SAP hybris Commerce, cloud edition, Managed Services Description

Effective June 2015

OBJECTIVES AND SCOPE

This document provides supplemental information regarding the Managed Services for the SAP hybris Commerce, cloud edition provided by SAP pursuant to the Agreement for the SAP hybris Commerce, cloud edition between SAP and Customer. As used in this document, “Project” or “Project Phase” means the activities of Customer and SAP in the period between the project kick-off meeting or call, and the Go-Live of the Cloud Service. “Go-Live” means the Production Environment is deployed and capable of live processing of end-user data. All other capitalized terms shall have the meaning set forth in the Agreement. This Managed Services Description is

incorporated by reference and made a part of the Agreement. The Cloud Service includes the services as described in this Managed Services description.

MANAGED SERVICES OVERVIEW

SAP shall use the following personnel in performing the Cloud Service:

▪ Project Manager- named resource assigned to customer Project and primary point of contact during implementation

▪ Technical Account Manager- named account management resource assigned to customer Project post Go-Live, and responsible for proactive oversight of the application and operational processes. Meets regularly with the customer to review the solution performance and the resolution of outstanding issues

▪ Database Administration team for database management

▪ Security Analysts- security operations staff, responsible for initial security set-up, and reviewing, assessing, and addressing security related information

▪ System Administrators - responsible for server health maintenance and management

▪ Network Architects - responsible for network set-up of customer project and connectivity to customer enterprise

▪ Monitoring Analysts - responsible for managing ongoing customer monitoring services

▪ Platform Implementation Experts – a team that deploys, implements, and supports the Hosting Platform throughout the Project Phase (pre Go-Live)

▪ Platform Service Experts – a team that manages the Hosting Platform post Go-Live, being involved in Support, deployment, configuration changes, applying security patches and other platform maintenance tasks. The Project setup services include:

▪ Project management services for the implementation phase of the Project

▪ Setup of the Development Environment – multi server environment, installation, setup/configuration of SAP application, app server, web server, networking, security setup

▪ Setup of Staging Environment – multi server environment, installation, setup/configuration of SAP application, app server, web server, networking, security setup

▪ Setup of Production Environment – multi server environment, installation, setup/configuration of SAP application, app server, web server, networking, security setup

SAP hybris Commerce, cloud edition, Managed

Services Description

▪ Additional server setup for third party applications, if applicable. Setup does not include third party application installation or configurations (subject to additional fees for added resources as specified in an Order Form).

SAP shall deliver the following deliverables as part of the Project:

• Project Kickoff presentation (covered topics include Project information, timeline, communication plan, team roles and responsibilities / RACI, deployment process, contract review, change control)

• Network Diagram

• Deployment Form – document to communicate deployment instructions • Whitelist Form – document to manage third party vendor security whitelisting

• Application Deployment Guide – how to deploy code from local installation to standard configuration • Client Deployment How To – guideline for packaging application releases

• Cloud Services Operations Manual – details on engaging SAP notifications, escalations, and maintenance. • Project Plan – details and schedule of implementation activities

• Webserver Configuration Form – detailing file structure and locations for the installation of SAP application

• VPN Access into the hosted environment

• Use of infrastructure and services outlined in the Order Form Operational Deliverable post Go-Live:

• Operations Scorecard – Monthly report on operational performance

SUPPORT TEAM

The Cloud Service includes an assigned Project manager during the initial Project Phase as well as a technical account manager once the Website is used in a production mode (live processing of end-user data), to provide Project and account management support for the Cloud Services. These individuals are the primary points of contact who work closely with customer’s team to help meet customer service needs and to help manage future requirements and growth. Furthermore, these individuals will help coordinate discussions with other technical resources as needed.

Once the Production Environment is used in a production mode, Customer will have a Technical Account Manager (TAM) assigned, as well as a backup TAM based in an alternate time zone for extended hours.

