AAG Cloud Connector Terms & Conditions
The terms and conditions set out in this AAG Secure Cloud Backup with Backup Schedule (this “Schedule”) shall apply to each AAG Cloud Connector with an AAG Cloud Connector Work Order executed by the Provider and the Client (each “Work Order”), and shall be deemed to be incorporated into each AAG Work Order.
1. Definitions. In this AAG Secure Cloud Backup with Backup Schedule:
1.1 “AIS” shall mean AAG IT Services Ltd.
1.2 “Provider” shall mean AIS.
1.3 Any capitalised terms used but not defined in this Schedule or the remainder of the Agreement shall have the meanings set out in the relevant AAG Work Order.
1.4 “Archive Storage” shall mean storage resources within the Target Site, provided on traditional shelves of disk, accessed from the Machines.
1.5 “Cloud Resources” shall mean storage and network bandwidth that comprises a Virtual Data Center as described in the AAG Work Order.
1.6 “Deployment” shall mean the period of time beginning once the Provider has provided the Client with login credentials for the Cloud Resources.
1.7 “Machine” shall mean the computing equipment on which the Client is running the AAG Cloud Connector software and the computing equipment used by the Client to access the Cloud Resources (but excluding the Cloud Resources).
1.8 “Provider Network Demarcation Point” shall mean the extension from the AAG Cloud Connector Services infrastructure to the router located in the Target Site data center that provides the outside interface for each of Provider’s WAN connections to the backbone providers.
1.9 “Reserved Resources” shall mean Cloud Resources that are dedicated to the Client.
1.10 “Source Site” shall mean the Client’s physical location from which the Client’s Virtual Machines will be backed up.
1.11 “Target Site” shall mean Provider’s physical location as specified in the AAG Work Order to which the Machines will be backed up.
1.12 “Testing” shall mean the operational mode in which the data of the Machines are validated leveraging Target Site restore points during a predetermined process. “Tested” shall have a correlative meaning.
1.13 “Virtual Data Center” shall mean self-contained storage that is pooled, aggregated, virtualised and delivered as-a-service.
1.14 “Virtual Machine” shall mean a guest operating system such as Windows or Linux that can run or be stored an isolated entity on a host and is separated from the physical resources it uses such that the host environment is able to dynamically assign those resources among several Virtual Machines.
1.15 “Monthly Fee” means the aggregate Monthly Fees set out in Section 8.1
1.16 “Applicable Laws” means (a) European Union or Member State laws with respect to any Client Personal Data in respect of which any Client Group Member is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Client Personal Data in respect of which any Client Group Member is subject to any other Data Protection Laws;
1.17 “Client Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Client, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.18 “Client Group Member” means Client or any Client Affiliate;
1.19 “Client Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of a Client Group Member;
1.20 “Contracted Processor” means AAG IT Services Ltd or a Subprocessor;
1.21 “Data Exporter” means Client or any Client Affiliate;
1.22 “Data Importer” means AAG IT Services Ltd or a Subprocessor;
1.23 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.24 “EEA” means the European Economic Area;
1.25 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.26 “GDPR” means EU General Data Protection Regulation 2016/679;
1.27 “Restricted Transfer” means:
1.27.1 transfer of Client Personal Data from any Client Group Member to a Contracted Processor; or
1.27.2 an onward transfer of Client Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor,
1.28 in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under section 6.4 or 12 below;
1.29 “Services” means the services and other activities to be supplied to or carried out by or on behalf of AAG IT Services Ltd for Client Group Members;
1.30 “Standard Contractual Clauses” means the contractual clauses set out in the terms and conditions listed below,
1.31 “Subprocessor” means any person (including any third party, but excluding an employee of AAG IT Services Ltd or any of its sub-contractors) appointed by or on behalf of AAG IT Services Ltd to Process Personal Data on behalf of any Client Group Member; and
1.32 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.33 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2 Term.
2.1 Reserved Resources. The term of a AAG Work Order will commence on the Billing Start Date as stated on the Work Order and will remain in effect until the final day of the contract term set out in such AAG Work Order, provided that each AAG Work Order will renew automatically for successive one-year terms (each, a “Successive Term”) on the final day of the Initial Term and each Successive Term, unless (a) either Party has given 90 days’ notice to the other Party that the AAG Work Order shall terminate on the final date of the then-current Initial Terms or Successive Term, or (b) such AAG Work Order is otherwise terminated prior to the final day of the then-current Initial Term or Successive Term in accordance with the Agreement or Section 8 of this Schedule.
2.2 Order Modifications. Unless otherwise agreed between the Parties in writing, (a) any modifications to the AAG Work Order agreed prior to Deployment will extend the Initial Term of the AAG Work Order in accordance with the new Billing Start Date on the Work Order for the modified resources, or (b) any modifications to the AAG Work Order (other than modifications of the term of the AAG Work Order specifically) agreed following Deployment shall not impact the Initial Term set out in the original AAG Work Order.
3 Provider’s Obligations.
3.1 The Provider is responsible for the following in accordance with industry best practices:
3.1.1 Providing pool of Archive Storage and network bandwidth at Target Site per specifications detailed in the AAG Work Order;
3.1.2 Maintaining Target Site Archive Storage infrastructure including patching, upgrades and updates;
3.1.3 Creating Virtual Data Center(s) per specifications detailed in the AAG Work Order;
3.1.4 Providing Client the URL and authentication credentials to access the Client’s Cloud Resources;
3.1.5 Providing storage pool modification options to the AAG Work Order as required by the Client;
4 Client’s Obligations.
4.1 The Client shall be obligated to pay the following fees:
4.1.1 upon execution of a AAG Work Order and the Setup Fee;
4.1.2 if a Security Deposit fee is specified in the work order, then it will be due in order to initiate the payment process. The Security Deposit Fee shall be refunded by the Provider to Client within 60 days of the termination of this Agreement, provided that this Agreement does not terminate following a breach by Client;
4.1.3 on a monthly basis throughout the term of each AAG Work Order, the Monthly Fee, applicable bandwidth usage fees, and overage fees, all of which shall be prorated for the initial and final months of the term to reflect the number of days that the Provider provides the services described herein to the Client;
4.1.4 the Provider’s then-current Engineering rates in respect of any Engineering support tickets opened by the Provider at Client’s request; and
4.1.5 the Client shall incur additional usage fees at the Provider’s then-current usage rates (unless rates are defined in the AAG Work Order) including but not limited to overages for AAG Cloud Connector replication and usage on storage, storage performance, and network bandwidth on Cloud Resources.
