“Cloud BackUp” Service Definition
SCOPE & PURPOSE
This document defines the “Cloud BackUp” Service covering the following subjects: • A Service Description Summary
• An overview of the service including: - Main cloud service characteristics
- Information assurance & Impact Level (IL) - Interoperability and standardization features - Available API
- Service constraints - Technical requirements
• Service operation, support and management: - On-boarding and Off-boarding processes
- Details of the level of backup/restore and disaster recovery that will be provided - Service levels (performance, availability, support hours, severity definitions, etc.) - Non-compliance penalties
- Service Support & ServiceDesk • Consumer responsibilities
• Details of two available trial services
Additional service conditions and terms to the ones further stated in this document are included in the “Cloud BackUp Terms & Conditions” document. So, some of above subjects and/or further concepts (e.g. “earlier termination” and others) could be partially or fully described in such document.
Besides, Pricing and Billing, including unit prices, volume discounts, earlier termination fees, payment conditions, and so on are defined in the “Cloud BackUp Pricing” document.
Therefore, this document is bound to both aforesaid documents, and all of them shall be considered as a whole.
(Page 2) © Tissat, S.A.
SERVICE DESCRIPTION SUMMARY
“Cloud BackUp Service” allows you to make a complete data protection of your information stored in your files system (network attached storage -NAS-), e-mail MS-Exchange Server or DataBase Servers as MS-SQL or MySQL. The back-up is done in a “hot” way, even for DataBases and MS-Exhange server. The feature-rich service makes integration, management, maintenance and monitoring of this service very easy, according to the following main service features:
• High Availability: The Service architecture is designed to keep the backup platform in operation at all times. Besides backed-up data are stored in a Tier IV Data Center (hereafter abbreviated as DC) that is part of our "DC Federation" interconnected via optical fibre based high-speed links, and all of them owned by us and located in EU countries. • Security: It uses excellent security-techniques to ensure that the backed-up data are 100%
private and not accessible to anyone but the end-user: saved data are stored encrypted with AES 256-bits with a private key, and data transmission is made over SSL connections. • EU Privacy laws compliancy. Besides, service and its operations are IS0 27001 and ISO
20000 certified, and we comply with Directive 95/46/EC, which relates to the processing of personal data and on the free movement of data. Therefore, this Service is able to process at Business Impact Level profiles 11x/22x.
• Finally, involved Data Centres management and operations are certified in the following standards:
- ISO 27001 (Information Security Management System) - ISO 20000 (IT Service Management System)
- ISO 50001 (Energy Management Systems) - ISO 14001 (Environmental Management System) - ISO 9001 (Quality Management System)
- And all of them adhere to the EU Code of Conduct for Data Centres.
- Besides, Tissat’s DC Federation has been awarded with AENOR’s Data Centres Energetic Sustainability Certification.
(Page 3) © Tissat, S.A.
MAIN CLOUD SERVICE CHARACTERISTICS & TECHNICAL ASPECTS Features:
Secure file servers
The Cloud Backup Service is able to efficiently backup data from file servers. The software supports a whole variety of server operating systems including MS Windows Small Business Server, MS Windows Server, Linux distributions and Mac OS X Server. MS Exchange Server Backup
Cloud Backup can back up Microsoft Exchange Server 2003, 2007 and 2010. It is able to backup the Exchange database without interrupting business operations; even during the backup window (hot backup).
MS SQL Server backup
Securing Microsoft SQL Servers is easy with Cloud Backup. The service supports backups of MS SQL Server 2005, 2008 and 2012. Cloud Backup is able backup the SQL database without interrupting business operations; even during the backup window (hot backup).
MySQL Database backup
Cloud BackUp enables the backup of MySQL databases on table level while they are actively in use. As a result data recovery can be performed fast and focused. Therefore, Cloud BackUp is able backup the MySQL database without interrupting business operations, even during the backup window (hot backup).
NAS Servers
To have all their business data at hand, most small offices use network attached storage (NAS) systems. This is a convenient solution for the availability of the data in the company, but not really safe. Cloud BackUp “agent” makes backups of these NAS servers and makes sure that this data is protected against any kind of loss.
Hot backup
As it has been already stated, file, database or email servers are continuously operational. Therefore Cloud BackUp can back up these servers without interrupting business operations; even during the backup window.
Using native APIs
For the backup of MS Exchange Server and MS SQL Server, the Cloud BackUp “agent” software makes use of the native API’s of the platforms. This makes the backup more reliable than the 'open file' type of backup.