Contact information for Cloud Service Support is as follows: • Telephone Number:

 EMEA: +49-89-558930700 North America: +1-514-9076158 • Email/Web:

 By submitting tickets through the support ticketing system or through [email protected]

DATA CENTER

SAP utilizes 3rd party data centers to provide the Cloud Service.

The data centers used to host the Cloud Service provide secure facilities for hosting and have a direct connection to the global Internet backbone.

The data centers provide a secure and controlled hosting environment, with: • Heating, ventilation and air conditioning (HVAC) systems

• Very early smoke detection alarm (VESDA) and dual interlock fire suppression systems • Uninterruptible power supply (UPS) with automatic power transfer bridge system • Integrated biometric/card access control

• 24/7 CCTV video surveillance and recording

• Monitoring for HVAC and mission-critical power systems

The data centers provide diverse power and network connections, backup generators and air conditioning systems supporting the equipment’s online availability 24 hours a day, 7 days a week.

HOSTED INFRASTRUCTURE AND INFRASTRUCTURE MANAGEMENT

Initial infrastructure sizing is performed according to traffic estimates and additional requirements provided by the customer. Core+ modules might also require separate servers to be supplied at an additional cost.

Systems Infrastructure

The Cloud Service will reside on a redundant server infrastructure ensuring that if one server (or part of the server infrastructure) fails, a backup is in place designed to support the operation of Customer’s systems.

The infrastructure is balanced for high availability of the system during peak usage periods. The load-balancing allows the systems to handle large volumes of simultaneous users load-balancing the load of activity across multiple servers.

The server and network infrastructure is based on a private cloud virtualized infrastructure. Infrastructure Components:

• Redundant Firewalls • Redundant Routers • Redundant Load balancers • Web file storage

• Database storage • Intrusion detection

SAP will perform the setup and configuration of all infrastructure components.

The following 3rd party application software is included with Cloud Service solely for use with and as part of the Cloud Service on the Hosting Platform:

• Linux (Debian) • Apache Webserver

• Tomcat Applications Server

• database setup with the application • Virtualization hypervisor VMWare • File Integrity Management Software • Log Management Software

Data Storage Management

Storage is provided through the use of redundant high performance storage solutions. The storage solution includes the use of NetApp storage technology including solid state disks on the first tier with expandable fast cache. Storage is safeguarded through the use of Raid DP, NetApp’s raid technology which is a double-parity RAID 6 setup that helps prevent data loss when two drives fail.

Server Infrastructure and Management:

The Cloud Service includes server management, OS patching and proactive maintenance of the server

environment. With respect to RAM, SAP reserves the Production Environment VM’s allocation so that no swap can occur. The Cloud Service uses vSphere DRS (Distributed Resources Scheduler) to balance the load based on actual load on the host and affinity rule. The database runs on dedicated virtualized servers with dedicated compute power.

Network:

The SAP Internal network used to provide the Cloud Service is comprised of: • Fortinet Fortigate FireWalls (300c)

• Cisco Routers for VPN connectivity

• Citrix Netscaler Load Balancer with Web Application Firewall • HP Core and L2 Switching

• Brocade Fiber Channel is used for the databases servers • Network device management as part of network monitoring.

CONNECTIVITY

The Cloud Service delivers connectivity through Tier 1 internet backbone access. The redundant multi-tier network is based on high-end gateway routers, core switches, and distribution switches. The data center is connected directly to the high-performance global IP network.

The hosted environment is supported by 2 x 1 Gbps connections to the Internet backbone, each burstable to 8 Gbps. bandwidth.

SAP uses the 95th percentile measurement rule of the total of the ingress and egress traffic to calculate the additional bandwidth used above the base bandwidth. Additional bandwidth can be purchased for an additional fee in the Order Form.

95th Percentile Measurement - The bandwidth reporting system captures average data points usage every 5 minutes for each network line for ingress, egress, and total bandwidth data. The highest 5 percent of the data points out of a given set (ingress or egress or total) of data points over the billing period are discarded. The highest data point from the remaining data points is considered as the 95th percentile value of the data set.

