“Customer Personal Information” shall mean Personal Information received or collected by Customer or Company pertaining to Customer’s current, former, or potential customers and Personal information pertaining to Customer staff members, employees, contractors and subcontractors, or other agents.
“Personal Information” (“PI”) shall mean any factual or subjective information that pertains to an individual about an identifiable person. PI can include, but is not limited to: name, address, phone number, fax number, email address, financial profile, medical information or profile, tax return information as defined under IRC 7216, taxpayer identification number or other governmental identifier, credit card information, personal profile, age, income, credit information, unique identifier, biometric information, and IP address. For the purposes of this Addendum, information about an individual in the business context is considered Personal Information. For example, business contact information is considered Personal Information.
Data Handling and Access
Customer maintains internal privacy policies that govern how Customer and its third parties manage Customer Personal Information. These policies follow the principles set forth below:
Notice – Offer clear, conspicuous notice before collection of Customer Personal Information from any individual.
Choice – Provide individuals choice regarding additional uses of Customer Personal Information, including but not limited to marketing-related uses; and before sharing Customer Personal Information with other third parties not acting as agent.
Security – Provide adequate protections against unauthorized access and exposure of Personal Information, commensurate with the sensitivity of the Personal Information.
Data Integrity – Take reasonable steps to ensure that Personal Information is relevant, reliable for its intended use, accurate, complete, and current.
Access – Take reasonable measures to provide individuals the ability to view, and in some cases, amend or correct, their Personal Information.
Enforcement – Provide specific mechanisms for ensuring compliance with these principles, including recourse, and consequences for non-compliance.
Company shall comply with the above principles, the terms of this Exhibit, the applicable Customer Privacy Statement(s), and all applicable laws, policies, rules and regulations relating to the collection or use of Customer Personal Information. Company agrees to impose and enforce compliance of this Exhibit on all its employees, contractors, and other third party service providers with access to Customer Personal Information.
Company shall document in writing Confidential Information handling procedures designed to implement technical and organization measures to protect Customer Confidential Information as required by the applicable Privacy Statement, laws, and this Exhibit. Company will train employees/contractors/vendors on and implement said procedures in a way that produces the same degree of care as is used with its own Personal Information and Confidential Information, but never less than a reasonable degree of care, to prevent the unauthorized collection, use, sharing, retention/destruction, and other inappropriate or prohibited Confidential Information handling practices.
Company and its authorized agents and vendors shall never sell, rent, or lease Customer Confidential Information to any individual, organization, or third party.
Access to Customer Confidential Information stored on Company’s systems and with Company’s third party providers must not be granted to members of Company’s staff, subcontractors, or other agents, unless the following conditions are met:
The staff member, subcontractor, or other agent has a need to view the information in order to perform authorized work;
The staff member, subcontractor, or other agent is trained in the proper handling of Customer Confidential Information;
The staff member, subcontractor, or other agent is subject to an obligation to handle Customer Confidential Information in ways at least as restrictive as those practices outlined in this Addendum;
The staff member, subcontractor, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID);
The staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of the Customer account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Customer and Company (e.g., eight characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every ninety (90) days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function. The ability to read, write, modify or delete Customer Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
Customer Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
Passwords used by Customer’s Customers are not required to conform to the password standard described above; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
Company must always encrypt the following Customer Confidential Information when it is stored on Company’s systems:
Account numbers
Credit Card Information
Background check information
Beneficiary information
Government Issued Identifying Number (e.g. Driver’s license number, Social Security Number)
Encryption keys
Passwords
Tax return information
In addition, Company must encrypt all Personal Information stored on laptops or other portable devices.
At a minimum, financial services industry-standard encryption techniques must be employed to safeguard such Information in Company’s systems from retrieval by unauthorized persons. Company shall adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-256 shall be used to hash and verify the user’s password, and “salt” shall be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave Company or when their job responsibilities change.
Printed material that contains Customer Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of printed Confidential Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor shall be implemented.
Company shall under no circumstances collect, access, use, store, destroy, reproduce, disclose, or otherwise handle or process Customer Confidential Information other than as specifically authorized by this Addendum or the Agreement which this Addendum is incorporated. Should Company become legally obligated to handle Customer Confidential Information other than as permitted by this Addendum or the associated agreement, it shall, unless legally prohibited from doing so, first provide notice to Customer.
Transmission of Confidential Information
Except as restricted by law, Company must not electronically transmit Customer Confidential Information over publicly-accessible networks without using 128-bit encryption in transit (SSL, TLS, etc.) or another mechanism that affords similar or greater security and confidentiality.
Confidential Information must never be passed in a URL (e.g., using a GET method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files.
Company shall only send Customer Confidential Information in an email message over publicly-accessible networks if one of the following conditions is met
The email message is between representatives of Company and representatives of Customer.
The content of the email has been approved in advance by Customer.
The email is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by Customer and Company.
Maintaining a Secure Environment
To protect the accuracy and integrity of Customer Confidential Information, all such data must be backed up regularly (no less often than weekly unless otherwise stipulated in this agreement), and the backups stored in secure, environmentally-controlled, limited-access facilities.
Company must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
Company must promptly install any security-related fixes identified by its hardware or software vendors, if the security threat being addressed by the fix is one that threatens the privacy or integrity of any Confidential Information covered by this Addendum. Such upgrades must be made as soon as they can safely be installed and integrated into Company’s existing architecture and systems.