4.2 The Client is responsible for the following in accordance with industry best practices:
4.2.1 Providing the Provider with information reasonably required to fulfill its obligations, including without limitation backup requirement details;
4.2.2 Procuring, implementing, and configuring of the correct licensed versions of AAG Cloud Connector software on the Machines as specified in Provider’s then-current Product Compatibility Matrix contained within the Master Cloud Service Schedule;
4.2.3 Configuring and performing of backups, recovery tasks, and testing within the backup software installation;
4.2.4 Managing applicable Client-controlled firewall(s) including but not limited to the configuration of Network Address Translation (NAT), Access List, Virtual Private Network (VPN), Dynamic Host Configuration Protocol (DHCP), and static routing in relation to Client connectivity to the Target Site;
4.2.5 Fixing any problems resulting from upgrades to the AAG Cloud Connector software;
4.2.6 Maintaining software (including without limitation the AAG Cloud Connector software) on the Client’s machines including patching, upgrades, updates and anti-virus software in accordance with industry best practices;
4.2.7 Ensuring the functioning of services or software running on the Client’s machines;
4.2.8 Providing support for operating systems and applications installed on the Client’s machines; and
4.2.9 Promptly notifying Provider if the Cloud Resources are hacked, accessed by a person lacking permission to access the Cloud Resources, or infected with a virus, worm or similar code;
4.3 Client is solely responsible for ensuring that there is enough bandwidth at Source Site to enable initial backup and successive incremental changes of data to Target Site. Client must also ensure that during the term of the Work Order they maintain enough bandwidth to ensure the continued successful backup of the data. Client acknowledges that the Provider is not in breach of the agreement if there is not enough bandwidth available at Source Site.
4.4 If the Client provisions backup jobs in excess of the specifications set out on the Work Order, Provider is not responsible for any performance degradation or errors caused by over allocation;
5 Service Availability and Limitation of Liability.
5.1 The Provider will use commercially reasonable efforts to make sure that the Cloud Resources are available for 100% of each calendar month. The Cloud Resources will be deemed unavailable if (a) the Client can neither transmit nor receive data to or from the Cloud Resources (whereby inability is confirmed by way of Client documentation that verifies said inability is due to an issue with the Provider’s equipment and (b) such inability has been communicated to the Provider in sufficient detail to enable the Provider to open a case in respect thereof). The Cloud Resources shall not be deemed unavailable (without limitation) in the event of any of the following:
5.1.1 Any circumstances whatsoever which are not within the reasonable control of Provider or its subcontractor(s);
5.1.2 Force Majeure events;
5.1.3 Virus activity and hacking attempts;
5.1.4 In accordance with a court order or any requirements of any authority or other competent local authority;
5.1.5 Periods of scheduled or emergency maintenance on Provider-provided infrastructure of which the Client has been notified;
5.1.6 Client being suspended or disabled under the terms of Section 8(a);
5.1.7 Failure of the Client’s or End-User’s connection to the Provider Network (e.g. via the public internet or the Client’s own network) or related problem beyond the Provider Network Demarcation Point;
5.1.8 Inconsistencies in the environment or unavailability that result from changes in the Client’s source environment, including either intentional or accidental connection or disconnections to the environment;
5.1.9 Failure or malfunction of equipment, software (including, without limitation, AAG Cloud Connector), or other technology not owned or controlled by Provider;
5.1.10 A malfunction that results from any action or inactions of Client or any third party;
5.1.11 A malfunction that results from anyone gaining access to the Cloud Resources by means of Client’s passwords or equipment; and
5.1.12 Unavailability of the Portal or API.
5.1.13 If availability is impacted by factors other than those explicitly listed in this agreement, Provider may issue a Credit considering such factors in Provider sole discretion.
5.2 If the Provider does not meet its obligations under this Section 5 during a particular month during the term, the Provider will at the Client’s request, provide the applicable service credit (“Credit”) set out in the chart below.
5.3 A Credit will be applicable and issued only if the aggregate amount of Credits for the applicable monthly billing cycle is greater than ten pound sterling (£10 GBP). Service Credits may not be transferred or applied to any other account.
5.4 In order to request a Credit, the Client must fill out the Provider’s Credit Request Form (“Claim”) within 30 days from the last day of the reported event. The dates and time(s) Client was affected, and demonstration that Client was adversely affected must be included.
5.5 Provider will use all information reasonably available to it to validate Claims and make a good faith judgment on whether the Client is entitled to Credits under this Section 5.
5.6 Credits will only apply against future payments otherwise due from Client and are not transferable or redeemable for cash. The Client’s sole and exclusive remedy, and the Provider’s sole liability, with respect to Provider’s breach of its obligations in Section 5.1 and Section 5.2 are Credits as described in Section 5.3.
5.7 Express warranties only. The products and services to be provided by the provider are provided as is, with all faults. The provider excludes all warranties of any kind, express or implied, with respect to any product or service provided by the provider, including, without limitation, warranties for merchantability, fitness for any particular purpose, or satisfactory quality or whether at common law or in contract or tort or by statute, or otherwise. The Client expressly assumes the risk of data loss, downtime and equipment damage relating to the use of the provider’s services.
5.8 Software Licenses. The Client expressly acknowledges that the Provider may provide the Client with a license or the right to use software under the terms of a separate license from a Third Party licensor. The Client expressly acknowledges that its rights to use such software is limited to the rights provided by the third party licensor and that any and all claims that the Client may have concerning or relating to such software provided to the Client by the provider, regarding the performance or the functionality of such software or any services related thereto, shall be brought exclusively against the third party licensor of such software and not against the provider. The provider does not make any warranties concerning the performance or functionality of any software (including or any services related thereto) distributed by the providers and hereby disclaim and exclude all such warranties including, without limitation, warranties for merchantability, fitness for any particular purpose, or satisfactory quality or whether at common law or in contract or tort or by statute, or otherwise.
5.9 No consequential damages. The provider will not be liable to the Client or any other person for special, incidental, exemplary, punitive, multiple, consequential or indirect damages, including, without limitation, damages for loss of goodwill or business profits, loss of revenue, work stoppage, data loss, or computer failure or malfunction, whether such damages are alleged in tort, contract, or otherwise, even if the provider has been advised of the possibility of such damages.
5.10 Limitation on Direct Damages. Except in respect of the Provider’s gross negligence or willful misconduct, the Provider’s total aggregate liability to the Client and its affiliates under this Agreement shall not exceed the Monthly Fee. The Provider shall not have any liability to the Client in respect of (a) the costs of reloading, replacing, or recreating any of the Client’s lost or damaged information, data or software; or (b) the loss of the Client’s information, data or software.
5.11 Indemnification for Statutory Liability. The Client shall defend, indemnify, and hold each Provider and its affiliates and its and their respective officers, directors and employees harmless from any and all claims and proceedings by governmental entities arising from the Client’s use of the Providers’ networks and services for the storage of personal information, whether pursuant to the English Data Protection Act 1998 (in each case as amended from time to time) or other data protection laws and regulations.