MONITORING SERVICES

The Cloud Service provides 24x7 monitoring of the hosted SAP applications and infrastructure. Monitoring systems in-place include OpsView, Solarwinds, Ignite and WebMetrics. The tools provide monitoring and alerting of such areas as CPU, memory, disk space, db performance, page loadtime performance and availability. Reporting access from OpsView, Ignite and Webmetrics is made available to the customer. The Cloud Service includes alert

messaging and reporting for systems uptime and page load performance. In addition, web performance monitors can test across geographic locations. SAP uses application profiling tools to perform application analysis to determine the source of an issue.

Included as part of the web performance monitoring are a monitor for 1 site that checks a designated URL every minute and a monitor for 1 site that checks a 5 page user flow every 5 minutes.

Each time a page is monitored, it consumes 1 unit.

Capacity Monitoring and Planning

On a monthly basis, SAP reviews performance and utilization reporting to determine if capacity increases will be required. If the data supports the need to increase capacity, SAP will discuss such capacity changes with the customer.

SECURITY SERVICES AND INFRASTRUCTURE

The security infrastructure includes firewall security and hardened security policies on all servers. Log management procedures are in-place for log review for firewall, applications, network devices, including file-integrity management. SAP utilizes technologies from leading security firms for Log Management and File Integrity Management and the SAP security team monitors these systems.

The infrastructure also offers the customer configurable web application firewalls (WAF) and DDoS monitoring and mitigation services.

In addition, security policies and change management policies are in-place ensuring that access and changes to customer systems and information is accessible only by SAP staff with access authorization.

• Fortinet Fortigate FireWalls (300c) • Citrix Netscaler Web Application Firewall • LogRhythm SIEM

• Symantec AntiVirus

• SourceFire Intrusion Prevention System (IPS) • VMware® vCloud Networking and Security (Phase I)

The application of security processes and requests follows SAP Change Management Process and further documentation is available on SAP’s Change Management Processes upon request.

Security of the software application remains the responsibility of the customer. Security processes and procedures related to the development and deployment of custom implemented code are the responsibility of the customer. The customer is also responsible for its own external vulnerability scans and penetration tests to secure the regular deployments of the applications.

Firewall Management

Firewall management is included as part of the Cloud Service offering. Firewalls are maintained in an Active/Active mode and are secured to allow only approved traffic inbound and outbound. Firewall logging is in place with 90 day retention periods.

Two Factor Authentication

The Cloud Service makes use of two factor authentication throughout the SAP-controlled network to ensure enhanced security access to the network.

File Integrity Management

File Integrity Management helps identify authorized changes versus unauthorized changes and possible malicious activities, to exclude operational integrity being compromised. File integrity monitoring (FIM) examines files and directories on a server, identifying changes to content and permissions.

VPN Services

Point-to-point VPN services are available to provide VPN tunnels between external site and the hosted

environment. The required infrastructure for a VPN s the responsibility of the customer and must be supplied by a telecommunications operator, while SAP may provide any support services that might be required for setup and operation of the VPN for an additional fee.

DATABASE MANAGEMENT

The backend of the Production Environment runs off a configured database.

The clustered database runs on redundant virtualized server infrastructure. In addition, synchronized copies of the data are stored offsite providing offsite data protection.

• Production/Test/Development databases

• Maintenance and Patching of the hardware and database software • Daily incremental database backup

• Database restore services • Backup of archive logs

• Implementation of database patches • Emergency triage of database problems

The managed database service includes managing capacity on demand based on actual database requirements. The database costs are included in the overall environment sizing to support the Peak Page Views per second. Incremental Peak Page views per second costs would include the database requirements for that level. The current capacity will be visible to the customer within an online dashboard using Ignite.

Database patching is performed during Scheduled Maintenance. Any restore procedures on the database would only be performed with the written authorization of the customer.