(Page 4) © Tissat, S.A.
Technical Requirements & Service Constraints:
This service is connected (directly) to Internet trunks1 (via BGP4 since we are an Internet Autonomous System) and accessible from any device via Internet. So in the client side an Interconnection is needed, with traffic open (routing, ACL, firewall permission, open ports and so on) toward our DC
At the Customer site, the bandwidth you need depends mainly on the volume of information you want to back up, and the time you can spend in that process. For example, typical SOHO volumes, currently usual bandwidth is enough, but this subject should be carefully studied by you (and we will help you, if requested).
An “agent” must be installed in the Customer side. Details about the agent available options are explained further.
To manage your service instance all you need is web browser, as it’s explained above:
Self Management of Service
The Self Management Console is accessible via web and allows you to manage accounts and backups. It serves the Online Backup Clients. It contains the following functionality by default: • Easy and automatic account management
• Quick and logical insight in backup account status • Web-based management interface
• Web-based access for Customers to browse and download files • Incremental data traffic.
• High data security:
- SSL connection (HTTPS)
- Storage of encrypted data with AES 128 and 256 Bits • Multiple storage homes
Agent Options
The agents to be installed in the Customer equipments are based on .net o Java technology depending on the Customer equipment features: Operating System and kind of server
1
Our two Data Centres that host our IaaS platform for this service, Castellon (Tier IV) and Valencia (Tier III), are ready to connect to any network through Private Network technologies like MultiProtocol Label Switching mechanism (MPLS) or Point To Point circuits in addition to Internet trunks.
(Page 5) © Tissat, S.A.
application (File Server, MS-Exchange, SQL, MySQL). Next 2 points show the available agents for thee different cases:
1. Supported Operating Systems: 1.1 .NET based Online Backup Agent
(Page 6) © Tissat, S.A.
2. Supported Applications:
2.1 .NET based Online Backup Agent
1 Only Windows XP and Windows Server 2003
2 Folder Level Backup for Microsoft Exchange Server 2007 only works from a remote 32 bits machine 3 32 bits & 64 bits
2.2 Java based Online Backup Agent
Generic Cloud Features
This service can be classified as (Backup) Storage as a Service, and it works in an “elastic” way, i.e. resources must be requested by the user. This elasticity is applicable to both the level of the chargeable service units offered and the level of components thereof. It can be discussed if it it’s a IaaS or a SaaS service, pros and cons of each possibility can be argued, bur according to NIST model and focusing in the “control of scope” of both Customer and Provider it seem to us to be a SaaS model, but after reading the “questions and answers” around UK Cloud Store G4 RFP, we have decided to classified it as IaaS.
This Service Deployment is offered only in a Public Cloud model.
Besides, it works in a “non-guaranteed” modality, since the spare storage capacity is not reserved for any predefined user, but it is available for use by all Customers on a “first come
(Page 7) © Tissat, S.A.
first served” basis. Anyway, our real-time control of the system as well as our ISO-20000 capacity management processes prevent (or, at least, make difficult) we run out of storage, since we are warned with enough time to increase our capacity.
This service is stand-alone and its storage is “persistent” until this service is finished or data are erased by the Customer.
Finally, we commit to make this service available for purchase by third parties who intend to supply services to UK Government so they can offer SaaS or more traditional infrastructure/application delivery, etc.
Supporting Data Centres Features & Options
Our "DC Federation" is currently integrated by 3 Data Centres (from now on abbreviated as DC in singular, and DCs in plural), all of them in Spain, one in Madrid, another in Valencia and the third one in Castellon. In this service only the DC in Castellon is involved. So the Customer data will be accessed, processed or stored only in Spain.
Our Data Center located in Castellon (code-name Walhalla) is Tier IV certified by The Uptime Institute (we can submit its certification if required, or you can look for in The Uptime Institute web site).
All our Data Centres adhere to EU Code of Conduct for Operations. Besides, Tissat’s DCs have been awarded with AENOR’s Data Centres Energetic Sustainability Certification (audited according to UNE 216501 standard, which results are managed by the ISO-50001:2011 certified Energy Management System, and carbon footprint has been calculated accomplishing the ISO 14064-1). Finally their operation and management are certified in the following standards:
- ISO 27001, - ISO 20000, - ISO 50001, - ISO 14.001,
- Note: we can submit their respective certifications if required.
UK Government ICT and Greening Strategies, and Information Principles for the UK Public Sector.