5.12 Reasonableness. The Client acknowledges that the limitations and exclusions of liability set out in Section 11 are reasonable that that the Provider would not have been willing to provide products or services to the Client for the prices set out in this Agreement and on the other terms set out in this Agreement absent such limitations and exclusions.
6 Disabling.
6.1 Disabling Cloud Resources. If the Cloud Resources get infected, hacked, or are compromised in any way, or if it is determined by the Provider that there is a potential threat to the Provider’s network or any of the Provider’s other Clients, the Provider will make commercial best efforts to notify the Client and may in its sole discretion disable the Cloud Resources until the Client can take the appropriate actions to resolve the issue or contact the Provider to resolve the issue and the Client shall compensate the Provider at the Provider’s then-current Engineering rates for such disablement. The Provider may disable the Cloud Resources at any time if the Provider reasonably believes that the Client has violated the Provider’s then-current Acceptable Use Policy (which the Provider shall provide to the Client promptly following a request therefore).
7 Cancellation of Service.
7.1 Cancellation by Provider. Provider may terminate a AAG Work Order by providing 90 days’ advanced written notice to the Client. If the Provider terminates a AAG Work Order pursuant to this Section 8 following a breach of such AAG Work Order or the Agreement by the Client, the Client shall pay to the Provider promptly following such termination a termination fee equal to one-half of the aggregate Monthly Fees that would have been payable through the end of the then-current Initial Term or Successive Term if such AAG Work Order had not been terminated.
7.2 Software License Discontinuance upon Termination. Upon the termination of a AAG Work Order for any reason, the Client shall de-install and immediately discontinue all use of the software provided under the software licenses provided to the Client pursuant to such Work Order.
8 Services.
8.1 Description of Services. The Provider shall use its reasonable efforts to provide the resources described below comprising a cloud based infrastructure (the “Cloud Resources”) with the specifications set out below (the “Specifications”), in each case to the Client, and the Client shall compensate the Provider at the rates set out below, in each case subject to the terms and conditions set out in this Agreement until this Agreement is terminated.
8.2 Service-Specific Provisions. The terms set out on each Schedule within the AAG Master Cloud Service Schedule which may be updated from time to time at the Providers sole discretion are hereby deemed to be incorporated into each Order into which such Schedule’s terms are to be incorporated pursuant to the terms of such Schedule. The relevant Provider shall provide reasonable notice to the Client whenever the terms of an applicable Schedule are updated, and such updated schedule shall become binding on the Client and the relevant Providers on the thirtieth day following the date on which such notice is provided to the Client.
8.3 Renewal and Billing Commencement. Billing in respect of the services to be provided under this Agreement will commence on the date that the Provider confirms that the Cloud Resources have been handed off to the Client and will remain in effect until the end of the initial service term (“Initial Service Term”), provided that this Agreement will renew automatically for successive terms equal in length to the Initial Service Term (each, a “Successive Term”) on the final day of the initial term and each Successive Term, unless (a) either Party has given 30 days’ notice to the other Party that this Agreement shall terminate on the final date of the then-current Initial Terms or Successive Term, or (b) this Agreement is otherwise terminated prior to the final day of the then-current initial term or Successive Term in accordance with this Agreement.
9 Termination.
9.1 Termination Following Breach. If the Provider fails to perform its obligations or otherwise violates the terms or conditions of this Agreement and such default continues for a period of ten (10) days after receipt of a written notice describing the default, then the Client may terminate this Agreement upon notice to the Provider. If the Client fails to perform its obligations or otherwise violates the terms or conditions of this Agreement and such default continues for a period of ten (10) days after receipt of a written notice describing the default, then the Provider may terminate this Agreement, and the Client shall pay to the Provider promptly following such termination a termination fee equal to the aggregate Monthly Fees that would have been payable through the end of the then-current Initial Term or Successive Term if this Agreement had not been terminated.
10 Compensation and invoicing.
10.1 Billing and Payment Terms. The Provider shall issue invoices to the Client on a monthly basis. Each invoice will reflect the services to be provided by the Provider to the Client during the upcoming monthly, except charges that are dependent on usage of service, which shall be invoiced in arrears. The Client shall pay each invoice within thirty (30) days following the date of such invoice. The Client shall pay any relevant set up fees and a security deposit equal to the Monthly Fee concurrently with the execution of this Agreement.
10.2 Taxes and Fees. All charges for service are exclusive of Applicable Taxes (as defined below). The Client will be responsible for all taxes and Third Party fees that arise in any jurisdiction.
10.3 Bandwidth Billing. The Client is responsible for all bandwidth charges associated with its use of the Provider’s service.
10.4 Software Acquisition Costs. Software prices set out in this Agreement are subject to increase if the Provider’s costs of acquiring rights to Third-Party software that forms a part of the services to be provided by the Provider to the Client increase following the date of this Agreement, in which case the Provider may, upon notice to the Client, increase the price of the relevant services by an amount commensurate with the increase in the costs of acquiring the rights to such Third-Party software.
10.5 The Client shall incur additional installation fees at the Provider’s then-current Engineering rates according to the Engineering Schedule for the following:
10.5.1 Any work that is requested by the Client to be performed after the Provider’s usual business hours; and
10.5.2 Any additional services provided by the Provider relating to Implementation or not specified on the AAG Work Order.
11 Miscellaneous.
11.1 Confidentiality. Neither Party shall divulge confidential information provided to such Party by the other Party or use such confidential information for purposes other than fulfilling its obligations under this Agreement, and each Party shall take all reasonable steps to ensure that each of its affiliates will not divulge such information to any other person. The confidentiality and limitation of use obligation set out in this Section 6.1 shall survive for five years following termination of this Agreement. The confidentiality and limitation of use obligation shall not apply where the Party receiving confidential information can show that (a) such information is already known to such Party or its representatives or to others not bound by a duty of confidentiality, (b) such information is or becomes publicly available through no fault of such Party or its representatives, (c) the furnishing or use of such information is required by, is necessary, or is appropriate in connection with legal (whether judicial, administrative, or legislative) proceedings, or (d) such information is developed by such Party independent of this Agreement.
11.2 Entire Agreement. This Agreement is the entire agreement between the Parties concerning the subjects hereof. All prior negotiations, representations, understandings, and partial agreements concerning the subject matter of this Agreement are superseded by this Agreement.
11.3 Amendments. No amendment, modification, waiver, or release of the provisions of this Agreement shall be binding unless a writing of like import exists that (a) specifically identifies the amended, modified, waived, or released obligation, (b) describes the nature of the amendment, modification, waiver, or release, and (c) is signed by each Party.