The Cloud Service includes the database license for use with the SAP application running from the Cloud Service environment within the SAP pre-determined database infrastructure. The license is valid only while paying the Cloud Service fees and while being hosted by SAP. The license is non-transferable, and does not allow for it to be used outside of SAP Cloud Service datacenters.

BACKUP AND RECOVERY SERVICES

The Managed Services include daily offsite backup of all system data in accordance with appropriate industry standard backup procedures.

Backup services include daily offsite backup services. Procedures for backup of the application and data are configured by SAP. Backup services are supplied for the Production Environment only. Additional environments such as Development Environment and/or Staging Environment may also be covered as an optional service for an additional fee.

Backup of data is offsite with 30 days retention as well as local disk backups with hourly snapshots held for 3 days, nightly backups kept for 7 days and weekly backups kept for 3 weeks.

Database Backup

As per the backup schedule set forth above, SnapManager will transition the database into backup mode: • Step 1- All the write operations will be appended in a reserved disk area;

• Step 2 - Read operations will run normally;

• Step 3 - A backup file will be generated and exported;

• Step 4- Backup mode will be transitioned to off and all data generated on step 1 will be appended to it. Exports will remain on disk for faster recovery if needed as well as being sent off site. All datasets will be kept off site for a minimum of 30 days.

Any request to rollback/restore in production must be verbally confirmed by one of the personnel on the

escalation list set forth in the customer-specific operations guide. The verbal approver cannot be the same as the ticket submitter.

MAINTENANCE SERVICES

SAP and the customer will schedule application deployments during a mutually agreed upon maintenance timeframe.

SAP’s standing infrastructure Scheduled Downtime window is currently every Wednesday from 01:00 AM to 05:00 AM in the time zone of the applicable datacenter. For urgent security issues or other issues that may have significant impact on the Cloud Service, the infrastructure of other customers of the Cloud Service, SAP may also schedule Scheduled Downtime windows outside the standing infrastructure window by sending a notification beforehand.

The customer must provide SAP with notice 10 days prior to any maintenance to be performed by the customer which may impact the performance of the Cloud Service by opening a ticket with SAP support.

CHANGE MANAGEMENT

The IT Infrastructure Library (ITIL) is an integrated, process-based, best practice framework for managing IT services. Covering 17 different IT service areas, ITIL outlines how best to complete critical IT practices using checklists, tasks, and procedures that although rigorous are nevertheless flexible enough to be tailored to organizations of all types and in all industries.

SAP follows the IT Infrastructure Library, and uses Service-Now, designed with ITIL v3 framework in mind, to manage the internal change management processes:

• IT Service Management dashboard

• ITIL v3.0 compliant Service Desk, Incident Management, Problem Management, Change Management, Release Management, Configuration Management and Service Catalog

• Status snapshots of Incident Management, Problem Management and Change Management in real time • Service response reporting

DEPLOYMENT SERVICES

For Build Deployment in excess of two (2) hours per month, a separate statement of work and time and materials fees are required.

Updates to the customer Website must be deployed by SAP in the Staging Environment and Production

Environment. The customer will manage deployments to the Development Environment. All requested database changes must be communicated by Customer or its partner to SAP and performed by SAP. The Build Deployment process is described in the following diagram. Adherence to this process by Customer is required for SAP to meet

its obligations with respect to the Build Deployment and may affect the number of Build Deployments SAP can perform within the two (2) hours per month of included SAP Build Deployment services.

Typical Build Deployment requests should be made 1 week in advance, however deployment requests will be accepted up to 3 days in advance of the desired deployment date. Other services related to Build Deployment not included in the Cloud Service and charged as time and material include, but are not limited to, activities performed outside of business hours, application troubleshooting support, platform upgrade services, customized reporting, non-standard configurations and specific database requests.

Build Deployment packages provided to SAP must include the ability to roll-back a deployment. Build Deployment package deployment is done in Business Hours and the Build Deployment package must be provided to SAP at least two (2) hours in advance of the planned deployment time in order to provide sufficient time for adequate task completion during the same Business Day.

