D3CLARITY HOSTING TERMS OF SERVICE

1. The Hosting Terms of Service

These Terms of Service (“Terms”) constitute a binding contract between you, the customer that is set forth on an applicable Order Form (“Customer,” “you,” or “your”) and D3Clarity, Inc. (“D3Clarity,”, “D3C” “we,” or “us”). These Terms include and incorporate the Master Services Agreement (MSA or Agreement), the Order Form with which you purchased the Services and any subsequent Order Forms (submitted in written or electronic form) (collectively, “Hosting Agreement”). D3Clarity wishes to provide, and you wish to have the right to access pursuant to the terms of this Hosting Agreement, a subscription service. If you are entering into this Hosting Agreement on behalf of a company, organization, or other entity, you represent that you have such authority to bind such entity and are agreeing to this Hosting Agreement on behalf of such entity. If you do not have such authority to enter into this Hosting Agreement or do not agree with these terms and conditions, you may not use the Services. By browsing or otherwise accessing or using the Services, you represent that you have read, understand, and agree to be bound by the Hosting Agreement.  In the event of any inconsistency or conflict between the Terms and any Order Form, the terms of the Order Form control.


2. Defined Terms

Some words used in the Addendum have particular meanings:

  • “Acceptable Use Policy” or “AUP” means the D3Clarity Acceptable Use Policy.
  • “Business Day” or “Business Hours” means 8:00 a.m. – 6:00 p.m. Monday through Friday, United States central time, excluding federal public holidays in the United States.
  • “Cloud Service Provider (CSP)” is a third-party company (Amazon Web Services, Google Cloud, Microsoft Azure, Oracle Cloud, IBM Cloud) with a cloud-based platform, infrastructure, application and storage services.
  • “Country Specific Terms” means the addendum or addenda that may be incorporated into your Hosting Services Agreement if a portion of your Services are to be provided from a non-United States jurisdiction for which we have special legal terms.
  • “Customer Data”means all data, records, files, input materials, reports, forms and other such items, including any PII (as defined in the applicable Product Terms and Conditions) or “cardholder data” as that term is in the Payment Card Industry-Data Security Standard, that are received, stored, or transmitted using the Hosted System.
  • “Incident” means an unplanned interruption to the Hosting Service or a reduction in the quality of the Hosting Service. A failure of a component that has not yet impacted the Hosting Services is also an Incident. For example, failure of one disk from a mirror set.
  • “Service Level Agreement” means any provision which provides a specified credit remedy for an identified failure to deliver or provide the Services.
  • “Supplementary Services” means those Services you purchase from D3Clarity other than the Hosting Services, including time and materials based professional or consulting services (such as database administration or “DBA” services), one-time or non-recurring services which are not part of the existing Support (such as support for the application that you operate on your Hosted System), and any other services identified as “Supplementary Services” on the applicable Services Description.
  • “Support” means support for the Hosting Services as defined in the Order. Support is limited to availability and access to the Hosting Services infrastructure only. Solution-level support is outside of the scope of this service.
  • Downtime” means the time in which any service is not capable of being accessed or used by the Client, as monitored by D3C.
  • Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered in a calendar month, divided by the total number of minutes in a calendar month.
  • “Recovery Point Objective (RPO)” means the acceptable amount of time/data that can be lost between the point in time of a disaster occurrence and the most recent backup that can be used to restore solution functionality.
  • “Recovery Time Objective (RTO)” means the amount of solution downtime a client can tolerate.
  • Exclusion from Downtime” The following are not counted as Downtime for the purpose of calculating Monthly Uptime Percentage:
  1. Service unavailability caused by scheduled maintenance of the platform used to provide the applicable service (D3C will endeavor to provide seven (7) days’ advance notice of service-affecting scheduled maintenance); or
  2. Service unavailability caused by events outside of the direct control of D3C or its subcontractor(s), including any force majeure event, the failure or unavailability of your systems, the Internet, and the failure of any other technology or equipment used to connect to or access the service.

3. Backup Schedule

D3C’s backup schedule is defined below.  D3C does not promise to retain the data backup for longer than the posted data retention period.  Any changes to the backup schedule must be reflected on Client’s Order.  Temporary changes shall be requested via D3C’s Client Portal (https://d3clarity.atlassian.net/servicedesk/customer/portal/39)

 

Cadence

Retention

Purpose

Application Servers:

n/a

n/a

Not backed up because they are built from source control-based configs every time

Production Databases:

Daily

Last 7 days

Every day.  Sun – Sat

Nonprod Databases:

Daily

Last 7 days

Every day.  Sun – Sat

4. Shared Security Responsibility

Given the shared nature of cloud-based solutions all parties play a critical role in maintaining security

Segregated private IP subnets for DMZ (public Internet), app tier, and data tier with firewall security rules limiting access and strict egress control is provided as part of the Hosting Services.