Customer may, from time to time, advise Company of recent security threats that have come to its attention, and require Company to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Company must implement these modifications within a mutually-agreeable time, or must obtain written permission from Customer to take some other course of action to ensure that the privacy and integrity of any Confidential Information is preserved.
Notwithstanding the minimum standards set forth in this Addendum, Company should monitor and periodically incorporate reasonable industry-standard security safeguards.
Reviews, Audits and Remedies
Company shall maintain records to demonstrate its compliance with the terms of this Addendum and shall permit Customer, or a third party chosen by Customer and reasonably acceptable to Company, to audit Company’s books, records, facilities, computer systems, and practices relating to its obligations under this Addendum upon reasonable notice and during regular business hours, and at Customer’s expense, at the locations where such records and data are maintained, for purposes of verifying Company’s compliance. Notwithstanding the foregoing, if Customer in good faith believes that a threat to security exists that could affect Confidential Information, Company must provide Customer or its agent access to its premises immediately upon request by Customer.
Customer may inspect or employ third parties to conduct studies of Company’s operational processes, systems, vulnerability scan results and computer network security relating to the collection, transmission, and storage of Customer Confidential Information. Customer agrees to coordinate the scheduling of any such study with Company to minimize disruption to Company’s business. Company agrees to cooperate with Customer to commence such a study within thirty (30) days from Company’s receipt of written notice of Customer’s intent to conduct, or to employ a third party to conduct, such a study. At Company’s request, Customer will require any third party it employs to conduct such a study, to sign a non-disclosure agreement and agree not to disclose any Confidential Information. Customer will make the results of any such study available to Company and, depending on the seriousness of any problems found, may require Company to remedy any and all such deficiencies in a timely fashion. Costs of such audits shall be borne by Customer, unless Company is deemed, as a result of such an audit, to be in material non-conformity with the Agreement or this Addendum.
Notwithstanding any time-to-cure provision in this Agreement to the contrary, it shall be completely within Customer’s discretion to require correction of any demonstrated security-related problem within a shorter period of time. Customer shall provide written notice of the problem to Company, and Company must immediately take appropriate steps to correct the problem. If Company fails to correct any demonstrated security problem within a commercially-reasonable time, considering the work that must be completed to address the problem and resulting in the material disclosure or threatened disclosure of Customer’s Confidential Information, Customer may instruct Company to take such interim measures as necessary to protect Customer’s Confidential Information. If Company fails or refuses to take those interim and/or permanent measures which are necessary to prevent the material disclosure of Customer’s Confidential Information within a commercially-reasonable time, Customer may terminate any and all affected agreements between Customer and Company for cause.
Termination Obligations
Within ten (10) days after the expiration or termination of the Agreement, Company shall destroy all Customer Confidential Information in a manner that renders such information unrecoverable and certify that it has complied with the foregoing in writing.
Compliance with Applicable Laws and Regulations
In addition to any compliance requirements provided in the Agreement, Company will at all times be in compliance with and shall not violate any applicable privacy and security related international, national, state and local statutes, laws, rules or regulations.
In addition to the general requirement stated above, Company understands that if Personal Information includes sensitive tax return information subject to IRS regulations (including sections 6713 and 7216) governing its use and disclosure, the penalties for unauthorized disclosure or use of such tax return information under IRC 6713 and 7216 can result in criminal prosecution, imprisonment and the assessment of monetary fines. Company shall access such Personal Information only to provide the services specifically authorized by this Addendum or the Agreement to which this Addendum is incorporated, and shall not disclose it to any third persons. Additionally, Company shall notify, and hereby represents and warrants that it has notified, in writing any of its employees who may have access to such Personal Information of the applicability of sections IRC Sections 6713 and 7216 including a description of the requirements and penalties of those sections.
Changes to Requirements
Customer may amend this Addendum from time to time as may be required by law or otherwise. If Company is not willing or is unable to meet the updated requirements of such amendments, Customer may terminate the Agreement under which this Addendum is incorporated upon thirty (30) days written notice.
Notifications
Immediately upon discovery, Company must notify Customer (a) if it knows or suspects that Customer Confidential Information has been compromised, disclosed to unauthorized persons, or used in an unauthorized manner, (b) if there have been any complaints about Company’s information and collection practices as they relate to Customer Confidential Information, or (c) if there has been any meaningful or substantial deviation from the requirements contained in the Agreement or this Addendum.
Company agrees that Customer shall have the right to participate in the investigation, response and/or correction of any of the above. In addition, unless otherwise required by law, Customer shall have the right to control and direct any public communication, including but not limited to communication with Customer customers, regarding the same.
Additionally, Company must immediately notify the Customer Internet Operations Center (“IOC”) of any relevant, urgent security issues identified by Company, including, but not limited to, ongoing denial of service attacks, actively exploited vulnerabilities, and ongoing exposure of Customer Confidential Information.
Contact Information
Company agrees to designate a single point of contact as its Privacy and Security Coordinator. This Privacy and Security Coordinator will (i) maintain responsibility for applying adequate protections to Customer Confidential Information, (ii) oversee application of Company compliance with the requirements of this Addendum, and (iii) serve as a single point of contact for internal communications and communications with Customer pertaining to this Addendum and compliance with or any breaches thereof.
Additionally, both Customer and the Company shall designate a single point of contact for urgent security issues (a “Security SPOC”) and provide contact information for such Security SPOC. Both parties agree that either the Security SPOC will be available at all times (“24/7/365”).