Change requests which require SAP action are performed on a time scale appropriate with the request. For example, certain requests such as firewall changes would be scheduled for the next maintenance period. To provide optimal implementation of customer change requests, SAP also has a no Build Deployment or firewall change policy on Fridays, weekends and during public holidays recognized in Bavaria, Germany.

ROLES AND RESPONSIBILITIES

The following roles and responsibilities shall apply to the cooperation between SAP, Customer and the Customer’s designated Implementation Firm. As between Customer and SAP, only those responsibilities with an “R” assigned to SAP shall form part of SAP’s Cloud Service obligations. All other responsibilities shall, in relation between SAP and Customer, be deemed part of Customer’s obligations.

R=Responsible ¦ A=Accountable ¦ C=Consulted ¦ I=Informed

Activities _SAP Pa rtn er Cu st om er

Project and Account Management

Assign and make available a Project Manager R R R

Assign and make available a Technical Account Manager R/A R

Manage relationship with Application Support partner R/A

Traffic volume forecasting C C R/A

Participate in monthly Cloud Service review calls R/A I R

Infrastructure and Server Management

Server Management (all servers) up to and including the OS R/A I I Server OS and Network Infrastructure Patch Management R/A I I

Network Management R/A I I

Initial Server configuration (Dev, Staging, Production) R/A I I DEV – Initial Installation and configuration of the default SAP

Application R/A I I

STAGING – Initial Installation and configuration of the default

SAP Application R/A I I

PRODUCTION – Initial Installation and configuration of the

default SAP Application R/A I I

DEV – Server (above OS) and Application additional

configuration and management - SAP web/app C R/A I

STAGING – Server (above OS) and Application additional

configuration and management - SAP web/app R/A C I

PRODUCTION - Server (above OS) and Application additional

configuration and management - SAP web/app R/A C I

Initial and ongoing Server and Application configuration and

management - Non-SAP web/app/db servers (ie: Vertex) I I R/A

Backup Services R/A C C

3rd party services connectivity (excluding functionality) R C A

Monitoring

Infrastructure Monitoring (Memory, CPU, disk) R/A I I

Website Availability Monitoring R/A I C

Security

Network Infrastructure Security (ie: Firewall, IDS/IPS) R/A I I

Server OS Security Patching R/A I I

Access Security (VPN, Two Factor Authentication) R/A R R

DDoS Monitoring R/A I I

Security Software: Anti-Virus, File Integrity Management,

SIEM R/A I I

Web Application Firewall R/A C C

Application security vulnerability and penetration testing and

application security auditing I C R/A

Secure custom application development I R A

Security incident management related to hosting

environment R/A C C

Security incident management related to non-SAP application

code (initial alerting) R A C/I

Security incident management related to non-SAP application

code (mitigation / remediation) I R/A I

Database Management

Database installation and configuration R/A I I

Patching of the database R/A I I

Database backup and restore R/A C C

Database updates to indexes and tables R/A C I

Database monitoring R/A I I

Application Development / Deployment / Testing

Development of new code I R/A C

Preparation of deployment packages C R/A A

Scheduling of deployments C R/A A

Deployment to Development Environment (not included in

Cloud Service) I R/A I

Deployment to Staging Environment (not included in Cloud

Services) R/A C I

Deployment to Production Environment (not included in

Cloud Services) R/A C I

User Acceptance Testing I C R/A

Overall Application Quality Assurance I R A

Load Testing C R R/A

SAP application upgrades I R/A C

Support & Incident Management

First line support – for hosting support issue R/A C/I C/I Application Support – any issue specific to the SAP

application I R/A I

Create new incident based on automated alerts or support request by phone or email from Customer or Application Support partner

R/A I I

Capture incident details (Hosting) R/A I I

Categorize incident (Hosting) R/A I I

Investigate and diagnose incident (Hosting) R/A I I Assign incident to appropriate support group within SAP or to