11.4 Assignment. No Party may assign its rights or obligations under this Agreement to any person without the consent of the other Party, provided that the Provider may assign its rights and obligations under this Agreement to any person that acquires all or substantially all of the Provider’s assets without the Client’s consent. Any purported assignment without such consent shall be void.
11.5 Notice. All notices, requests, demands, and other communications specifically required or authorised by this Agreement shall be written and shall be (a) mailed by registered mail or certified mail, return receipt requested, postage prepaid, to the recipient’s address set out on the signature page of this Agreement, or (b) sent by recognised international courier to the recipient’s address set out on the signature page of this Agreement with all delivery fees prepaid. A Party may change its contact information by sending a notice to the other Parties complying with these notice requirements.
12 Authority.
AIS warrants and represents that, before it processes any Client Personal Data on behalf of any Client Group Member, AIS entry into the signed Service Agreement and TCs as an agent for and on behalf of that Client Group Member and will have been duly and effectively authorised (or subsequently ratified) to do so.
13 Processing of Client Personal Data
13.1 AIS shall:
13.1.1 comply with all applicable Data Protection Laws in the Processing of Client Personal Data; and
13.1.2 not Process Client Personal Data other than on the relevant Client Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case AIS shall to the extent permitted by Applicable Laws inform the relevant Client Group Member of that legal requirement before the relevant Processing of that Personal Data.
13.2 Each Client Group Member:
13.2.1 instructs AIS (and authorises AIS to instruct each Subprocessor) to:
13.2.1.1 Process Client Personal Data; and
13.2.1.2 in particular, transfer Client Personal Data to any country or territory which is governed under the regulatory data protection act,
13.2.1.3 as reasonably necessary for the provision of the Services; and
13.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 13.2.1 on behalf of each relevant Client Affiliate.
13.3 Subject to the Proposal Document and signed Service Agreement sets out certain information regarding the Contracted Processors’ Processing of the Client Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Client may make reasonable amendments to the details of processing of client personal data by written notice to AIS from time to time as Client reasonably considers necessary to meet those requirements. Nothing in the Proposal Document and signed Service Agreement (including as amended pursuant to this section 13.3) confers any right or imposes any obligation on any party.
14 AIS Personnel.
AIS shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the fulfilling the Service Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
15 Security
15.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AIS shall in relation to the Client Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
15.2 In assessing the appropriate level of security, AIS shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
16 Subprocessing
16.1 Each Client Group Member authorises AIS to appoint (and permit each Subprocessor appointed in accordance with this section 16 to appoint) Subprocessors in accordance with this section 16 and any restrictions in these terms and conditions.
16.2 AIS may continue to use those Subprocessors already engaged by AIS as at the date of the signed Service Agreement, subject to AIS in each case as soon as practicable meeting the obligations set out in section 16.4.
16.3 AIS shall give Client prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 30 days of receipt of that notice, Client notifies AIS in writing of any objections (on reasonable grounds) to the proposed appointment:
16.4 AIS shall ensure that each Subprocessor performs the obligations under sections 13.1, 14, 15, 17.1, 18.2, 19 and 21.1, as they apply to Processing of Client Personal Data carried out by that Subprocessor, as if it were party to these terms and conditions in place of AIS.
17 Data Subject Rights
17.1 Taking into account the nature of the Processing, AIS shall assist each Client Group Member by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client Group Members’ obligations, as reasonably understood by Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
17.2 AIS shall:
17.2.1 promptly notify Client if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and
17.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Client or the relevant Client Affiliate or as required by Applicable Laws to which the Contracted Processor is subject, in which case AIS shall to the extent permitted by Applicable Laws inform Client of that legal requirement before the Contracted Processor responds to the request.
18 Personal Data Breach
18.1 AIS shall notify Client without undue delay upon AIS or any Subprocessor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Client with sufficient information to allow each Client Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
18.2 AIS shall co-operate with Client and each Client Group Member and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
19 Data Protection Impact Assessment and Prior Consultation.
AIS shall provide reasonable assistance to each Client Group Member with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Client reasonably considers to be required of any Client Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
20 Deletion or return of Client Personal Data
20.1 Subject to sections 20.2 and 20.3 AIS shall promptly and in any event within thirty [30] days of the date of cessation of any Services involving the Processing of Client Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Client Personal Data.
20.2 Subject to section 20.3, Client may in its absolute discretion by written notice to AIS within thirty [30] days of the Cessation Date require AIS to (a) return a complete copy of all Client Personal Data to Client by secure file transfer in such format as is reasonably notified by Client to AIS; and (b) delete and procure the deletion of all other copies of Client Personal Data Processed by any Contracted Processor. AIS shall comply with any such written request within thirty [30] days of the Cessation Date.
20.3 Each Contracted Processor may retain Client Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that AIS shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
20.4 AIS shall provide written certification to Client that it has fully complied with this section 10 within thirty [30] days of the Cessation Date.
21 Audit rights
21.1 Subject to sections [21.2 to 21.4], AIS shall make available to each Client Group Member on request all information necessary to demonstrate compliance, and shall allow for and contribute to audits, including inspections, by any Client Group Member or an auditor mandated by any Client Group Member in relation to the Processing of the Client Personal Data by the Contracted Processors.
21.2 Information and audit rights of the Client Group Members only arise under section 21.1 to the extent that these terms and conditions does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
21.3 A Client Group Member may only mandate an auditor for the purposes of section 21.1 if the auditor has been mutually agreed upon with AIS. AIS shall not unreasonably withhold or delay an agreement to the appointment of an auditor.
21.4 Client or the relevant Client Affiliate undertaking an audit shall give AIS reasonable notice of any audit or inspection to be conducted under section 21.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
21.4.1 to any individual unless he or she produces reasonable evidence of identity and authority;
21.4.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Client or the relevant Client Affiliate undertaking an
21.4.3 audit has given notice to AIS that this is the case before attendance outside those hours begins; or
21.4.4 for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which:
21.4.4.1 Client or the relevant Client Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to AIS’s compliance with these terms and conditions; or
21.4.4.2 A Client Group Member is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,
where Client or the relevant Client Affiliate undertaking an audit has identified its concerns or the relevant requirement or request in its notice to AIS of the audit or inspection.
22 Restricted Transfers
22.1 Subject to section 22.3, each Client Group Member (as “data exporter”) and each Contracted Processor, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Client Group Member to that Contracted Processor. 22.2 The Standard Contractual Clauses shall come into effect under section 22.1 on the later of:
22.1.1 the data exporter becoming a party to them;
22.1.2 the data importer becoming a party to them; and
22.1.3 commencement of the relevant Restricted Transfer.
22.2 Section 22.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
22.3 AIS warrants and represents that, before the commencement of any Restricted Transfer to a Subprocessor, AIS entry into the Standard Contractual Clauses under section 22.1, and agreement to variations to those Standard Contractual Clauses made under section 23.4.1, as agent for and on behalf of that Subprocessor will have been duly and effectively authorised (or subsequently ratified) by that Subprocessor.