This service aligns with the Government ICT Strategy and the Greening Government ICT Strategy, since it let user implement a cost effective and energy efficient ICT estate, which is
(Page 8) © Tissat, S.A.
fully exploited, with reduced environmental impacts to enable new and sustainable ways of working for the public sector.
Besides, this is a backup information storage service that is built and operated in such way that let the user to accomplish the 7 Information Principles for the UK Public Sector:
1. Information is a Valued Asset 2. Information is Managed 3. Information is Fit for Purpose
4. Information is Standardised and Linkable 5. Information is Re-used
6. Public Information is Published
7. Citizens and Businesses Can Access Information About Themselves
PRICE LIST & DISCOUNT BY SERVICE DEPLOYMENT MODEL Prices are detailed in the “Cloud BackUp Pricing” document.
Other Billing and Commercial Issues and Conditions are described in the “Cloud BackUp Pricing” document, too.
Earlier Termination Conditions & Fees are explained in the “Cloud BackUp Pricing” document, too.
SERVICE OPERATION, SUPPORT AND MANAGEMENT Business Impact Level
This Service is able to process at Business Impact Level profiles 11x/22x, since it’s included under our Information Security Management System (ISMS) that is ISO 27001 certified (we got the certification first time in 2010 and we renovate each year since then).
We also accomplish the purpose of the Data Protection Act 1998 because we comply with Directive 95/46/EC, which relates to the processing of personal data and on the free movement of data, and the equivalent Spanish Law: “Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) 15/1999”, and the regulations and rules that develops this law.
(Page 9) © Tissat, S.A.
Our ISO 27001 certification is issued, audited and accredited by AENOR, the Spanish Association for Standardization and Certification, an international certification body recognised by UKAS, that was founded in 1986, and is working in more than 60 countries, been among the 10 most important certification organizations in the world. Furthermore, if needed or requested by any Government Procurement Service or any Contractor, we will authorize Site Inspections by Pan Government Accreditor (PGA) or their agent.
Service Roadmap
As aforementioned, to build this Service we use a third-party product. This software provider is the company “BackupAgent” that from time to time add new features in its product. The last one (just delivered in Agost) have been the support of Hyper-V hypervisor, allowing the entire VM (virtual machine) back up: done in a “hot” way, but ensuring that programs on VM are not damaged by taking of snapshot of live DataBases.
When an updating decision is made, our ISO 27001 & ISO 20000 processes usually imply a 3 months delay (including change management and our internal service test) from a new “BackupAgent” version to our own service release deployed on the new version.
Moreover, next Service release (probably delivered by the end of 2013) won’t include any new feature, but the aforesaid Hyper-V VM back up support; neither any functionality feature will be depreciated.
Anyway in the Public Cloud model, Tissat will make the change decision (and date) by itself, but foreseen a service interruption lower than 1 day scheduled in week-end and the exact time for the change will be choose taken into account the lowest general activity in the service according to our historic week-end usage data.
On-boarding process
Once the Contract we must activate you Contract. About activation process 3 cases should be taken into account:
The service will be activated and available next day after we get the Contract signed by you. The last step of activation process will be to enable the service: Configure the access to the service, configure the firewall rules, assign credentials (user and password), set the data access url, set the dashboard url and provide all them to the customer by email. All that items are stored in our CMDB (Configuration Management Data Base) and managed by our ISO 20000 processes. Credentials are also stored in our Identity Management System.
(Page 10) © Tissat, S.A.
Customer’s user and password are sent in two separate emails for security reasons.
From this point the customer has full access to his dashboard to his ‘project’ and can manage its backups by himself.
If required, we also provide consultancy services for assist Customer in data migration process from his actual provider. We’ll apply an average price of £50.00 per hour (VAT not included). In that price is not included any component (hardware or software or anything else) that we need use; expenses associated or derived of possible trips are not included either. If any of them happen they’ll be billed in addition. The Customer is responsible for providing our staff the access to his actual service (user, password, url, IP and in general any necessary information to get access to its data).
Service provisioning
Once the service is activated, provisioning and de-provisioning will be made by the Customer as quick as they do it by itself, because of full self-service capabilities is intrinsic to the service, so the Costumer can manage its backup anytime.
Note: However, earlier service termination or contract cancellation by both legal issues and ISO 20000 & ISO 27001 standards compliance must be done via an ad-hoc document signed by Customer representative entitled to do it.
Off-boarding process
A couple of weeks before the end of the Contract we send you a notification with the expiration date a request for its renewal or advising you about to revoke the service and erase your data.
