UserZoom’s SaaS Delivery Services comprise the complete set-up, delivery and administration of the Ordered Software Services on servers operated and maintained by or at the direction of UserZoom. UserZoom will set up, manage, monitor, tune, and react to all aspects of the Ordered Software Services, including Customer Content, databases, network, servers, security components, internet links, etc. By managing all these services, Customer can access the Ordered Software Services via a secured connection from a web browser. UserZoom may delegate the performance of certain portions of the SaaS Delivery Services to third parties, provided UserZoom remains responsible to Customer for the delivery of the Ordered Software Services. Capitalized terms used but not defined in this SaaS Delivery Services Exhibit shall have the meanings given to them in the Agreement.
UserZoom operates an information security program designed to protect Customer Content utilizing industry standard policies and technologies. UserZoom takes appropriate measures to protect the Ordered Software Services against “hackers” and others who may seek to modify the Ordered Software Services or the data therein without the consent of UserZoom or Customer, and to correct each Ordered Software Service to its original form in the event that it is modified without UserZoom's consent. UserZoom tests code for potential areas where security could be breached.
Data Centers and Physical Security
The equipment hosting the Software is located in one or more secure, fault-tolerant, seismically-compliant data centers (each, a “Data Center”). Physical access to each Data Center is restricted and controlled by access lists held by the colocation facility’s security department. Multiple forms of authentication are required to access each facility. Each Data Center is equipped with fire, water, and heat detection and protection systems. As of the Effective Date, UserZoom uses the following hosting service providers for the Ordered Software Services:
For Ordered Software Services hosted in the United States, UserZoom uses Amazon Web Services (“AWS”), currently located in Virginia and northern California. Data Center certifications include SSAE 16 - SOC2, ISO 9001, ISO 14001, ISO-IEC 27001, OHSAS 18001, Safe Harbor Self-Certification and CDSA Certification.
For Ordered Software Services hosted outside of the United States, UserZoom uses Amazon Web Services ("AWS"), currently located in Ireland. Europe based Data Centers certifications include SSAE 16 - SOC2, ISO-IEC 27001, BS7799, ISO 9000:2001 and ISO 14001.
System and Network Security
At the network level, UserZoom’s production environment is designed to provide maximum security based on industry-standard practices.
At the host level, UserZoom servers are fine-tuned or “hardened”.
Logging and Monitoring
UserZoom logs security relevant events, including, but not limited to, login failures, use of privileged accounts, changes to access models or file permissions, modification to installed software or the operating system, changes to user permissions or privileges or use of any privileged system function, on all systems. Security logs are retained for a minimum of 1 year. Access to security logs is restricted to authorized staff. System clocks are synchronized with a NTP to ensure the accuracy of audit logs.
Availability of Ordered Software Services
UserZoom shall use commercially reasonable efforts to maintain each Ordered Software Service in a manner that minimizes errors and interruptions and to make such Ordered Software Service available 24 hours a day, seven days a week, but it is understood that an Ordered Software Service may be temporarily unavailable due to (a) maintenance, application of Updates (as defined below) and testing of systems, applications and networks within the Data Center (collectively, “Scheduled Maintenance”), or (b) Force Majeure Events. UserZoom will use all commercially reasonable efforts to provide Customer with at least 72 hours advance notice of any Scheduled Maintenance.
In the event of an outage of an Ordered Software Service other than Scheduled Maintenance where users experience no response (“Emergency Downtime”), UserZoom will follow its standard outage procedure set forth below:
Emergency, non-routine, and other configuration changes to existing UserZoom infrastructure are authorized, logged, tested, approved and documented in accordance with industry best practices for similar systems. Updates to UserZoom’s infrastructure are done to minimize any impact on the customer and their use of the services. UserZoom will communicate with customers when service use is likely to be adversely affected.
UserZoom applies a systematic approach to managing change so that changes to customer impacting services are thoroughly reviewed, tested, approved and well communicated. UserZoom’s change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:
Whenever possible, software changes are scheduled during regular Scheduled Maintenance/change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.
Service Level Agreement
Monthly Availability Credit
UserZoom will use all reasonable efforts to minimize downtime of the Ordered Software Services and to ensure a Monthly Availability Percentage of 99.5%, except as set forth below. The Monthly Availability Credit is calculated on an aggregate Monthly basis as follows:
Monthly Availability Percentage = (total minutes in the month – total number of minutes that the Ordered Software Service is inoperable in that month) / total minutes in the month
So long as UserZoom takes commercially reasonable steps to restore service as rapidly as possible, the Monthly Availability Percentage excludes (1) periods of Scheduled Maintenance; (2) problems caused by use by Customer of the Ordered Software Services in a manner not in accordance with the Documentation; (3) outages due to problems with Customer Content; (4) outages due to system administration, commands, file transfers performed by Customer representatives; (5) outages due to denial of service attacks, natural disasters, changes resulting from government, political, or other regulatory actions or court orders, strikes of third parties or labor disputes of third parties, acts of civil disobedience, acts of war, acts against parties (including carriers and UserZoom’s other vendors), and other force majeure items; (6) lack of availability due to untimely response time of Customer to respond to incidents that require its participation for source identification and/or resolution; (7) outages due to Customer’s breach of its material obligations under the Agreement; and (8) outages due to failure of the Customer Access Equipment or other Customer hardware or software.
If the Monthly Availability Percentage is less than 99.5% in any given month, Customer will be entitled to receive a refund of the Subscription Fees attributable to that particular month as follows:
97.50% - 99.49%
95.50% - 97.49%
92.00% - 95.49%
Less than 92.00%
Calculation of Refunds
The refund is calculated as a percentage of one-twelfth of the annual Subscription Fees paid in that year for the month during which the Data Center does not achieve the guaranteed 99.5% Monthly Availability Percentage set forth above.
Upon request, UserZoom will deliver to Customer’s designated principal contact person a report regarding the operations of the Data Center and the usage of the Ordered Software Service(s) in the prior month. Such report shall include, among others, a summary of the Monthly Availability Percentage for the Ordered Software Service(s) in the previous month, the amount of Scheduled Maintenance and Emergency Downtime.
Business Continuity and Backups
The AWS infrastructure has a high level of availability and provides UserZoom with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. All data centers are online and serving customers; no AWS data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. UserZoom will back up Customer Content, and will create a full backup (complete data copy) at least once per week at a secure backup location. UserZoom will maintain all such backup files for up to (6) months post-subscription. Upon the Customer’s written request, UserZoom will restore data from the backup files. The backup recovery process itself shall not cause downtime of the applicable Ordered Software Service; however, such Ordered Software Service(s) will be inaccessible during the backup restoration process. UserZoom will ensure that daily incremental backups in combination with weekly full backups are complete so that no more than twenty-four (24) hours’ worth of data will be lost in the event of a disaster. UserZoom will restore data as requested by the Customer within 48 hours of the Customer’s written request.
In the event of a disaster or failure, UserZoom will promptly respond to Customer’s requests for restoring data and Customer backups will be restored to the latest verified backup prior to the outage. UserZoom’s Recovery Time Objective (RTO) for the application is 48 hours and its Recovery Point Objective (RPO) is 24 hours. RPO refers to the amount of data at risk. This is determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery. RTO refers to the targeted time to recover from a data loss event and how long it takes to return to service.