23 Governing law and jurisdiction
23.1 Without prejudice to clauses 24.7 (Mediation and Jurisdiction) and 24.9 (Governing Law) of the Standard Contractual Clauses:
23.1.1 the parties hereby submit to the choice of jurisdiction stipulated in these terms and conditions with respect to any disputes or claims howsoever arising under these terms and conditions, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
23.1.2 all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in these terms and conditions.
23.1.3 Order of precedence
23.2 Nothing within these terms and conditions reduces AIS obligations in relation to the protection of Personal Data or permits AIS to Process (or permit the processing of) Personal Data in a manner which is prohibited by these terms and conditions.
Changes in Data Protection Laws, etc.
23.3 Client may:
23.3.1 by at least 60 (sixty) calendar days’ written notice to AIS from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 22.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
23.3.2 propose any other variations to these standard terms and conditions which Client reasonably considers to be necessary to address the requirements of any Data Protection Law.
23.4 If Client gives notice under section 23.3.1:
23.4.1 AIS shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 16.4; and
23.4.2 Client shall not unreasonably withhold or delay agreement to any consequential variations to these terms and conditions as proposed by AIS to protect the Contracted Processors against additional risks associated with the variations made under section 23.3.1 [and/or 23.4.1]. 23.5 If Client gives notice under section 23.3.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Client’s notice as soon as is reasonably practicable.
24 Data Protection.
The data exporter has entered into a Service Agreement with the data importer. Pursuant to the terms, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
24.1 Definitions
24.1.1 ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
24.1.2 ‘the data exporter’ means the controller who transfers the personal data;
24.1.3 ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
24.1.4 ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
24.1.5 ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
24.1.6 ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
24.2 Details of the transfer The details of the transfer and in particular the special categories of personal data where applicable are specified in the Proposal Document and signed Service Agreement which forms an integral part of the Clauses.
24.3 Third-party beneficiary clause
24.3.1 The data subject can enforce against the data exporter this Clause, Clause 24.4.2 to 24.4.9, Clause 24.5.1 to 24.5.5, and 24.5.7 to 24.5.10, Clause 24.6.1 and 24.6.2, Clause 24.7, Clause 24.8.2, and Clauses 24.9 to 24.12 as third-party beneficiary.
24.3.2 14.3.2 The data subject can enforce against the data importer this Clause, Clause 24.5.1 to 24.5.5 and 24.5.7, Clause 24.6, Clause 24.7, Clause 24.8.2, and Clauses 14.9 to 14.12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
24.3.3 The data subject can enforce against the subprocessor this Clause, Clause 24.5.1 to 24.5.5 and 24.5.7, Clause 24.6, Clause 24.7, Clause 24.8.2, and Clauses 24.9 to 24.12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
24.3.4 The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
24.4 Obligations of the data exporter
The data exporter agrees and warrants:
24.4.1 that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
24.4.2 that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
24.4.3 that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures;
24.4.4 that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
24.4.5 that it will ensure compliance with the security measures;
24.4.6 that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
24.4.7 to forward any notification received from the data importer or any subprocessor pursuant to Clause 24.5.2 and Clause 24.8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
24.4.8 to make available to the data subjects upon request a copy of the Clauses, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
24.4.9 that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 24.11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
24.4.10 that it will ensure compliance with Clause 24.4.2 to 24.4.9.
24.5 Obligations of the data importer
The data importer agrees and warrants:
24.5.1 to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
24.5.2 that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
24.5.3 that it has implemented the technical and organisational security measures required before processing the personal data transferred;
24.5.4 that it will promptly notify the data exporter about:
24.5.5 any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
i. any accidental or unauthorised access, and
ii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
24.5.6 to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
24.5.7 at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
24.5.8 to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, and a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
24.5.9 that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
24.5.10 that the processing services by the subprocessor will be carried out in accordance with Clause 24.11;
24.5.11 to send promptly when requested a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
24.6 Liability
24.6.1 The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 24.3 or in Clause 24.11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
24.6.2 If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 24.3 or in Clause 24.11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
24.6.3 The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
24.6.4 If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 24.3 or in Clause 24.11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
24.7 Mediation and jurisdiction
24.7.1 The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
b) to refer the dispute to the courts in the Member State in which the data exporter is established.
24.7.2 The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
24.8 Cooperation with supervisory authorities
24.8.1 The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
24.8.2 The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
24.8.3 The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 24.5.2.
24.9 Governing Law The Clauses shall be governed by the law of the Member State in which the data exporter is established.
24.10 Variation of the contract
24.10.1 The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
24.11 Subprocessing
24.11.1 The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
24.11.2 The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 24.3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 24.6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
24.11.3 The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
24.11.4 The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 24.5.10, which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority upon request.
24.12 Obligation after the termination of personal data processing services
24.12.1 The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
24.12.2 The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Service Schedule
The terms and conditions set out in this AAG Master Cloud Service Schedule (this “Schedule”) shall apply to each Service Work Order executed by the Provider and the Client (each, a “Work Order”), and shall be deemed to be incorporated, the necessary changes having been made, into each Work Order.
Section 1: Definitions
In this Schedule: Any capitalised terms used but not defined in this Schedule or the remainder of the Agreement shall have the meanings set out in the relevant Work Order.
1. “Acceptable Use Policy” or “AUP” shall mean the Provider’s document that stipulates constraints and practices that Client must adhere to when utilising any of the Provider’s Cloud Services.
2. “Advanced Storage” shall mean storage resources provided on traditional shelves of disks.
3. “Archive Storage” shall mean storage resources provided on traditional shelves of disks.
4. “Carrier” shall mean an organisation that provides services accessing and using the Internet or any other telecommunications service that operates on its proprietary network infrastructure.
5. “Cloud Storage” shall mean storage resources within the Target Site, provided on traditional shelves of disk, accessed from the Machines.
6. “Commencement Date” shall mean the commencement date of the initial term of the relevant Order.
7. “Compliance Services” shall mean a suite of tools, processes, devices and information to support the efforts of certain categories of merchants to manage compliance with the requirements of each service noted below. The delivery model for these services offered and supported by the Provider fall under two categories: General Compliance and Managed Compliance-as-a-Service.
8. “Compliance Services Matrix” shall identify and list the Provider’s Compliance Services offering. The current Compliance Services Matrix is attached as Appendix A, however, that the Compliance Services may be modified from time to time in the Provider’s sole discretion.
9. “Data Centre” or “Datacentre” shall mean the facility operated by the Provider designated as the Datacentre in the relevant Hybrid Colocation Order.