There will be a Web Application Firewall (WAF) protecting all application service ports available on the public Internet.

D3C shall continually monitor the security of the service. Any security patches shall be reviewed and implemented at the earliest opportunity. Some aspects of security management are dependent on third party software and the hosting providers. D3C’s role is to manage those vendors to their contracted service levels and performance standards.

D3C’s shared responsibility/security model is depicted in Figure 1.

5. Cloud Service Provider Obligations

CSP is responsible for protecting the infrastructure that runs all of the services offered on the CSP Cloud. This infrastructure is composed of the hardware, software, networking and facilities that run the CSP’s Cloud services and product offerings that D3C purchases and configures for Client specific usage.

6. D3Clarity Obligations

D3C will provide the Hosting Services in accordance with the Order and other specifications in this Addendum. D3C will perform any Supplementary Services in a workmanlike and professional manner. D3Clarity will perform all Services in accordance with applicable law.

7. Client Obligations

Client must use reasonable security precautions in connection with Client’s use of the Hosting Services. Client must comply with the laws applicable to Client’s use of the Hosting Services and with the Acceptable Use Policy. Client must cooperate with D3C’s reasonable investigation of Service outages, security problems, and any suspected breach of the Agreement. Client is responsible for keeping your account permissions, billing, and other account information up to date with D3Clarity. Client must pay when due, the fees for the Hosting Services stated in the Order.

In addition to the foregoing obligations, Client acknowledges solely responsible for taking steps to maintain appropriate security, protection and backup of Client’s Customer Data. D3C’s security obligations with respect to Customer Data are limited to those obligations described in Section 6 above. D3C makes no other representation regarding the security of Customer Data. Client is solely responsible for determining the suitability of the Services in light of the type of Customer Data used with the Hosting Services.

8. Known Cloud Risks

D3C does not promise that the Services will be uninterrupted, error-free, or completely secure. D3C provides for system security but Client is responsible for access security.

Any services that D3C are not contractually obligated to provide but that D3C may perform for Client at Client’s request and without any additional charge are provided on an AS IS basis.

Client is responsible for all end user level users of the Hosting Services. D3C provides escalation support only to a limited number of Client administrative or technical contacts listed in the Order as Authorized MDM-as-a-Service Support Users. D3C will not provide support directly to Client end users unless specifically agreed in writing via D3C’s Client Portal.

Certain D3C Hosting Services are designed to help you comply with various regulatory requirements that may be applicable to you. However, Client is responsible for understanding the regulatory requirements applicable to Client’s business and for selecting and using those Services in a manner that complies with the applicable requirements. 

9. Access To Your Customer Data or Use of the Services

D3C is not responsible to Client or any third party for unauthorized access to Client’s data or the unauthorized use of the Services unless the unauthorized access or use results from D3C’s failure to meet its security obligations stated in Section 6 (D3Clarity Obligations) of this Hosting Addendum. Client is responsible for the use of the Services by any employee of Client, any person Client authorizes to use the Services, any person to whom Client has given access to the Services, and any person who gains access to Client’s data or the Services as a result of Client’s failure to use reasonable security precautions, even if such use was not authorized by Client.

D3C agrees that it will not use or disclose Customer Data. Customer Data is and at all times shall remain the exclusive property of Client and will remain in the exclusive care, custody, and control of Client.

D3C must also reasonably comply with any relevant data protection and privacy legislation in force.  D3C must take appropriate and business reasonable precautions to protect against any actual or anticipated threats, hazards, viruses, unauthorized or unlawful access to, use of or disclosure of Client’s information for components within control of D3C; components such as MDM applications configured by client or third parties are a shared responsibility. In the event of any actual or suspected breach of the foregoing or if any of the Client’s information is or is suspected to be lost, stolen, corrupted, used or disclosed to any third party except in accordance with this Agreement, D3C must fully cooperate at its own expense with Client to investigate and resolve any such event for components within control of D3C.