If expiration date is reached, unless we have received your termination notification, a new notification is sent asking you for its urgent renewal on the next 2 business days or warning the service unavailability then.
After those 2 business days the access to data will be lost. During that period (or previously) the Customer can explicitly request for a free extra-persistence of data for a 5 calendar day period (unless an explicit agreement with other conditions), after which data will be completely erased: this complimentary extra service is only to let Customer verify the consistency of (if needed) its downloaded data, but without normal access to our service. Then, if previously requested, the Customer will be able to audit the probes of its destruction
(Page 11) © Tissat, S.A.
for 10 days after the effective day of destruction: expenses of this audit will be afforded by Customer.
If by chance you detect any problem in your original data and in your downloaded data during the extra-persistence period, you could decide to renew the service for a month more at your cost in order to have enough time to duly terminate the service or contract our consultancy services to help you in that task.
Concerning to the Data extraction, once Customer has shown (either explicitly or implicitly or in omission or by default) he is not interested on the renewal of his Contract or in case of “earlier termination” we commit to help Customer (if needed) to recover its data. In such way, we also provide consultancy services to assist you, the Customer, in your data extraction process. This consultancy services should be requested with enough time in advance, because if they were asked for during the 5 day period of extra-persistence it could happen that we are not able to help you just in that period: so if you problem keep unsolved you should pact with us an additional persistence period that could be billed to you (at the established services prices) depending on your historic usage of our service. For these consultancy services we’ll apply an average price of £50.00 per hour (VAT not included) and the same remaining condition stated for on-boarding processes. You, the Customer, will be responsible for providing our staff the access to your data destination (user, password, url, IP and in general any necessary information to get access to your data destination).
Service Support
There are 2 ways and four channels for a Customer to get support:
• Self-service: Via ‘frequently asked questions’ FAQ dashboard where most common issues are solved.
• Assisted service: The Customer can contact our ServiceDesk via e-mail, chat and phone number.
Our ISO 20000 certified Service Desk is available in the following schedule: • 7x24 for web and e-mail access
• 8h to 17h, Monday to Friday for phone calls (Central European Time)
Service Levels & Performance
(Page 12) © Tissat, S.A.
1. Service Availability Level (SLA): 99,995% (time measured from incident customer notification to verification of service restoration with customer representative).
Where the Service Availability is calculated according to the following formula:
(Service committed hours) – (Service down hours)
________________________________________________________ X 100 = % Availability (Service committed hours)
o Service committed hours: Amount of hours where service infrastructures will be available apart from maintenance windows.
o Service down hours: Amount of hours where service infrastructures won´t be available apart from maintenance Windows.
o Availability: Percentage of committed service hours where service infrastructures are available.
2. Incident Resolution Level: 95% (percentage of incidents solved under correspondent resolution times, see table below).
Severity definitions and resolution time table:
Severity Impact Resolution
time 1 Service unavailable or highly degraded (response time to user
actions more than 1 hour above medium of last month)
4 hours 2 Service slightly degraded (response time to user actions more than
10 minutes above medium of last month)
8 hours 3 Service minimum degraded (a non critical function, for example
access to statistics, is unavailable)
2 days
3. Specific Service Performances:
Concerning to Services Performances it should be noted that they are directly related to bandwidth on both sides, Customer and Data Centre. We can only guarantee bandwidth on Data Centre side:
(Page 13) © Tissat, S.A.
Guaranteed Service Bandwidth: 2Mbps per TB of stored data.
Non-compliance Penalties
In case of non-compliance with our offered SLA and subject to conditions stated in the “Cloud Backup Terms & Conditions” document we offer the following Financial Recompense Model for not met service levels:
We apply a discount on next month quota in case of one o more the service levels are not met as follows:
• 5% discount for meeting service level under 95% (measured over last month medium). • 2% discount for meeting service level under 98% (measured over last month medium). These are valid for any of the three indexes Availability, Performance and Resolution Time, but they are not accumulative, i.e. only one penalty will be applied: the worst of any possible non-compliance.
OTHER SERVICE TERMS AND CONDITIONS. CUSTOMER RESPONSIBILITIES
Additional service conditions and terms to the ones stated in this document are included in the
“Cloud BackUp Terms & Conditions” document. That document also establishes the Customer obligations for having right to price list and discount (defined in the “Cloud BackUp Pricing”
document) as well as its responsibilities and liabilities. Therefore, this document is bound to the former as well as to the latter, and all three documents shall be considered as a whole.
SERVICE TRIAL OPTIONS