10. “Deployment” shall mean the period of time beginning once the Provider has acknowledged receipt of the signed Work Order, and ending when the Provider satisfies all deliverables within the initial scope.
11. “Disaster” shall mean the Client’s inability to send or receive data at the Primary Site due to unavailable compute, storage, or network resources.
12. “Encrypted Archive Storage” shall mean encrypted storage resources included in the Cloud Resources provided on traditional shelves of disks.
13. “General Compliance” shall mean ad-hoc and on demand professional Compliance Services.
14. “Governance Framework” shall mean a category of Compliance Services that define the structure of rules and procedures by which enterprises and corporations are directed and controlled.
15. “IOPS” shall mean Input/Output Operations Per Second and is a common performance measurement used to benchmark computer storage devices.
16. “AAG Cloud” shall refer to an environment that contains the Provider’s basic cloud infrastructure features without any level of encryption or security attributes integrated into the environment and its underlying shared storage and/or shared Cloud Resources. Features associated with AAG Cloud environment are only available to Clients that elect to have those services provided to them on their Work Order.
17. “AAG Secure Cloud” shall refer to an environment that contains the Provider’s advanced security and encryption features and attributes integrated into the environment and its underlying shared storage and shared Cloud Resources. Features associated with AAG Secure Cloud environment are only available to Clients that elect to have those services provided to them on their Work Order.
18. “AAG Secure Cloud Backup” shall mean the public Internet service delivered by Provider that allows Client to backup Machine’s virtualised data into Cloud Resources. Features associated with AAG Secure Cloud Backup environment are only available to Clients that elect to have those services provided to them on their Work Order.
19. ‘AAG Secure Cloud Console” shall refer to the cloud based management portal in which Client access and administers the Cloud Resources.
20. “Image-based Backup” shall mean a point-in-time copy of a defined collection of data.
21. “Letter of Authorisation” or “LOA” is a document from the Client or Carrier authorising the Provider to act on their behalf.
22. “Machine” shall mean the computing equipment on which the Client is running the AAG Cloud Connector software and the computing equipment used by the Client to access the Cloud Resources (but excluding the Cloud Resources).
23. “Managed Compliance-as-a-Service” shall mean recurring activities and ongoing professional Compliance Services.
24. “Model Contract Framework” shall mean Compliance Services that falls under the Governance Framework and provides alignment with the standardised contractual clauses that European Union (EU) data protection law requires for the exchange of data.
25. “Product Compatibility Matrix” shall identify the requirements that Client systems and software must meet in order for them to be compatible with Provider offerings. Clients can see the current Matrix as Appendix A.
26. “Recovery Plan” shall mean the detailed steps involved in how a Client’s Virtual Machines will be recovered into Provider’s Recovery Site.
27. “Reserved Resources” shall mean Cloud Resources that are dedicated to the Client.
28. “Statement of Work” or “SOW” shall mean a document defining the project specific activities, requirements, considerations, deliverables and timelines between the Client and the Provider, conjunction with the specifications of the relevant Work Order
29. “Source Site” shall mean the Client’s physical location from which the Client’s Virtual Machines will be backed up in an AAG Secure Cloud Backup environment.
30. “Target Site” shall mean Provider’s physical location as specified in the Work Order to which the Machines will be backed up in an AAG Secure Cloud Backup environment.
31. “Users Authorised to Declare Disasters” shall mean users defined on the Client Contact form which have the Client’s authorisation to declare a Disaster. If Cloud Resources are available at the time-of-Disaster, Client pre-authorises Users Authorised to Declare Disasters the option to expand its Reserved Resources up to the Disaster Resource Limit specified in the Work Order. These resources are billed on a monthly basis with a minimum of one-month commitment. Client’s Resource Burst Limit will not be modified. At the end-of-Disaster, Client has option to revert to original Reserved Resource quantity.
32. “vApp” shall mean a collection of pre-configured Virtual Machines that combine applications with the operating systems that they require allowing them to work together in a stack as an application.
33. “Virtual Machine” or ‘”VM” shall mean a guest operating system such as Windows or Linux that can run or be stored as an isolated entity on a host and is separated from the physical resources it uses such that the host environment is able to dynamically assign those resources among several Virtual Machines.
Section 2: Universal Service Terms (Applicable to All Services)
2.1 Provider’s Obligations. The Provider is responsible for the following in accordance with industry best practices:
2.1.1 Testing and placing into production any software updates on the Provider’s systems in relation to the third party software on the Provider’s then-current Product Compatibility Matrix, which is updated from time to time to reflect new software updates that have been placed into production. The Provider shall not be liable to the Client and the Client can neither cancel nor withhold payment for an Order outside of the requirements set forth in the Service Schedule, or Work Order if the Client’s systems or software were not compatible with this Matrix prior to the commencement of a Work Order or if the Client installs a software update before that update is reflected in the Provider’s then-current Product Compatibility Matrix. In addition, while the Provider may test third party software updates before listing them on the Product Compatibility Matrix, those tests are solely designed to ensure that the third party software updates will not have a negative effect on the Provider’s ability to provide agreed upon services to the Client and the Provider presents those updates listed as being compatible “as is” with no warranties of any kind, express or implied, including, but not limited to, warranties for fitness of purpose in regard to the third party software.
2.2 Client’s Obligations. The Client is responsible for the following in accordance with industry best practices:
2.2.1 Supplying the Provider with information reasonably required to fulfil its obligations;
2.2.2 Promptly notifying Provider if the Cloud Resources are compromised, accessed by a person lacking permission to access the Cloud Resources, or infected with a virus, worm or similar malicious code; and
2.2.3 Reviewing the Provider’s then-current Product Compatibility Matrix before procuring the Provider’s services and before installing any software updates in order to ensure that the Client’s systems are compatible with the Provider’s system. The Provider shall not be liable to the Client and the Client can neither cancel nor withhold payment for an Order outside of the requirements set forth in the Service Schedule, or Work Order if the Client’s systems or software were not compatible with this Matrix prior to the commencement of a Work Order or if the Client installs a software update before that update is reflected in the Provider’s then-current Product Compatibility Matrix. In addition, while the Provider may test third party software updates before listing them on the Product Compatibility Matrix, those tests are solely designed to ensure that the third party software updates will not have a negative effect on the Provider’s ability to provide agreed upon services to the Client and the Provider presents those updates listed as being compatible “as is” with no warranties of any kind, express or implied, including, but not limited to, warranties for fitness of purpose in regard to the third party software.
2.3 Cloud Storage
2.3.1 Storage Performance Guarantee. The Provider offers different storage types with guaranteed aggregated average IOPS according to the following chart.