10. Limitations on Damages

D3C is not liable to Client for failing to provide the Services unless such failure results from a breach of a Service Level Agreement, or results from our gross negligence, willful misconduct, or intentional breach of the Agreement. The credits stated in the Service Level Agreement are Client’s sole and exclusive remedy for our failure to meet those guaranties for which credits are provided unless such failure is due to D3C’s willful misconduct. 

Neither party (nor any of employees, agents, affiliates or suppliers of either party) is liable to the other for any indirect, special, incidental, exemplary or consequential loss or damages of any kind. In addition, neither party is liable for any loss that could have been avoided by the damaged party’s use of reasonable diligence, even if the party responsible for the damages has been advised or should be aware of the possibility of such damages. In no event shall either party be liable to the other for any punitive damages or for any loss of profits, revenue, customers, contracts or goodwill.  The foregoing limitations shall not apply to losses, claims, suits, controversies, breaches and/or damages caused by a party’s gross negligence, willful misconduct, and a breach of Section 9 (Access To Your Customer Data Or Use of the Services).

Subject to Section 9, D3C is not liable to Client for lost data unless D3C fails to provide the backup services as agreed. Client will release D3C from liability for loss of data to the extent that the data has changed since the time that D3C were last required by the Agreement to perform a backup.

Notwithstanding anything in the Agreement to the contrary, except for liability based on willful misconduct or fraudulent misrepresentation, and liability for death or personal injury resulting from D3C’s negligence, and liability for breach of Section 9, the maximum aggregate monetary liability of D3C and any of its employees, agents, suppliers, or affiliates in connection with the Hosting Services, the Agreement, and any act or omission related to the Hosting Services or Agreement, under any theory of law (including breach of contract, tort, strict liability, violation of law, and infringement) shall not exceed: (i) for Hosting Services an amount that is twelve (12) times one month’s recurring fee under the Agreement for the Services that are the subject of the claim as of the time of the occurrence of the events giving rise to the claim, and (ii) for Supplementary Services, fees paid for the Supplementary Services that are the subject of the claim. 

11. Service Level Agreement

During the term of the applicable Order between Client and D3C for the services listed on the Order, D3C will use reasonable efforts to achieve a Production Monthly Uptime Percentage of at least 99.5% for any calendar month (the “D3C SLA”). If D3C does not meet the D3C SLA, and so long as Client’s account with D3C is current, Client will be eligible to receive the credits described below. These credits are Client’s exclusive remedy (and D3C’s sole liability) with respect to D3C’s inability to meet the D3C SLA requirements. D3C explicitly disclaims all other remedies, whether in law or equity.

Note: For MDM-as-a-Service clients, this Uptime Percentage applies to the cloud infrastructure D3C is providing. The uptime of an individual application running on this infrastructure is not included in this measure. It is possible for the infrastructure to be operating correctly while the solution fails to respond due to an configuration error at the solution level. Application maintenance and support is a Client responsibility. If application-level support is desired, D3Clarity offers optional solution-level support agreements that include application-level uptime SLAs. Need to add verbiage about CSP responsible for CSP outage.

11.1. Service Credits

Credits are issued as a financial reimbursement if D3C does not meet the D3C SLA for a particular month of the ordered term. Upon approval of a claim D3C will provide the applicable remedy set forth below:

Monthly Uptime Percentage Production Environment only

Service Credit

<99.5% but >= 99.2%

5% of the monthly fee

<99.2% but >= 99.0%

10% of the monthly fee

<99.0% but >= 98.7%

15% of the monthly fee

<98.7%

20% of the monthly fee

 

11.2. Maximum Credit

The maximum credit available to Client if D3C is unable to meet the D3C SLA is up to twenty percent (20%) of the monthly fees for the month of the occurrence. Any credit will be applied to fees due from Client for the service and will not be paid to Client as a refund. All claims for credit are subject to review and verification by D3C, and all credits will be based on D3C’s measurement of its performance of the service and will be final.

11.3. Claim Procedure

To receive a service credit for D3C’s failure to meet the D3C SLA in a particular calendar month, Client must submit a claim via support@d3clarity.com within thirty (30) days of the end of the month during which the D3C did not meet the D3C SLA, and include the following information:

  • Client name and account number;
  • the name of the service to which the claim relates;
  • the name, email address, and telephone number of the Client’s designated contact; and
  • information supporting each claim of Downtime, including date, time, and a description of the incident and affected service, all of which must fall within the calendar month for which Client is submitting a claim.