2.3.2 To calculate the average IOPS per storage type in each Virtual Datacentre, Provider sums up the total number of IOPS and divides it by the total GB of storage; and
2.3.3 Storage Performance Limits. The storage is capable of very high IOPS, and thus Provider will allow Client to occasionally burst IOPS over the guaranteed aggregated average IOPS for no additional charge. However, if Clients IOPs bursting is excessive or detrimental to overall storage performance, then Client must upgrade to the next available storage tier, or Provider may, at its sole discretion, limit such IOPs until the Client can correct the issue causing the excessive bursting.
2.4 Disabling Cloud Resources If the Cloud Resources get infected, hacked, or are compromised in any way, or if it is determined by the Provider that there is a potential threat to the Provider’s network or any of the Provider’s other Clients, the Provider will make commercial best efforts to notify the Client and may in its sole discretion disable the Cloud Resources until the Client can take the appropriate actions to resolve the issue or contact the Provider to resolve the issue. The Provider may disable the Cloud Resources at any time if the Provider reasonably believes that the Client has violated the Provider’s then-current Acceptable Use Policy.
2.5 Beta Service Participation. This section describes the terms and conditions under which the Client may access certain services or features available by the Provider that are not considered Generally Available. Services or features labelled “beta” (each, a “Beta Service”), or access and use of Provider’s Services available in Data Centres that are also labelled as “Beta Location”.
2.5.1 Client may access the applicable Beta Service used in a generally available Data Centre, or in a Beta Location during the term specified by the Provider;
2.5.2 Client shall not grant access to any Beta Service by any third party other than the Client’s employees and contractors that have executed written non-disclosure agreements with the Provider;
2.5.3 Client shall not advertise or publicly disclose any of the features, services or performance of the Beta Services without the written approval from the Provider;
2.5.4 Client shall utilise the applicable Beta Service used in a generally available Data Centre, or in a Beta Location only for internal evaluation purposes or to provide feedback to Provider;
2.5.5 Client shall comply with the Provider’s then-current Acceptable Use Policy when accessing and using the Beta Service or Provider’s Services in a Beta Location;
2.5.6 Provider may suspend or terminate Client’s access to or use of Beta Service or Provider’s Services available in Beta Locations;
2.5.7 Client shall provide reasonably-requested information related to access, use, testing, or evaluation results of the Beta Services to Provider;
2.5.8 Client agrees that Provider does not guarantee any Service Level, performance or stability of the Beta Service or any of the Provider’s Services in Beta Locations;
2.5.9 Access or use of the applicable Beta Services or Provider’s Services in the Beta Location will automatically terminate upon the release of a generally available version;
2.5.10 Client agrees that after termination of
a) The applicable Beta Service, or
b) Access to a Provider’s Service in a Beta Location, there will be a decommissioning process that will include the erasure of all the Client’s data;
2.5.11 Client agrees that Provider does not guarantee that any Beta Service or Provider’s Services in any Beta Location will ever be made generally available, or that the generally available version will be the same or similar as the version made available by Provider during the term of the Beta Service or Beta Location, as applicable; and
2.5.12 Provider excludes all warranties of any kind, express or implied, with respect to any service provided as part of the beta service or beta location, as applicable, including warranties for merchantability, fitness for any particular purpose, or satisfactory quality or whether at common law or contract or tort or by statute, or otherwise. The beta services and provider’s services in any beta location are offered on an as-is, where is basis, with all faults, and are not subject to any of the warranties set out in the agreement.
Section 3: Service-Specific Terms
3.1 AAG Cloud. The terms and conditions of this Section 3.1 are applicable to each Work Order for AAG Cloud services.
3.1.1 Resources
a) Storage. The types of shared storage available are Advanced, SSD, and/or Archive form. Storage types comprising the environment are specified in the Work Order;
b) CPU & RAM. These Cloud Resources are available as Shared Resources. CPU & RAM comprising the environment are specified in the Work Order;
c) Bandwidth. Bandwidth is available as a Shared Resource as specified in the Work Order; and
d) Business Models. Shared Cloud Resources are available in either Reserved, Burst, or Reserved plus Burst models as specified in the Work Order.
3.1.2 Provider’s Obligations. The Provider is responsible for the following in accordance with industry best practices:
a) Onboarding Client into Provider’s Cloud Services by giving access to the service and guiding Client through process of deploying the service;
b) Provide documentation, project management, and guiding Client through an initial set up;
c) Provide ongoing support and education on the Service at the Clients’ request;
d) Creating Virtual Data Centre(s) consisting of compute, memory, storage infrastructure, and network bandwidth per specifications detailed in the Work Order;
e) Maintaining the underlying cloud infrastructure components such as compute, memory, storage and networking by following Provider’s guidelines for managing these environments;
f) Providing Client with the URL and authentication credentials to access the Client’s Cloud Resources;
g) Assigning external and internal IP addresses for the virtual router per Client-provided requirements; and
h) Provide VM templates with Microsoft Windows Data Centre Licensing.
3.1.3 Client’s Obligations. The Client is responsible for the following in accordance with industry best practices:
a) Unless specified on the Work Order, implementing dedicated physical or virtual network security appliance, managing Firewall(s) including but not limited to the configuration of Network Address Translation (NAT) Access List, Virtual Private Network (VPN), Dynamic Host Configuration Protocol (DHCP), Load Balancing, and static routing;
b) Configuring additional organisation access including the creation, modification, and deletion of end-user account(s);
c) If the Client chooses to Seed Data, then Client must follow Provider’s then-current Data Seeding Guidelines;
d) Ensuring Virtual Machines match specifications as defined in the Provider’s then-current Product Compatibility Matrix;
e) Maintaining operating systems and applications installed on the Client’s Virtual Machines or in the Client’s Virtual Data Centre, including patching, upgrades, updates and anti-virus software in accordance with industry best practices;
f) Fixing any problems resulting from upgrades to the Virtual Machines operating system;
g) Providing Virtual Machine and application log monitoring;
h) Providing support for operating systems and applications installed on the Client-Managed Virtual Machines;
i) If the Client is providing operating system or application licenses:
i. Such licenses must be provided prior to Deployment or the Client will incur the full cost of Provider-provided licenses,
ii. The Client is responsible for adhering to the relevant software vendor’s licensing agreements,
iii. The Client is responsible for maintaining, updating and keeping current license information (as interruption of services may result if such licenses are not maintained),
iv. The Client is responsible for building Virtual Machine templates using Client-provided operating system licenses, and
v. No Microsoft operating system original equipment manufacturer (OEM) licenses are allowed; and
j) If the Client provisions Reserved Resources in excess of the specifications set out on the Work Order, the Provider is not responsible for any performance degradation or errors caused by over allocation.
3.1.4 Daily Backups
a) The Provider will create daily storage-based backups of Active Virtual Machine images and will retain for seven (7) restore points. Longer retention is available for an additional fee and the number of restore points and cost would be specified on the work order;
b) The Provider does not guarantee recoverability of individual applications running on Virtual Machines such as databases or email messaging systems. To ensure recoverability of applications, the Client is responsible for performing agent-based application aware backups and restores. The Client is also responsible for performing granular recovery of individual items including SharePoint documents, email boxes, email messages, etc. from agent based application aware backups;
c) Client may restore backups through the self-service AAG Secure Cloud Console. Client may also request support from Provider in restoring backups; and
d) In order for Client to restore Virtual Machine data, Client must have sufficient storage available. Client may have to purchase more storage to make this possible.
3.1.5 Encryption
a) VM Encryption.
I. Provider offers encryption on a per VM or per volume basis, and is available to Client if purchased on the Work Order,
II. Client agrees and understands that when running VM Encryption some features in the AAG Secure Cloud Console that require access to Client’s VMs may not function or provide information, since Client’s VM will be encrypted, and
III. VM Encryption encrypts data using AES-128/256 algorithms and allows Client to manage the encryption keys. Client understands that Provider has no access to encryption keys.
3.2 AAG Secure Cloud Backup with Veeam The terms and conditions of this Section 3.5 are applicable to each Work Order for AAG Secure Cloud Backup services.
3.2.1 Resources
a) Storage. Shared Advanced storage along with embedded Network Bandwidth are the Cloud Resources that comprise the Secure Cloud Backup service as described in the Work Order;
b) WAN Accelerator.
I. Provider offers WAN Accelerator service available to Client if purchased on the Work Order, and
II. WAN Accelerator VM and cache use SSD storage;
c) Business Models. Shared Storage is available in Reserved model only.
3.2.2 Provider’s Obligations. The Provider is responsible for the following in accordance with industry best practices:
a) Providing pool of Cloud Storage and network bandwidth at Target Site per specifications detailed in the Work Order;
b) Maintaining Target Site Cloud Storage infrastructure including patching, upgrades and updates;
c) Creating Cloud Resources per specifications detailed in the Work Order;
d) Providing Client the URL and authentication credentials to access the Client’s Cloud Resources;
e) Providing storage pool modification options to the Work Order as required by the Client; and
f) Providing a maximum of one active connection between the backup server at the Source Site and the Cloud Resources at the Target Site per set of credentials. This is a Cloud Connector Limitation. All other jobs running concurrently will sit idle until the job using the connection completes. The same set of credentials can be used to send to concurrent backups from different locations, or Source Sites to the same Target Site. Alternatively, two different sets of credentials can be used to send backups concurrently from the same backup server at the Source Site.
3.2.3 Client’s Obligations. The Client is responsible for the following in accordance with industry best practices:
a) Providing the Provider with information reasonably required to fulfil its obligations, including without limitation backup requirement details;
b) Procuring, implementing, and configuring of the correct licensed versions of Cloud Connector software on the Machines as specified in Provider’s then-current Product Compatibility Matrix;
c) Configuring and performing of backups, recovery tasks, and Testing within the software installation;
d) Managing applicable Client-controlled firewall(s) including but not limited to the configuration of Network Address Translation (NAT), Access List, Virtual Private Network (VPN), Dynamic Host Configuration Protocol (DHCP), and static routing in relation to Client connectivity to the Target Site;
e) Fixing any problems resulting from upgrades to the Cloud Connector software;
f) Maintaining software (including without limitation the Cloud Connector software) on the Client’s machines including patching, upgrades, updates and anti-virus software in accordance with industry best practices;
g) Ensuring the functioning of services or software running on the Client’s machines;
h) Providing support for operating systems and applications installed on the Client’s machines;
i) Promptly notifying Provider if the Cloud Resources are hacked, accessed by a person lacking permission to access the Cloud Resources, or infected with a virus, worm or similar code;
j) Ensuring that there is enough bandwidth at Source Site to enable initial backup and successive incremental changes of data to Target Site; and
k) Ensuring that during the term of the Work Order Client maintains enough bandwidth to ensure the continued successful backup of the data (and Client acknowledges that the Provider is not in breach of the agreement if there is not enough bandwidth available at Source Site); and
l) If the Client provisions backup jobs in excess of the specifications set out on the Work Order, Provider is not responsible for any performance degradation or errors caused by over allocation.
3.2.4 Service availability and limitation of liability. The Cloud Resources shall not be deemed unavailable (without limitation) in the event of any of the following:
a) Client does not have enough bandwidth at the Source Site to support backup to the Target Site;
b) Client exceeds reserved storage on Target Site;
c) Inconsistencies in the environment or unavailability that result from changes in the Client’s source environment, including either intentional or accidental connection or disconnections to the environment; or
d) Failure or malfunction of equipment, software (including, without limitation, AAG Cloud Connector), or other technology not owned or controlled by Provider.
3.3 Compliance Services The terms and conditions of this Section 3.12 are applicable to each Work Order for AAG Compliance services.
3.3.1 Provider’s Obligations. The Provider shall use its commercially reasonable efforts to undertake the obligations outlined in the Compliance Services Matrix.
3.3.2 Client’s Obligations. The Client shall use its commercially reasonable efforts to undertake the following:
a) Deliver and inform the Provider with all such information and assistance as Provider may reasonably require from time to time to perform the Compliance Services;
b) Ensure that any information supplied to Provider is complete and accurate;
c) If necessary, supply the Provider’s personnel with access, as required, to perform the Compliance Services; and
d) Inform the Provider of all compliance regulations and any other reasonable security and requirements that apply at all of co-operate with the Provider in all matters relating to the Compliance Services and not interfere in any way with the performance of the Compliance Services by the Provider.
Appendix A
Product Compatibility Matrix
Due to support issues that arise from version mismatch as a result of disaster recovery, AAG has created a quick breakdown on supported software and hardware versioning within the ESXi product space.
To ensure compatibility and operational uptime, AAG requires that versions do not exceed the following thresholds based on environment and solutions.
AAG Secure Cloud Console – Supported Browsers
The following browser versions are currently supported by AAG Secure Cloud Console:
AAG Secure Cloud Backup and DRaaS Environments
AAG Cloud Connector Client – Cloud Provider Compatibility Matrix
*ESXi v6.5 is supported at the Source/Production Site on VCC version 9.5U1 as long as HWv11 or lower is being used. The following features are not supported: Secure Boot and/or VM Encryption. HWv13 is not supported. Zerto Customer – Cloud Provider Compatibility Matrix
**ESXi v6.5 is supported at the Source/Production Site on ZVR version 5.0U1 (or higher) as long as HWv11 or lower is being used. The following features are not supported: Secure Boot and/or VM Encryption. HWv13 is not supported.
WARNING: It is important to note that disaster recovery supports only the noted versions of ESXi.
